AFAIK SSH has MaxAuthTries and LoginGraceTime, but all they do is terminate the SSH session (i.e. slow down at most); it won't block the IP via firewall or configuration.
Not sure if there is a recent feature that does the same.
Fair question. What I meant is that suggesting that would have made the whole post 10 lines long and not worth doing. So I avoided such suggestions that completely change the threat model.
It's not useless to avoid a good security posture (although you might have concerns of a monopoly gatekeeping the internet, TLS traffic inspection privacy concerns etc.), on the contrary, it makes everything I have written about here redundant (+ provides more, like DDoS protection) as you are outsourcing the security controls.
Thanks! I did mention this briefly, although I belong to the school that "since I am anyway banning IPs that fail authentication a few times, it's not worth changing the port". I think that it's a valid thing especially if you ingest logs somewhere, but if you do, don't choose 2222! I have added a link to Shodan in the post, which shows that almost everybody who changes port, changes to 2222!
Desec.io is a good option. To be honest using Cloudflare just for DNS is completely OK. It's not a service that allows spying on you or consolidates their monopoly.
Oh yeah, Porkbun does have an API (it seems since sometime last year?). I think also Cloudflare, Namecheap and many others do too.
I agree about GoDaddy. It was an original sin for me to use them years ago, and I was lazy with just one domain that I use for most of my emails etc. I deferred the move for a while and then - as often happens - I had to do it in "emergency" mode.
I am sorry! As an amateur landscape photographer I actually like those clouds very much. There are a few r-word posts about people hating those clouds though, but I checked and they are nowhere near as long as you would expect a proper rant to be.
I feel you very much. Security work is also somewhat similar.
I think this takes away basically the component that made it interesting: understanding what you are doing to the point that you can build stuff.
it's about learning specific applets and features to click on and running down daily and weekly checklists.
Well said.
citizen
Actually I believe it's "residents". You don't need to be a citizen.
Polished doesn't mean functional or ergonomic, which is something I value a lot. The ability to customize what I want easily is also something that Linux offers much more directly than macOS (which is the definition of getting in the way).
Again, I totally believe that for someone the Mac experience can be superior, but it depends on preference, use, habits and priorities.
Their privacy policy is rock solid, and there is no business incentive for them to do so, at the moment.
The law - for good or for bad - is what defines rights. If there is a judge who says that an investigation has to happen, and also the companies ensured that the claim is legit (you see from the stats that the context 15-20% of the data requests), then what else can be done?
You cannot operate illegally, so either you comply or you shut down.
The biggest items on the graph are all out-of-bounds accesses, use-after-free and overflows. It is undeniable that memory-safe languages help reduce vulnerabilities; we have known for decades that memory corruption vulnerabilities are both the most common and the most severe in programs written in memory-unsafe languages.
Unsafe Rust is also not turning off every safety feature, and it's much better to have clearly highlighted and isolated parts of code that are unsafe, which can be more easily reviewed and tested, compared to everything suffering from those problems.
I don't think there is debate here. Rewriting is a huge effort, but the fact that using C is prone to memory corruption vulnerabilities and memory-safe languages are better in that regard is a fact.