btasker commented on Why not use DNS over HTTPS (DoH)?   bsdhowto.ch/doh.html... · Posted by u/Bogdanp
ggm · 3 months ago
Eh. He doesn't discuss which public DNS upstream supports DTLS, and in some sense it's just picking who snoops, i.e. he argues against Cloudflare snooping but doesn't discuss who else might.

Run hyperlocal root, run your own dns.

His "don't move off 22 for ssh" is also just opinion. He argues "you will be found" but misses that the experience of those of us running on a shifted ssh port is continuously validated by the visibly lower level of probes we see. He offers no mathematical analysis of how quickly a port knock sequence will be uncovered, and again dismisses it as infeasible and useless.

I've got nothing against strongly held opinions and these are his. But, form your own opinions too.

btasker · 3 months ago
> His "don't move off 22 for ssh" is also just opinion. He argues "you will be found"

Worse than that, that post misunderstands its own statement:

"Sure, you will see fewer attacks than before, but most of the attackers are no longer just stupid bots"

That's a *good* thing, because the move has reduced the signal to noise ratio. By getting rid of most of the crufty noise of the internet, you now know that anything hitting your logs now is more likely to be an actual threat than the poorly automated dictionary attack bots.

Moving SSH to a different port doesn't make the system much more secure (and definitely shouldn't be the only thing you do), but it does generally enable you to be more responsive.

btasker commented on Why not use DNS over HTTPS (DoH)?   bsdhowto.ch/doh.html... · Posted by u/Bogdanp
elashri · 3 months ago
I think one way or another you will have to trust some entity with your DNS, unless you are willing to use Tor all the way at the OS level. Even running your own recursive DNS resolver will leak your IP to the root servers. Put a VPN in front of it and now you trust this VPN company (kudos Mullvad).

And abusing HTTPS is for good reasons. Blocking ports 53 and 853 is easy and many ISPs will do that.

The author also makes it feel like the only option is to use Cloudflare DoH on Firefox; while that's the first option, there is also NextDNS and a custom field. There are many providers I would trust more, like Quad9 and Mullvad DoH.

I think the reasons for not using DoH are the same as the reasons for not using public DNS from providers you don't trust anyway.

Most people are happily using 8.8.8.8 and handing all their DNS information to the biggest advertising company in the world. Or worse, using their ISP-provided DNS.

btasker · 3 months ago
> The author also makes it feel like the only option is to use Cloudflare DoH on Firefox

In fairness, the date on the post is 2018 - when Firefox first launched this, Cloudflare was the only option

btasker commented on Why not use DNS over HTTPS (DoH)?   bsdhowto.ch/doh.html... · Posted by u/Bogdanp
deknos · 3 months ago
Is it possible to route DoH over a generic HTTPS service when I only inspect a certain route? So I could have a generic HTTPS server where, at some route, DNS requests are answered, and other stuff just gives me a normal website?

Because then we could use DoH for hiding our DNS requests.

btasker · 3 months ago
Yes.

DoH requests go to /dns-query so you only need that path to proxy onto your DoH handler.

Some DoH clients will also allow you to specify a custom path, so you can also obfuscate the path by configuring client and server to use /foobar instead.

But, re-using an existing site does come at the cost of generating a bunch of extra log noise (fine if it's just you, not so fine if it isn't). If you don't have some kind of auth in place, you might also find that you suddenly come under a lot of load (when I ran a public DoH service, I eventually started getting a lot of traffic from users in an authoritarian country)

btasker commented on I wrote to the address in the GPLv2 license notice (2022)   code.mendhak.com/gpl-v2-a... · Posted by u/ekiauhce
n3storm · 4 months ago
True, any page-oriented software like LibreOffice, Inkscape, or GIMP will show you US Letter sizes and US Letter envelope sizes, and you may have messed up by printing on the wrong size... but as other posters say, maybe these days nobody prints on real paper anymore...
btasker · 4 months ago
They all default to ISO sizes for me.

If I format the page size, LibreOffice does offer "Letter" and "Legal". GIMP shows them as "US Letter" and "US Legal" but again they're not the default.

It wouldn't surprise me if most non-US users hadn't seen them at all, and certainly not that they don't realise the US uses a different size.

btasker commented on Difficult Employees (and How to Handle Them)   newsletter.canopy.is/p/th... · Posted by u/BerislavLopac
t43562 · 6 months ago
There are often practical problems with tossing people out, like: I'm not going to get the money to be able to replace them. OR they know a hell of a lot and it will be years, or never, before someone can solve the brutal problems they can in a few minutes.

Then you have the issue that the new people you hire might be worse AND a huge pain to train. Or you spend 3 months getting them to know your system and then they leave for another job.

At some point people know if you don't care about them. If you cannot care about them why would they "follow you into battle?"

btasker · 6 months ago
> At some point people know if you don't care about them. If you cannot care about them why would they "follow you into battle?"

That's true, but it also works both ways.

If the "problem" person is impacting others on your team, you owe it to them to address rather than ignore the issue. After all, why would _they_ follow you into the trenches if you've shown that you don't care enough to deal with an issue that they're saying is making their lives difficult.

(Good) management is about striking a balance - between the business's needs (otherwise you're all out of a job anyway) and the welfare of everyone on the team (which IMO, should always benefit from a bit of priority over the other).

Sometimes that does mean making a hard decision about someone who's very technically capable, but damages the wellbeing or efficiency of the rest of the team.

As an extreme example - I once worked with someone who was a pretty good engineer and knew where a lot of the bodies were buried in the codebase (i.e. keeping him around would be beneficial), but one day he started regularly talking, quite inappropriately, about schoolgirls in the team Skype group (and even defended doing so). Good engineer or not, sometimes things have to change.

All of that being said, I think the article is too hardline, at least if those are intended to be the opening gambit. There's a ton of people engineering that you can do before you need to reach the point of making it sound like a PIP.

btasker commented on Is Wordpress.org GDPR Compliant?   shkspr.mobi/blog/2024/12/... · Posted by u/robin_reala
that_guy_iain · 9 months ago
> dotorg being run by a private citizen who receives no payments does not exempt it from GDPR, because GDPR doesn't make that distinction.

The dot org being run by an American citizen who does not operate within the UK 100% means UK courts do not have standing. Remember, GDPR UK is not GDPR. It's based on it, but case law is different, and other stuff. Remember, just because one country does not allow something or requires something does not mean everyone whose website is accessible within that country has to follow that law. For UK law to apply to someone there has to be a connection. Not just "I can connect to that website" or "they're processing my data".

Furthermore, GDPR UK does make a distinction or at least the ICO does - https://ico.org.uk/for-organisations/data-protection-and-the.... Under UK law providing goods and services requires taking payment.

Legal opinion has also been shared from lots of sources that small businesses operating outwith the EU aren't covered by GDPR. I believe there is EU law that says EU law only applies to companies with a significant number of customers who are EU citizens.

> There _is_ an exemption for household processing (recital 18) - which means that I don't need to worry about taking a neighbour's contact number etc - but wordpress.org wouldn't fall under that.

Fun fact, in the UK data protection laws will still cover cameras and whatnot taken from a household. That is UK case law. But again, there is no standing for even the Data Protection Act to apply because there is no connection.

> Given Matt's actions (and statements made by his own team so far in the case), I think he'd struggle to claim that wordpress.org is not linked to "professional or commercial activity".

Yea, but there is no standing for the UK to apply its laws on Matt. The EU may have a better claim since he has servers in the EU. However, as pointed out, GDPR does not apply to that person because he is neither an EU citizen nor a resident as far as I can tell. Their entire claim would be to apply UK law to someone not operating within the country.

The entire point of commercial activity is that there would be a connection and would give UK courts standing is silly. It's basic law 101. Hence, why I said in my first comment that OP didn't understand the law.

btasker · 9 months ago
GDPR (including the UK GDPR) is extra-territorial by design.

It applies _by design_ to anyone or anywhere processing the data of an EU or UK citizen.

I suspect that you and I would agree about the wrongs of any law being extra-territorial, but it's where things on both sides of the pond have landed us.

You already linked to the relevant part of the ICO's guidance but *appear* to have misunderstood it: you've inserted an extra requirement - that it requires taking payment.

That's not the case, it applies just as much to free services.

Wordpress.org (and more so the associated services - slack etc) being available and (more importantly) *collecting and processing data* is offering a service.

> Fun fact, in the UK data protection laws will still cover cameras and whatnot taken from a household

They do indeed. In fact, it's not just cameras: as soon as you publicly share information you can't rely on the exemption because it doesn't cover it.

> Yea, but there is no standing for the UK to apply its laws on Matt.

You keep using the word standing, which is very much a US-centric term. I'm not, for a second, suggesting that anyone would try and enforce this in a US court.

Being able to enforce is (as I've already said) an entirely different kettle of fish.

> Their entire claim would be to apply UK law to someone not operating within the country.

Yes. Welcome to the intended design of GDPR.

Although you're right that EU GDPR and UK GDPR are now two separate things, they're not actually particularly different things: we didn't really amend it after leaving the EU - the two are separate since Brexit, but the way that they work is the same, albeit absent a few years of case law.

In fact, it's not only GDPR that's extra-territorial (or intended to be). Have you seen the stuff they've been trying to bring in to make the internet "safe"? That's extra-territorial in nature too.

Ever since the US passed the CLOUD act, politicians on this side of the pond seem to have decided that what's good for the goose is good for the gander.

btasker commented on Is Wordpress.org GDPR Compliant?   shkspr.mobi/blog/2024/12/... · Posted by u/robin_reala
that_guy_iain · 9 months ago
>Wordpress.org is IIRC run by Automattic, which receives payments from the UK so there is even a way to enforce fines.

No. WordPress.org is owned and operated by a private American citizen who receives no payments.

Automattic is a separate for-profit organization which does fall under GDPR. WordPress foundation would also fall under GDPR. WordPress.org does not.

Yea, we were all pretty surprised to hear that WordPress.org is a privately owned and operated site.

btasker · 9 months ago
dotorg being run by a private citizen who receives no payments does not exempt it from GDPR, because GDPR doesn't make that distinction.

There _is_ an exemption for household processing (recital 18) - which means that I don't need to worry about taking a neighbour's contact number etc - but wordpress.org wouldn't fall under that.

Given Matt's actions (and statements made by his own team so far in the case), I think he'd struggle to claim that wordpress.org is not linked to "professional or commercial activity".

It might be quite difficult to enforce against a private citizen, but that's not the same as it not applying.

btasker commented on ACF Plugin no longer available on WordPress.org   advancedcustomfields.com/... · Posted by u/michaelcampbell
photomatt · a year ago
I don't think anything about our update could cause the issues he describes and we've had no other reports, this is the only claim on the internet, and doesn't include enough technical details to tell if it's an actual bug or not.

If it's a bug, our bad and we'll fix ASAP. If it's a bug, it's a very rare one. There have been 225k downloads of the SCF plugin in the past 24 hours, implying a lot of updates. I would estimate at least 60% of the sites with auto-upgrade on and using .org for updates have done so already. https://wordpress.org/plugins/advanced-custom-fields/advance...

That said, I'm happy to pay system2 whatever he thinks his time was "spent" on a Sunday is worth. Just let me know an amount and where to send. You can contact me here: https://ma.tt/contact/ .

btasker · a year ago
> I don't think

No, you just act and screw everyone else.

There's no justification for this whatsoever - it was your actions which meant that the ACF team couldn't manage the plugin on dotorg, and the issue you fixed was unbelievably minor.

IF you even had a point in the beginning, you've fatally undermined it. Hell, WPE's motion for a preliminary injunction even now notes that your actions here have potentially fallen into CFAA territory - https://storage.courtlistener.com/recap/gov.uscourts.cand.43...

Given you've been banning dissenters from Slack, I wonder "why" people might not be reporting issues where you can see them?

btasker commented on Ask HN: Did you personal website help you get hired? Tell about it    · Posted by u/throwaway844535
throwaway346434 · a year ago
> they felt that having a project called F*ckAMP might put off potential employers.

Do you really want to work with an employer who cares about this? Works both ways

btasker · a year ago
Yep, that's exactly my view on it.
btasker commented on Ask HN: Did you personal website help you get hired? Tell about it    · Posted by u/throwaway844535
btasker · a year ago
I can't say for sure that it directly led to jobs, but my website has been brought up in a positive light during the recruitment process more than a few times.

Because I write about technical things a lot, it's often been viewed as "evidence" that I'm an experienced technical writer as well as an engineer.

But, it (and my github account) have also been flagged as "risks" by a recruitment agency though: I can be a bit sweary at times and they felt that having a project called F*ckAMP might put off potential employers. No-one else has cared though.

But, to echo the advice that others are giving you - the "power" of my blog lies more in it being stuff that I want to write, rather than stuff that I'm writing because I think that it'll help my career.

Deciding what to write about can be hard, and sometimes you'll find you hit a block and don't write about anything at all. Those are both fine, just write about stuff when you want to and don't pressure yourself to write "just because".
