isodude commented on SystemD Service Hardening   roguesecurity.dev/blog/sy... · Posted by u/todsacerdoti
ptman · 7 days ago
It would be nice if it were possible to do the hardening of services via allowlisting instead. E.g. AllowNothing=true, and then start adding what is allowed to make the service function.
isodude · 7 days ago
I think that pledge[0] offers that functionality

[0] https://github.com/jart/pledge

isodude commented on SystemD Service Hardening   roguesecurity.dev/blog/sy... · Posted by u/todsacerdoti
igorramazanov · 7 days ago
Automatic systemd service hardening guided by strace profiling

https://github.com/desbma/shh

isodude · 7 days ago
A nice thing I found is that if you do (which I see they did not in the examples)

  # ProtectSystem=
you can do

  TemporaryFileSystem=/:ro
  BindReadOnlyPaths=/usr/bin/binary /lib /lib64 /usr/lib /usr/lib64 <paths you want to read>
and essentially include just the binary and the paths you want available. ProtectSystem= is currently not compatible with this behavior.

EDIT: More info here: https://github.com/systemd/systemd/issues/33688
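A complete unit built along these lines, added here as an example and not taken from the thread or from systemd's own documentation; the service name, binary path and the set of bound paths are assumptions that have to be adjusted to what the binary actually opens:

```ini
# Added example, not from the thread: a unit confined to an allowlisted,
# read-only root built from an empty tmpfs. Service name, binary path, user
# account and the bound paths are assumptions; adjust them per binary.
[Unit]
Description=Example daemon on an allowlisted read-only root

[Service]
ExecStart=/usr/bin/example-daemon
# Assumed to exist; DynamicUser= is avoided because it implies
# ProtectSystem=strict, which conflicts with the tmpfs root below.
User=example-daemon
NoNewPrivileges=yes

# ProtectSystem= must stay unset: it is not compatible with mounting a
# tmpfs over / (systemd issue 33688, linked in the comment above).
# ProtectSystem=

# Start from an empty, read-only root ...
TemporaryFileSystem=/:ro

# ... and bind in only the binary, its loader and libraries, and the few
# config files it reads. A leading "-" tolerates paths missing on this host.
BindReadOnlyPaths=/usr/bin/example-daemon
BindReadOnlyPaths=/usr/lib -/usr/lib64 -/lib -/lib64
BindReadOnlyPaths=-/etc/ssl/certs -/etc/resolv.conf -/etc/hosts

# The only writable location is the service's own state directory.
StateDirectory=example-daemon
BindPaths=/var/lib/example-daemon

# The usual namespace restrictions still apply alongside the allowlist.
PrivateTmp=yes
PrivateDevices=yes
ProtectProc=invisible
RestrictNamespaces=yes
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX

[Install]
WantedBy=multi-user.target
```

Anything the binary opens that is not bound in shows up as ENOENT in its logs or under strace, which is how the list of BindReadOnlyPaths= entries gets grown.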

isodude commented on ADHD drug treatment and risk of negative events and outcomes   bmj.com/content/390/bmj-2... · Posted by u/bookofjoe
mockingloris · 10 days ago
As someone from Nigeria who's self-diagnosed with ADHD (my brain switches gears on the spectrum, and I've learned to cope without formal help), reading this thread hits different.

Here, access to stimulants like Adderall or alternatives is too expensive to be viable for the average household (if there is foreknowledge, which is undocumented), and doctors rarely diagnose ADHD in adults (that kind of access is on the premium side, so many have zero idea).

I self-medicate with coffee and green tea to get that dopamine hit, and mix in novelty tricks (gamifying tasks) to keep my monkey brain engaged. But the cultural stigma? Folks just call it laziness or blame "village people" (supernatural enemies).

It's exhausting, but I've leaned into the positives—like my ability to hyperfocus on creative work for hours.

US folks, your bureaucracy sounds brutal, but at least diagnosis is an option. Anyone else from outside the West dealing with this?

isodude · 9 days ago
From the West here, but anyway.

> But the cultural stigma? Folks just call it laziness or blame "village people" (supernatural enemies).

Funny, my daughter just stops my explanations after circa one minute, abruptly, saying that her brain just does not listen anymore and there is no reason for me to continue. Which is blunt, but kind. I understand and stop talking, that's that. We can do that since we know our limits. I would assume that Africa in general is more attuned to accepting people as they are? For my daughter it makes a world of difference that she can communicate her ADHD symptoms. The medications are there to make ADHD people behave like "normal" people, but acceptance in the other direction could be quite helpful as well.

With some luck and effort you can have some effect with diet. It would be nice to see a graph between the rise of white flour and the amount of ADHD in the world. I would love to step off medication, but it's not doable without switching to a sufficient combination of training and good diet; I have neither now :) As they point out in the article, it can be great to find out your vitamin levels to address a shortage.

> These types of complex carbohydrates are less likely to spike your blood sugar levels and help keep you feeling fuller for longer, which may help improve your focus and attention.

> By avoiding simple carbohydrates, like sugar and white flour, you may reduce specific ADHD symptoms. [0]

I just finished fixing my bike (Suntour Perfect) and have started taking it on smaller trips, hopefully that will be _my_ way to a more stable day to day. [1]

[0] https://add.org/adhd-diet/

[1] https://i.ebayimg.com/images/g/NxQAAeSwpg1odZbS/s-l1600.jpg (about the same bike)

isodude commented on Square Theory   aaronson.org/blog/square-... · Posted by u/aaaronson
oliwary · 3 months ago
> If you’ve ever tried to construct a crossword, you’ll find that the framing of a crossword grid under square theory feels right. When you’re nearing the end of the grid-filling process, finding valid crossings of words to fill that final corner of a grid, there’s a satisfying “clicking” feeling—a sense of magic—when it all fits together, analogous to the wrapping-around feeling of completing the square.

If you enjoy this feeling, I think you would like my word game https://spaceword.org. The goal is to arrange 21 letters in a square that is as tight as possible. No one has achieved a "perfect" pattern yet, but people are very close, often leaving only 3 spaces blank!

isodude · 3 months ago
My first initial thought when I saw the game: spaceword golf.

Like any golf, you start with the smallest square possible and increase it with each level. You get fewer points for how perfect the square is.

isodude commented on I helped fix sleep-wake hangs on Linux with AMD GPUs   nyanpasu64.gitlab.io/blog... · Posted by u/fanf2
isodude · 6 months ago
There should exist something like memtest86, but for S3 and S0, that you can run on the laptop to identify hardware that does not suspend properly.
isodude commented on I helped fix sleep-wake hangs on Linux with AMD GPUs   nyanpasu64.gitlab.io/blog... · Posted by u/fanf2
whizzter · 6 months ago
It wouldn't happen that this feature was released around early/mid 2020? Windows sleep used to be semi-reliable, but now it's been shit for a couple of years.

(Any link to the video/docs for turning it off?)

isodude · 6 months ago
TL;DR pull the plug from the laptop _before_ closing the lid. That way it will not be sleeping thinking it got power from the wall.
isodude commented on Show HN: Interactive systemd – a better way to work with systemd units   isd-project.github.io/isd... · Posted by u/kai-tub
glandium · 7 months ago
First time I hear about it. And it's not surprising, because it's not in cron. It's in cronie, and was "only" added in 2016.
isodude · 7 months ago
I only found out last week!

Was not aware that vixie cron was first released in 1987 (https://github.com/vixie/cron/blob/master/Documentation/Chan... 1.md), and still has fresh commits.

isodude commented on Show HN: Interactive systemd – a better way to work with systemd units   isd-project.github.io/isd... · Posted by u/kai-tub
glandium · 7 months ago
At least systemctl status tells you when the timer will next trigger. Cron doesn't.
isodude · 7 months ago
Actually it does; have a look at cronnext.
isodude commented on An unordered list of things I miss in Go   kokada.capivaras.dev/blog... · Posted by u/todsacerdoti
kbolino · a year ago
Being unable to access struct fields a.b.c without risking a panic sucks (and which caused the panic: a.b or b.c?). There's no remotely ergonomic solution to the problem, because there's no nil-safe struct member operator, there's no ternary operator, and if-statements can't be used as expressions.

This wouldn't be such a problem, since of course you can just "choose" to not use pointer- or interface-typed fields in "your" structs, but as soon as serialization, databases, or other people's APIs are involved, you don't have that "choice" anymore.

In the same vein, being unable to write e.g. &true or &"foo" is annoying too. If I can write &struct{...} why can't I write &true?

isodude · a year ago
Horrid, but this works.

  &([]bool{true}[0])
But at least it allows me to write it without declaring a variable first.

isodude commented on Attackers can decloak routing-based VPNs   leviathansecurity.com/blo... · Posted by u/dsr_
rnewme · a year ago
What would be the opposite approach, to make sure all traffic goes through the VPN, and only the VPN, even if the user didn't start the VPN connection (default to no connectivity)? Is there a better approach than just disabling all other network interfaces?
isodude · a year ago
AFAIK WireGuard will always listen in the default namespace, thus you need to isolate everything else. A fun way of doing it though is to do an ip rule that uses the VRF table and matches on the user id. That way all traffic from certain users will always end up in the same routing table. You can go further and match on everything except the WireGuard endpoint. With iptables you can MARK the traffic you want to be treated differently and then catch that traffic with ip rule.
