Payment card transactions can be disputed or reversed. Cryptocurrency transactions cannot be easily reversed. Reversal is an important capability because sometimes customers or merchants lie, or they can have problems fulfilling their obligations.

When the buyer and seller are in the same country, or are in countries with legal and criminal justice systems which cooperate, transaction risk is lower so fees can be lower.

I do, and I agree about their utility. My users and aliases are in OpenLDAP but it’s pretty easy to add new ones.

Separate accounts are preferable if you’re actually going to be responding to messages. I’ve had some embarrassing encounters where I’ve given an alias to a business that I didn’t realize was going to actually use it for real email conversations with a human. By default roundcube web mail lets you hit reply anyway and the reply goes out with your real address, which can lead to confusion.

Thank you for your reply, but to be clear, I’m not looking for individual details to be spelled out in comments. What you said is absolutely correct, thoughtful, and very helpful. But emotions are running a little high and I’m worried I’ll accidentally lash out at someone for helping. Apologies in advance.

But do you have any links? Beyond just the general subjects of security architecture, secure design, threat modeling, and attack surface identification, I’d love to see this hypothetical “generic VM and web application housing provider in a box” come with a reasonably secure default architecture. Not what you’re running, but how you’re running it.

Like, imagine decades in the future, internet historians uncover documentation and backups from a successful generic hosting company. They don’t necessarily care what their customers are hosting, their job is to make sure a breach in one customer’s stuff doesn’t impact any other customer. The documentation describes what policies and practices they used for networking, storage, compute, etc. They paid some expensive employees to come up with this and maintain it, it was their competitive advantage, so they guarded it jealously.

I’d want to see that, but (a) a public, community project and (b) now, while it’s still useful and relevant to emulate it in one’s own homelab.

If I can get some of that sweet, sweet dopamine from others liking the idea and wishing for my success, maybe I can build my own first version of it, publish my flawed version, and it can get feedback.

I’ve been struggling to wrap my head around a good security architecture for my mspencer.net replacement crap. Could I bug you for links?

I figured out a while ago to keep VM host management on a management VLAN, and I put each service VM on its own VLAN with heavy, service-specific firewalling and a private OS update repo mirror - but after hearing about ESXi jackpotting vulns and Broadcom shenanigans, I’ve gotten really disheartened. I’d love some safe defaults.

Are you sure? Maybe I’m using the wrong word. What is it called when, in an academic paper, the author states findings or conclusions the author got from some other source, in the author’s own words, but doesn’t cite their source?

Giving up land to an invader was ever acceptable? LOL

What’s the penalty for claiming to be impartial but not actually being impartial?

Dust it off and give it a try, next chance you get. I was honestly terrible but we still had a blast. Not even several different instances of “crap I forgot about this, can we just pretend that whole combat never happened?” could derail our fun.

That’s right. I know I was thrown off by large projects earlier in my career. The more you learn the stronger you get at understanding and packaging/setting-aside larger and larger pieces of a project. Bigger projects stress this ability in new ways. I think I lost a job in 2016 because I couldn’t stretch my brain around something bigger, at a small business with maybe 14 devs.

This might be a bad way to communicate this, and I think I’m taking this in a weird direction, but: I’ll use the Mozilla project as an example of a large project, though I’ve never looked at its source.

Suppose you were in an interview, and due to the specifics you are expected to be fast and fluent with the same technologies used in the Mozilla project, though you’ve never looked at the source before. Given a machine with the source already checked out and open in an IDE, you have one hour to read through the source and familiarize yourself with it, so you can answer questions about how you would approach adding features or test coverage.

What I want to know is: how high does your heart rate go? Does it go up just a little, as expected for a high stakes situation? Or does it go up a lot, because you honestly have no idea how much another dev in your situation would be expected to accomplish, so you have no clue what “good enough” looks like?

This is a crappy example because no interviewer could ever actually use this metric. But I’d say if it goes up a lot, for the reason I gave, you might not be ready for senior. And by this metric, it might not ever be possible to grow to “senior” without working at a company with large multi-team projects. But I think that’s accurate.

(Edit: yes, sorry, Software Development Engineer. I think that’s a protected term in the US, in Texas and California at least, but anywhere else in the US you don’t need to pass an engineering board exam to use that title.)

I don’t know if this is a reasonable thing to want, but I want to create it if it doesn’t. Or I need to understand why my expectations are warped.

I have this impression that, in 1995, you could just stand up a Solaris or Sys V UNIX box on the public internet, run some common default services that most people wanted on a “standard internet host” and they would more or less do ok. Try that today, of course, and things would not be ok.

I think there should be a guide for creating a similar environment with free (and/or “free”) software. My version would start with: you’ll need server hardware totaling around 32 GB of RAM or more, on one machine or several. Recycled laptops or corporate desktops work, though you’ll need vlan aware switching if multiple machines. We’ll assume a static ip and a domain with dnssec support. Here’s what that means.

And then a sort of step by step for a management vlan, a vm hypervisor, management vm, firewall, gsa/openvas, an apt-mirror VM, and then we start setting up services. Each service gets its own VM, and gets a /30 net and firewall rules allowing minimum permissions. DNS, then OpenLDAP, then haproxy, then email, etc.

I’ve been on a journey setting this all up for myself, and I think my biggest problem has been understanding the abstract concepts. I was following an OpenLDAP walkthrough, for example, without really understanding how different clients would be using it. I found a whole series of articles on setting up email, and was able to adapt their approach (single hosted VM, sql storage for user info) to my own (four VMs, LDAP storage for user info). But I’m still struggling with postfix mapping tables for example.

Setting aside if it’s possible to find this sort of “follow these steps for an exceptionally secure, though maintenance heavy, internet site!” walkthrough, is this even something people want? Maybe I’m being too egocentric, assuming everyone must want what I want. The whole thing is unmaintainable if the reader is just walked through the steps without getting a deep understanding of what and why. Maybe people looking for walkthroughs generally don’t want all of the extra steps.

Does what I’m proposing make sense? Should it exist? Does it already?

I hope this is ok to say, but I don’t think there was any part of what I said that you disagreed with.

I completely agree on all points. Those people have a dishonest agenda and they’ve figured out how to manipulate human nature to get what they need from part of an otherwise-good populace.

Hey now, I know the average Bush voter in the late 90s wasn’t like this. Blind hate for half the country just destroys the country. This is a new problem.

Whatever this new thing is, the small group doing this - not the ever growing group being exposed and converted by it - deserves everything you’re saying. But don’t give up on your conservative family members. We’ll figure out how to stop the flow of hateful brain junk food eventually. We can go back to just politically disagreeing with them, instead of being irrationally hated by them. And vice versa.