6

cross-posted from: https://infosec.pub/post/16642151

(I have just learned you can cross-post!)

As someone who has read plenty of discussions about email security (some of them in this very community), including all kind of stuff (from the company groupie to tinfoil-hat conspiracy theories), I have decided to put ~~too many hours~~ some time to discuss the different threat models for email setups, including the basic most people have, the "secure email provider" one (e.g., Protonmail) and the "I use ~~arch~~ PGP manually BTW".

Jokes aside, I hope that it provides an overview comprehensive and - I don't want to say objective, but at least rational - enough so that everyone can draw their own conclusion, while also showing how certain "radical" arguments that I have seen in the past are relatively shortsighted.

The tl;dr is that email is generally not a great solution when talking about security. Depending on your risk profile, using a secure email provider may be the best compromise between realistic security and usability, while if you really have serious security needs, you probably shouldn't use emails, but if you do then a custom setup is your best choice.

Cheers

45

As someone who has read plenty of discussions about email security (some of them in this very community), including all kind of stuff (from the company groupie to tinfoil-hat conspiracy theories), I have decided to put ~~too many hours~~ some time to discuss the different threat models for email setups, including the basic most people have, the "secure email provider" one (e.g., Protonmail) and the "I use ~~arch~~ PGP manually BTW".

Jokes aside, I hope that it provides an overview comprehensive and - I don't want to say objective, but at least rational - enough so that everyone can draw their own conclusion, while also showing how certain "radical" arguments that I have seen in the past are relatively shortsighted.

The tl;dr is that email is generally not a great solution when talking about security. Depending on your risk profile, using a secure email provider may be the best compromise between realistic security and usability, while if you really have serious security needs, you probably shouldn't use emails, but if you do then a custom setup is your best choice.

Cheers

[-] loudwhisper@infosec.pub 21 points 3 months ago

I think the benefits of federation is discoverability. I can spin up my gitea or forgejo (or something else!) Instance, but when people look for code in their instances, they can still discover my public repositories, and if they want to contribute, they can fork and open PRs from their instances.

So yeah, it means mostly you can selfhost and provide space to others, but with the same benefits that right now github offers (I.e., everything is there).

74

Hi, recently (ironically, right after sharing some of my posts here on Lemmy) I had a higher (than usual, not high in general) number of "attacks" to my website (I am talking about dumb bots, vulnerability scanners and similar stuff). While all of these are not really critical for my site (which is static and minimal), I decided to take some time and implement some generic measures using (mostly) Crowdsec (fail2ban alternative?) and I made a post about that to help someone who might be in a similar situation.

The whole thing is basic, in the sense that is just a way to reduce noise and filter out the simplest attacks, which is what I argue most of people hosting websites should be mostly concerned with.

[-] loudwhisper@infosec.pub 21 points 4 months ago

Been there...

I thought my API keys were expired, I regenerated them, changed a couple of things, checked all API calls to see if they changed API itself...then I searched the exact error and found out.

For such a breaking change to the API, was it hard to drop an email to every account not meeting the damn "requirements" with an API call performed in the last x months, to alert of the change?

[-] loudwhisper@infosec.pub 12 points 4 months ago

$20/month for a service that anyway is low traffic (especially for hobbyists) is a completely insane price. Even more insane is that their cheapest subscription still doesn't offer any API access. I agree anyway, but are these staying in business just because they have a consolidated market share? Do they have access to more TLDs? I don't know, I am genuinely confused. I have absolutely no reason whatsoever to even think of using GoDaddy again.

[-] loudwhisper@infosec.pub 36 points 4 months ago

NameCheap

WOW! I did not know that. I just checked and after a little search:

We have certain requirements for activation to prevent system abuse. In order to have API enabled, your account should meet one of the following requirements:

- have at least 20 domains under your account;
- have at least $50 on your account balance;
- have at least $50 spent within the last 2 years

$50 in last 2 years is not much, but for those who renew for many years, it is still stupid.

Ironically, Namecheap is what the people in https://github.com/navilg/godaddy-ddns/issues/32 migrated to!

I really wish that domain registration was done in a different way, but even in current scenario, gutting features for such a basic service to extract a few bucks and risking losing customers...?

320

GoDaddy really lived up to its bad reputation and recently changed their API rules. The rules are simple: either you own 10 (or 50) domains, you pay $20/month, or you don't get the API. I personally didn't get any communication, and this broke my DDNS setup. I am clearly not the only one judging from what I found online. A company this big gating an API behind such a steep price... So I will repeat what many people said before me (being right): don't. use. GoDaddy.

[-] loudwhisper@infosec.pub 11 points 4 months ago* (last edited 4 months ago)

Thanks, that is a very good observation! I will try to sneak an edit later today where I can add some appendix about acronyms and abbreviations.

Edit:

While it might not look great, I have added at the bottom an Appendix with all (hopefully, I might have missed some) acronyms and abbreviations. Thanks for the suggestion!

[-] loudwhisper@infosec.pub 15 points 4 months ago

Thanks! I went and tried on my phone and indeed setting Firefox to light mode indeed causes that horrendous and unreadable result. I will need to figure out way, eventually, and provide an alternative light scheme.

[-] loudwhisper@infosec.pub 11 points 4 months ago

How do you get this? Anything that tries to force a light mode?

This is how the site is supposed to look like (there is no light/dark theme selection):

[-] loudwhisper@infosec.pub 15 points 4 months ago

Thanks!

But I have to think the massive costs of cloud junk also pay a role in stuff like a calendar charging double digit annual fees for something that takes very little storage and very little computation (and you of course can’t just buy software any more).

Absolutely agree. I did not even think about this aspect, but I think you are absolutely spot on. Building something with huge costs is something that ultimately gets passed to the users in addition to the rent-seeking aspect.

I have no words for multi-cloud.

You and me both. I have to work with it and the reality is, there is nobody who actually understands the whole thing. The level of complexity (and fragility, I might add) of it all is astonishing. And all of this to mitigate some (honestly) low risk of downtime from the cloud provider. I have lobbied a little bit against at work, but ultimately it has become a marketing tool to sell to customers, so goodbye any hope of rational evaluation...

[-] loudwhisper@infosec.pub 13 points 4 months ago

Oh yeah, I know that that's a thing. It's a practice not too different from the stereotypical drug dealer who gets you hooked on free drugs. In this case the idea is that if you start there, you get vendor-locked and you will have to pay that amount many times over. I understand the appeal from the company perspective, though.

[-] loudwhisper@infosec.pub 66 points 4 months ago

How could I miss the opportunity to use this picture!

It definitely felt like that at times.

[-] loudwhisper@infosec.pub 31 points 4 months ago

Nothing to be sorry for. I didn't write for you nor for any particular individual, and it's fair if you are not interested in it. I also added a table of content at the beginning, so you can jump directly to the relevant section (Technical Side) skipping the (in my opinion needed) introduction completely, if you wish. Cheers

239

I hope this won't be counted as some form of self-promotion, even though I am sharing a post from my own blog.

As a tech worker who works in a Cloud shop, I wanted to elaborate the many reasons why I find working with Clouds terrible, from multiple points of view.

I tried to organize my thoughts in a (relatively long) post, in which both technical aspects and political aspects (which are very related) are covered.

I am sure many people will have different perspectives, and this could be potentially also a nice prompt for a discussion.

[-] loudwhisper@infosec.pub 15 points 9 months ago

This can be absolutely true the other way around too, depending on how proficient you are, and what you are used to or find intuitive. For me, macOS is extremely unintuitive, for example, while my fully personalized Linux setup allows me to do what I want. It is very subjective, ultimately.

view more: next ›

loudwhisper

joined 1 year ago