Justin Thomas

Creator of Enigmatick. Christian.

Fractional CISO at justinthomas.pro
CTO at Emerald Broadband
Previously at Fastly, Joyent, Simple, Umpqua Bank, Symantec, and others

PNW native. Call-sign: N2JDT (General)

Languages: Rust, TypeScript, Python, English, Welsh
Multi-instrumentalist: Piano, Eurorack, Guitar

2025-06-13

Using my amateur woodworking skills, I built myself a server rack using red oak and 72" metal rails last year. It lives in a dedicated corner of my basement where sound and heat are manageable challenges. It has since housed several enterprise switches (SONiC) and routers (VPP) I've been building around.

My venerable DS1513 NAS is now 12 years old, so I decided to leverage the rack and move to a Supermicro X11-based server running TrueNAS SCALE to replace it. 12 drives, 40 cores, 2 x 25Gb NICs, and 128GB of ECC RAM later, I may have overdone it a little. But it's a very nice upgrade. I finished moving the NFS shares for this service over tonight and migrating to a new database running on the NAS server itself (which eliminates a long-standing pain point with iSCSI).

I'm considering just turning down my long-running Mastodon instance in favor of leaning in to #Enigmatick. As a result, I'm sending out lots of follow requests. Feel free to follow me back here, as this is what I'll be paying attention to moving forward.

Justin Thomas boosted:

#MusicProduction picks of the day:

➡️ @ardour - Free open source digital audio workstation

➡️ @zrythm - Different FOSS DAW

➡️ @tenacity - FOSS audio editing & recording software, forked from Audacity

➡️ @DawVert_FOSS - FOSS DAW project file converter

➡️ @MusicRadar - Music equipment news & reviews for people who make music

➡️ @linuxdaw.org - News feed from Linux DAW highlighting audio software for Linux

➡️ @Jyoti - Musician, singer, producer, writer, famous as "White Town"

🧵 1/3

2025-05-23

I've been casually battling (and regularly cursing) Cloudflare's apparent hatred of HTTP connections generated by reqwest for a few months. A request from curl on my core server to download an image on Cloudflare-protected servers (e.g., for local caching) works fine. But using the same UA and headers, a connection from reqwest triggers a 403.

I finally took the time to chase it down last night and found this GitHub issue. Implementing the recommendation to include features for http2 and native-tls-alpn seems to have solved the issue; I'm now seeing images properly cached from servers that I've long had trouble with.

#Rust #FediDev #DitchCloudflare

2025-04-14

@arichtman To prevent MITM attacks that handle the HTTPS session to the server and pass along an unencrypted session to the client. With HSTS set, the client browser will reject that.
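The downgrade the reply describes, as an added example that is not part of the post: a stripping proxy terminates HTTPS itself and can only offer the client plain http://, and a client holding a cached Strict-Transport-Security policy rewrites that request to https:// instead of following it. The parser, store and host names are constructed for illustration; the decision logic follows RFC 6797 (max-age, includeSubDomains, max-age=0 clearing the entry).

```python
def parse_hsts(value):
    """Parse Strict-Transport-Security -> (max_age, include_subdomains), or None if unusable."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                max_age = int(val.strip().strip('"'))
            except ValueError:
                return None          # a header with a bad max-age is ignored
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None or max_age < 0 else (max_age, include_sub)

def note_response(store, host, header_value, now):
    """Record the policy a host sent over HTTPS; max-age=0 clears it."""
    policy = parse_hsts(header_value)
    if policy is None:
        return
    max_age, include_sub = policy
    if max_age == 0:
        store.pop(host, None)
    else:
        store[host] = (now + max_age, include_sub)

def must_use_https(store, host, now):
    """True if host itself, or a parent domain with includeSubDomains, has a live policy."""
    labels = host.split(".")
    for i in range(len(labels)):
        entry = store.get(".".join(labels[i:]))
        if entry and entry[0] > now and (i == 0 or entry[1]):
            return True
    return False

def resolve_scheme(store, scheme, host, now):
    """The scheme the client actually connects with. A stripping proxy can only
    hand the client http://; a cached policy makes the client use https:// anyway."""
    if scheme == "http" and must_use_https(store, host, now):
        return "https"
    return scheme

# Constructed scenario: the policy is seen once over HTTPS at t=1000, then the
# client is handed a plain-http link to the same site (and to a subdomain).
store = {}
note_response(store, "example.test", "max-age=31536000; includeSubDomains", now=1_000)
```

Before the first HTTPS visit the cache is empty and the downgrade still works, which is why the browser preload list exists.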

Justin Thomas boosted:
Futuristic Robert [KJ5ELX] (0xF21D@infosec.exchange)
2025-03-17

So, Cloudflare analyzed passwords people are using to log in to sites they protect and discovered lots of re-use.

Let me put the important words in uppercase.

So, CLOUDFLARE ANALYZED PASSWORDS PEOPLE ARE USING to LOG IN to sites THEY PROTECT and DISCOVERED lots of re-use.

[Edit with H/T: benjojo.co.uk/u/benjojo/h/cR4d]

blog.cloudflare.com/password-r

#cloudflare #password #cybersecurity

2025-03-13

@arichtman This is distressingly long overdue. One less reason to open Chrome on my mobile.

2025-02-16

@miah Is the red leakage or epoxy? I'd expect the tops to be bulging or leaking if the caps had failed (although admittedly I don't do much with old boards).

2025-02-10

@reiver Take a look at this document on GitLab. I'm rewriting the encryption layer to use OpenMLS instead of Vodozemac, so the details there are out-of-date. But that will give you some idea of the goals.

2025-01-31

@jalefkowit I still feel this way about "architect" as a verb even though it's become ever-increasingly common jargon in my field over the last 25 years.

I refuse to use it that way and I look askance at people who choose otherwise.

Justin Thomas boosted:
2025-01-30

The way things are headed, the word "security" is in danger of becoming a liberal slur. Long rant ahead explaining why this notion keeps popping in my head.

The subtext of the entire GOP playbook Project 2025 is that liberals have "weaponized" the government against conservatives and have been abusing that power to censor and unconstitutionally stifle their views and voices.

This ongoing injustice, they argue, justifies emptying all government agencies of any people, entities or ideologies that don't align with these views. If you're asking why at this point, remember that the president promised this term is all about retribution and settling scores, real or otherwise.

Why does Maga keep couching everything in terms of censorship? Disinformation researcher Kate Starbird nailed it in a Bsky thread from Nov. 2023, about how Maga lawmakers and their supporters mostly stopped parroting Trump's lies about election fraud as Biden's term went on, and instead pivoted to the deep threat of "censorship". This, she argues, allowed Trump supporters to distract from the violence on Jan. 6, and to claim that the real threat to democracy wasn't this interruption of the peaceful transfer of power, but the so-called "censorship" of conservatives by "The Deep State."

"The deep story of 'censorship' is also a redemption story for influencers whose repeated falsehoods about the election stoked the grievances that led to Jan 6," Starbird wrote. "They get to play the parts of victims & heroes again. And no matter the veracity of their claims, to their audiences, the story rings true."

bsky.app/profile/katestarbird.

Starbird was one of many researchers whose work came under heavy scrutiny by the House Judiciary Committee’s Select Subcommittee on the Weaponization of the Federal Government. Led by GOP Rep. Jim Jordan of Ohio, the committee’s stated purpose was to investigate alleged collusion between the Biden administration and tech companies to unconstitutionally shut down political speech.

The GOP committee focused much of its ire at members of the short-lived Disinformation Governance Board, an advisory board to DHS created in 2022 (the “combating misinformation, disinformation, and malinformation” quote from Trump’s executive order is a reference to the board’s stated mission). Conservative groups seized on social media posts made by the director of the board, who resigned after facing death threats. The board was dissolved by DHS soon after.

In his first administration, President Trump created a special prosecutor to probe the origins of the FBI’s investigation into possible collusion between the Trump campaign and Russian operatives seeking to influence the 2016 election. Part of that inquiry examined evidence gathered by some of the world’s most renowned cybersecurity experts who identified frequent and unexplained communications between an email server used by the Trump Organization and Alfa Bank, one of Russia’s largest financial institutions.

Trump’s Special Prosecutor John Durham later subpoenaed and/or deposed dozens of security experts who’d collected, viewed or merely commented on the data. Similar harassment and deposition demands would come from lawyers for Alfa Bank. Durham ultimately indicted Michael Sussman, the former federal cybercrime prosecutor who reported the oddity to the FBI. Sussman was acquitted in May 2022. Last week, Trump appointed Durham to lead the U.S. attorney’s office in Brooklyn, NY.

Lest anyone think these Project 2025 playbook items are just words on a page written by some political lackey, Trump also last week issued two executive orders -- one called "Ending the Weaponization of the Federal Government," and another titled "Restoring Freedom of Speech and Ending Federal Censorship." The last few paragraphs were lifted from this week's story about all the upheaval in federal cybers over the past week: krebsonsecurity.com/2025/01/a-

It doesn't take a rocket surgeon to figure out that the GOP will likely expand the number of ad hoc committees that seek to leave no stone unturned in their quest to find and root out the Deep State conspirers who are trying to stifle conservative voices. And we will likely see similar persecution of people in the security and research community who've been doing important work tracking disinformation networks, among other things.

NB: The disinformation stuff tends to be proxied through the same providers where most of the mass brute force vulnerability/credential stuffing attacks come from, and it's almost invariably tied to Russia-backed networks or cybercriminal actors.

Which brings me back (finally) to the first line of this post. If you are not interested in hearing the truth about disinformation, by extension you are also probably not too keen on people working to block it either. In fact, why should you want to block it at all, if the overall message is in support of this "censorship" worldview? Or in support of some other conservative or authoritarian messaging?

In this context, all kinds of security concerns become a threat to the censorship ideology. This includes vulnerability research, data analysis, incident response, site or network-specific threat metrics, the list goes on. At some point, pretty much all security efforts constitute some form of network censorship.

I'm not going to say that cybersecurity has always somehow been a "bipartisan" issue. For one thing, there are always way more than two sides to any story, and that term has somewhat lost its meaning. But at least until around when Trump first took office, support for tech-focused legislation was generally not broken down along party lines (except maybe in areas like government surveillance).

Cybersecurity has and always will be a very political challenge, at every level, for all organizations. But we just can't afford to let it become a deeply partisan issue, because then we are truly lost.

Why does any of this matter? There is very little daylight anymore between the priorities and prerogatives of cybersecurity and national security. As one goes, so goes the other.

2025-01-28

@nlnet A positive move, I think. But it does cast light on the awkward position of small ISPs who lease IPv4 space from non-ROA-issuing providers like Cogent.

Also, it may portray RPKI as more powerful than it is. It's useful to bind a prefix to an AS, but doesn't help in determining if one AS should be announcing resources from another (i.e., upstream provider relationships).
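The limit described in the reply, shown as an added example (not code from the post): route origin validation per RFC 6811 checks only the origin AS at the end of the AS path against the ROAs, so a route that reaches the validator through a transit AS that should never carry it still comes back "valid". The ROAs, prefixes and AS numbers below are constructed from documentation ranges.

```python
import ipaddress

# Constructed ROAs: (prefix, maxLength, origin ASN). An ROA authorises the
# origin AS to announce the prefix and any more-specific up to maxLength.
ROAS = [
    ("192.0.2.0/24", 24, 64500),
    ("198.51.100.0/22", 24, 64501),
]

def rov_state(prefix, origin_asn, roas=ROAS):
    """RFC 6811 route origin validation: 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_len, roa_asn in roas:
        roa = ipaddress.ip_network(roa_prefix)
        if route.version != roa.version or not route.subnet_of(roa):
            continue
        covered = True                      # some ROA covers this prefix
        if roa_asn == origin_asn and route.prefixlen <= max_len:
            return "valid"
    # Covered by a ROA but no (origin, length) pair matched -> invalid;
    # no covering ROA at all -> not-found (most networks accept these).
    return "invalid" if covered else "not-found"

def validate_announcement(prefix, as_path, roas=ROAS):
    """Validate a received route. Only the rightmost AS (the origin) is
    consulted; every transit AS in front of it is ignored, so a path that
    leaks the prefix through an unrelated AS validates exactly like a clean one."""
    origin = as_path[-1]
    return rov_state(prefix, origin, roas)
```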

2025-01-25

I loaded a game on my Pixel for the first time in years this morning. It's a simple knot untying thing that looked interesting. And it had an option to purchase "no ads" once the game was loaded, which is a prerequisite for me. So I loaded it, clicked the button to disable the ads and sent my $3.99.

The game is maybe too simple; I burned through the first 40 levels within 20 minutes or so. It has a lot of flashy graphics and invitations to buy more tokens or boons or whatever. I ignored those.

But in one level, I accidentally used one of the "free" boons and it put the board in a state that I had to use another to undo it. But you can't earn those boons, they have to be purchased either with money or by watching an ad.

I watched the ad, finished the level, uninstalled it, and had Google refund my purchase: "purchase does not function as stated." I just have zero tolerance for this bullshit anymore.

#Enshittification #Freemium

2025-01-21

@jochenwolters I've used GitLab for years and have appreciated how it has developed. I still use it as my primary and mirror some things to GitHub from there for increased visibility.

2025-01-20

@jdt This may end up being the difference between:

let content_type = get_header("content-type");

…and…

let content_type = request.content_type().map(|x| x.to_string());

In the first, I'm using a function that interacts with the headers() map directly. In the second (which is what I had been using), I'm passing the processing through Rocket's ContentType struct. I think that may be where my problem lies.

Rebuilding now.

2025-01-20

I've been debugging some signature problems with #Pixelfed this evening and just discovered the root cause. Using the param accessors on a rocket::request::Request strips the " characters from the header strings. That causes a verification string from Pixelfed to look like this:

(request-target): post /user/jdt/inbox
host: enigmatick.social
date: Mon, 20 Jan 2025 03:29:29 GMT
digest: SHA-256=tvVdCEGSoxNEj7oVFAP605tc/SddUSK7TvqoI51qAsI=
content-type: application/ld+json; profile=https://www.w3.org/ns/activitystreams
user-agent: (Pixelfed/0.11.9; +https://pixels.jdt.io)

However, Pixelfed signs a string that looks like this:

(request-target): post /user/jdt/inbox
host: enigmatick.social
date: Mon, 20 Jan 2025 03:29:29 GMT
digest: SHA-256=tvVdCEGSoxNEj7oVFAP605tc/SddUSK7TvqoI51qAsI=
content-type: application/ld+json; profile="https://www.w3.org/ns/activitystreams"
user-agent: (Pixelfed/0.11.9; +https://pixels.jdt.io)

Note the content-type differences. For cryptographic purposes, that's a deal breaker.

I spent some time reading the Pixelfed source code and mocking up the verification routines to finally arrive at that discovery. Adding the double quotes manually allows the verification to be successful.

I'll look up the specifications in a second, but #lazyprogrammer question: is that a problem at Pixelfed or in Rocket? Are HTTP headers supposed to be stripped of double quotes?

#Rust #RustLang #ActivityPub
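The check described in the post, rebuilt as an added example (not Enigmatick's or Pixelfed's code): the draft-cavage HTTP Signatures signing string is the listed headers joined with newlines, with (request-target) expanded and each value taken verbatim, so any byte the receiver's framework alters (here, the stripped quotes around the profile parameter) produces a different string and a failed verification even when the RSA code itself is right. The request body is constructed; the Digest value is recomputed from it rather than copied from the post.

```python
import base64
import hashlib

def signing_string(method, path, headers, signed_headers):
    """Build the string the signature covers: one 'name: value' line per entry in
    the Signature header's `headers` list, in that order. (request-target) becomes
    '<lowercase method> <path>'; every other value is used exactly as received."""
    lines = []
    for name in signed_headers:
        if name == "(request-target)":
            lines.append(f"(request-target): {method.lower()} {path}")
        else:
            lines.append(f"{name}: {headers[name]}")
    return "\n".join(lines)

def digest_matches(body, digest_header):
    """Check a Digest header of the form SHA-256=<base64> against the body bytes."""
    algo, _, expected = digest_header.partition("=")
    if algo.upper() != "SHA-256":
        return False
    actual = base64.b64encode(hashlib.sha256(body).digest()).decode()
    return actual == expected

# Constructed request mirroring the post's headers; content-type keeps the
# quotes exactly as Pixelfed signed them.
SIGNED = ["(request-target)", "host", "date", "digest", "content-type", "user-agent"]
BODY = b'{"type":"Create"}'   # constructed body, not the original request
HEADERS = {
    "host": "enigmatick.social",
    "date": "Mon, 20 Jan 2025 03:29:29 GMT",
    "digest": "SHA-256=" + base64.b64encode(hashlib.sha256(BODY).digest()).decode(),
    "content-type": 'application/ld+json; profile="https://www.w3.org/ns/activitystreams"',
    "user-agent": "(Pixelfed/0.11.9; +https://pixels.jdt.io)",
}

def verifier_string_matches(received_content_type):
    """Rebuild the string from what the receiving server saw and compare it with
    what the sender signed. A mismatch here means the signature cannot verify,
    no matter how the public-key step is implemented."""
    sent = signing_string("POST", "/user/jdt/inbox", HEADERS, SIGNED)
    received = {**HEADERS, "content-type": received_content_type}
    got = signing_string("POST", "/user/jdt/inbox", received, SIGNED)
    return sent == got
```

Reading the raw header map (the first form in the earlier reply) keeps the quotes; routing the value through a parsed ContentType and re-serialising it is where they were lost.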

Justin Thomas boosted:
Ethan Zuckerman (ethanz@social.coop)
2025-01-19

To be slightly blunter than The Atlantic allowed me to be: the tiktok ban is a protectionist subsidy to Meta and Google worth hundreds of billions of dollars: theatlantic.com/ideas/archive/

2025-01-19

I can be wry about the TikTok situation because I have literally never installed that app and its absence has zero impact on me or my family (in fact, I'll be pleased to not have it show up in any search results).

…but it sets a precedent that might wind up being a huge pain in the neck for me (as the CTO of a small ISP that deploys TP-Link devices for CPE in high density deployments) if the government goes through with banning TP-Link devices due to trumped up characterizations of their relative vulnerability levels and susceptibility to CCP influence.

I'll have opinions about that.

2025-01-19

…and nothing of value was lost.

Justin Thomas boosted:
2025-01-19

There is a VPP developer meet-up at FOSDEM. If you'd like to join, please add your availability at framadate.org/5ZUpqDenPBwenfgq per Ben Ganne's request.

I will be there as well, and have a tech-talk at the #fosdem Networking devroom with a set of VPP-minded folks. Check out the FOSDEM schedule!

2025-01-18

#Enigmatick's timeline retrieval performance was getting a little slow, so I spent some time optimizing my PostgreSQL queries yesterday. I was able to take the EXPLAIN ANALYZE loop from 17 seconds (an exaggeration of the actual experience in production of a delay of about 2 seconds) to 53ms. It was mostly down to a JOIN that employs a JSONB_AGG to pull in Actor records associated with an Activity to avoid having to make additional calls. The way I was matching against the attributed_to JSONB column was apparently slowing things down.

I also have some #Wasm calls that proactively transform #E2EE asymmetrically encrypted messages to symmetrically encrypted vault items. Those run on each load of the timeline, but I was able to use spawn_local to move the processing to a background task for timeline views that don't display encrypted content.
