Interesting approach but looks like this ultimately ends up:

• being a lot of babysitting / manual work
• blocking a lot of humans
• not being robust against scrapers

Anubis seems like a much better option, for those wanting to block bots without relying on Cloudflare:

https://anubis.techaro.lol/

If they don’t keep any private data on any computer that trusts their home network/wifi and don’t do taxes or banking on those, there’s no problem.

But if they do, I maintain that the analogy is correct: their unpatched machine is an easy way to digitally get access to their home, just like an unlocked door is to a physical home.

You keep using the word “maintenance”. All I’m worried about is not installing any security patches for months.

The problem that I tried to highlight with my “cherry picking” is:

• Running a machine with open vulnerabilities for which patches exist also “paints a target on your back”: even if your data is worthless, you are essentially offering free cloud compute.
• But mostly, a single compromised machine can be an entrypoint towards your entire home network.

So unless you have separated this Orange Pi into its own VLAN or done some other advanced router magic, the Orange Pi can reach, and thus more easily attack all your other devices on the network.

Unless you treat your entire home network as untrusted and have everything shut off on the computers where you do keep private data, the Orange Pi will still be a security risk to your entire home network, regardless of what can be found on the little machine itself.

No it is

https://www.pandasecurity.com/en/mediacenter/consequences-not-applying-patches/

And:

You’re allowing for more attack vectors that would not be there if the system were to be patched. Depending on the severity of the vulnerability, this can result in something like crashes or something as bad as remote code execution, which means attackers can essentially do whatever they want with the pwned machine, such as dropping malware and such. If you wanna try this in action, just spin up a old EOL Windows machine and throw a bunch of metasploit payloads at it and see what you can get.

While nothing sensitive may be going to or on the machine (which may seem to be the case but rarely is the case), this acts as an initial foothold in your environment and can be used as a jumpbox of sorts for the attacker to enumerate the rest of your network.

And:

Not having vulnerability fixes that are already public. Once a patch/update is released, it inherently exposes to a wider audience that a vulnerability exists (assuming we’re only talking about security updates). That then sets a target on all devices running that software that they are vulnerable until updated.

There’s a reason after windows Patch Tuesday there is Exploit Wednesday.

Yes, a computer with vulnerabilities can allow access to others on the network. That’s what it means to step through a network. If computer A is compromised, computer B doesn’t know that so it will still have the same permissions as pre-compromise. If computer A was allowed admin access to computer B, now there are 2 compromised computers.

From https://www.reddit.com/r/cybersecurity/comments/18nt1o2/for_individuals_what_are_the_actual_security/

I used to lose my keys all the time. I don’t want to spend so much time looking for my keys, nowadays I mostly just leave them in the front door, I rarely lock it and it works like a champ.

No.

It is very different from the usual flat corporate style yes, but this is just their branding. Their blog is full of anime characters like that.

And it’s not like you’re looking at a literal ad for their company or with their name on it. In that sense it is subtle, though a bit unusual.

They hit all the right Node(j)s!

For anyone wondering what “TDS” means:

Trump derangement syndrome (TDS) is a pejorative term, used to describe criticism of or negative reactions to President Donald Trump that are perceived to be irrational and to have little regard for Trump’s actual policy positions.[1] The term has mainly been used by Trump supporters to discredit criticism of him, as a way of reframing the discussion by suggesting that his opponents are incapable of accurately perceiving the world.[2][3] Some journalists have used the term to call for restraint when judging Trump’s statements and actions.[4][5][6]

Despite the usage of the term syndrome suggesting a medical condition, TDS is not an official medical diagnosis.[7] A 2021 research study found no evidence to support the existence of TDS among Trump detractors on the left, but instead found bias among his supporters.[8

Source: Wiki

GitOps + Renovate.

Tools that allow you to work GitOps (everything is defined in text files in Git) are:

• Kubernetes
• NixOS
• to a lesser degree, Ansible

Here’s a nice starter template for running your own Kubernetes cluster via GitOps with Renovate pre-configured: https://github.com/onedr0p/cluster-template

Mostly yes, but there are some closed source services which are still good options for this specific threat model.

And I just thought the clear explanation of the why combined with the list, makes this an excellent blog to send to people who don’t get it yet.

The list itself is something most of the people in this community know already, but you might want to send this when someone asks “why?”

Oh, so Rust is like JavaScript!

• @Arcka@midwest.social

https://feddit.nl/comment/15678640

Undervalued comment right there. This is better than the OP

Took a look at the specification, this is what I found:

For federated servers performing delivery to a third party server, delivery SHOULD be performed asynchronously, and SHOULD additionally retry delivery to recipients if it fails due to network error.

So they should retry. Note that should is not the same as must. So there is no obligation. There is no timeline in the spec about for how long or how often retries should be done. The wording says network error.

My interpretation: the spec leaves a lot of room for implementations to differ. Network problems don’t normally last for days though. I’d guess that if your server is down for 5 minutes, you’ll still receive most or everything you’d normally receive. I wouldn’t trust on that if your server is offline for more than a day.

Yes, I test in production and so should you

• Charity Majors

https://www.youtube.com/watch?v=b2oota_FhGY&t=34

There is a reason why NixOS was invented 21 years ago. Reproducible builds are not simple in most packaging build systems.

And at your next job, at an employer who sees the value of FOSS and a nerd with strong Linux-fu!

Animals are individuals, servers are cattle!

The Vegan GitOps lifestyle

Honestly, k8s + GitOps at home is my project that I’m just starting this week. I found a community around it (on Discord 🤮) called Home Operations.

Docker Hub sucks and is VERY strict with rate limits. Try ghcr.io or the aws container registry.

GitOps + Renovate

Gives you:

• automation of updates
• smart notification of updates that are below a certain confidence that it won’t break stuff
• rollback: simply git revert
• the whole shebang

Some stacks that work well with GitOps are:

• k8s + Flux or ArgoCD
• Nix(OS)

Mixing them is a LOT of complexity though. Just pick whichever you are most comfortable with. If you want a declarative immutable OS just for running k8s, check Talos Linux.

If you don’t want to deal with GitOps, Nix or k8s, and you don’t need recent versions, just run Debian and set a cronjob for auto updates. Then only deal with potential breaking changes just once every 5(?) years or thereabouts.