Friday, 2021-12-24

<lkcl> let me know when someone from Cuba or Russia is "allowed" to have one. [11:27]
<lkcl> and let me know if you're happy with your new God. your absolute One True Authority and arbiter of your online identity: Microsoft. [11:34]
<lkcl> Raptor Engineering bans its employees from using github because of the risk to their employees, some of whom do Dept of Defense contract work [11:36]
<lkcl> having Microsoft as your God and Absolute Authority means that if they get hacked or demands are made to provide your identity by a Government - and they will - you have zero recourse. [11:37]
<lkcl> at least with a GPG key and a keyring Web of Trust between developers you are not enslaved to the new Gods of your life and identity. [11:39]
<lkcl> also: have you done the code review yet of the firmware for the yubikey? [12:05]
<lkcl> and does it use "FIPS-approved" (U.S. Govt, NSA Certified) crypto ASICs? [12:06]
<lkcl> you realise those ASICs are only certified to pass the tests in the Compliance Suite [12:06]
<lkcl> if you'd said, "the rust team has reviewed the full schematics and firmware used by one of Crowdsupply's many high security security products and has forced Microsoft to accept their use in a peer-distributed Web-of-Trust that Microsoft has no authority or control over" [12:09]
<lkcl> i would have been deeply impressed [12:09]
<Chips4Makers[m]> <lkcl> "and let me know if you're..." <- Says a person who uses Google for email... [15:14]
<lkcl> Chips4Makers[m], i know. i'm not happy about it, and have 15 gb of email to have to move. [15:18]
<lkcl> the "real name" policy had me really concerned about getting cut off from that, i'd be royally screwed [15:19]
<lkcl> i did run my own imap server online for a while: it didn't go well [15:19]
<lkcl> not because of the imap hosting but because of the insane level of spam (something mad like 1,000 spam messages an hour) required more CPU power running spamassassin than was possible for the virtual machine [15:21]
<sadoon_albader[m> You ever think most of the spam is perpetuated by Google and Microsoft to keep you tied to their email services? [15:22]
<lkcl> in the end i went "screw it" and redirected everything through gmail. [15:22]
<lkcl> no, most of it is state-sponsored and mafia. they make enough money - enough people do actually buy viagra - that it's justified [15:23]
<sadoon_albader[m> I've done everything I can short of changing my domain name and I'm still having issues of people not receiving my emails [15:23]
<lkcl> and enough people fall for the scams. i have an otherwise highly-intelligent person with 2 PhDs who contacts me at least once every 18 months to ask if a particular email is a scammer or not [15:23]
<lkcl> sadoon_albader[m, you got dnssec, dmarc, spf, and a fixed IP address? [15:24]
<lkcl> what's the domain? [15:24]
<sadoon_albader[m> I believe I've got all. [15:24]
<lkcl> reverse DNS is not set up [15:25] Reverse DNS does not contain the hostname [15:25] Reverse DNS does not match SMTP Banner [15:26]
<sadoon_albader[m> Huh, I was pretty sure I set that up [15:26]
<sadoon_albader[m> I have some maintenance to do anyways so I'll do it all tonight [15:26]
<sadoon_albader[m> But as far as spam goes [15:27]
<lkcl> my favourite there is teergrube [15:27]
<sadoon_albader[m> I've only received 2 spam emails since setting it up in March or April [15:27]
<lkcl> good grief [15:27]
<lkcl> are you running greylisting at all? [15:27]
<lkcl> yeah it's a little different if you've been running a domain for 20 years [15:28]
<lkcl> Creation Date: 2000-01-20T20:13:57Z [15:28]
<sadoon_albader[m> I just use spamassassin with defaults based on a guide online [15:28]
<lkcl> i did, too - and it ate 1 GB of resident RAM and required 20 processes at any one moment [15:29]
<lkcl> fail2ban i've found extremely useful btw [15:30]
<lkcl> you might also want to enable gzip compression on your website [15:31]
<sadoon_albader[m> I've got a lot to learn heh [15:32]
<lkcl> it was the stylesheet that needed it [15:32]
<lkcl> hey at least you have a brain-dead-simple website, which is awesome [15:33]
<lkcl> 100% score on both mobile and desktop. wow
<lkcl> that's extremely rare [15:33]
<lkcl> 0.2 seconds to first pain :) [15:33]
<lkcl> that puts you in the top 1% of all websites in the world :) [15:33]
<lkcl> 0.2 seconds to first paint :) [15:34]
<sadoon_albader[m> Heheh nice [15:35]
<sadoon_albader[m> It's all written in markdown which I compile to html using Python-markdown [15:35]
<sadoon_albader[m> And the css is borrowed from with minor edits, but he changed his much now so mine resembles it from earlier this year [15:35]
<lkcl> ha. found a great resource on gzip compression for nginx
<octavius> Interesting test resource lkcl, thanks for sharing those. Tested them on my site as well, seems that hostinger isn't too bad of a host provider (though email is missing dmarc) [15:40]
<lkcl> whoops :) [15:44]
<lkcl> octavius, i just searched online "email domain checker" or something [15:45]
<lkcl> wtf in /var/log/nginx/error.log "/usr/lib/open() security.txt" ??? [15:54]
<programmerjake> idk if it's this exact one, but a teardown of a similar yubikey revealed it uses
<programmerjake> re russia, cuba --- if i made my own security chip it'd likely be illegal for me to sell it to someone in russia or cuba or iran or a few other isn't my fault (or microsoft or github or yubico), it's the us government's export restrictions or the other government's legal restrictions (iirc that's the case for russia), so no amount of complaining could get around that unless I managed to get the law changed (basically [18:26]
<programmerjake> yubico does have a fips-compliant version that they make [18:27]
<lkcl> this one's one of my favourites - runs a general-purpose linux OS with an iMX6 (superb processor with a 19-year lifetime support from Freescale/NXP)
<lkcl> another one is this - - which uses an STM32F4, which is an excellent processor, supported by libopencm3 [19:37]
<lkcl> and this one apparently works with github 2FA
<lkcl> never heard of the STM32F7 series before, must be new [19:39]
<lkcl> as all of those are general-purpose computing devices - no on-board hardware encryption - their sale cannot be restricted [19:41]
<programmerjake> btw, i'd be using it as additional authentication with a password, not as a password replacement. [19:46]
