Hacker News | letmetweakit's comments

Why do you even bring this up? The blog post does not contain this message; they rewrote it to eliminate a class of bugs. They don't bash C, so refrain from mentioning what hypothetically could have been written…

Because Hacker News gamifies engagement, and they know that this kind of message tends to attract a lot of upvotes. The whole conversation tree is a carpet of land-mines, laid out in the hopes that someone steps on one so they can pounce.

This sort of gamification of discourse is poison if you actually care about good faith or reasonable discussions. HN is not a good place for either.


He wrote it because he has eyes and has seen how the typical conversations about switching to Rust often go.

> TLS inspection products can intercept the paste transaction before the data leaves the company network, hitting the user with a "No you didn't! Shame on you!"-banner and notifying the admins how a user just tried to paste hundreds of customers' personal information and credit card details into some snooping website, or into an otherwise allowed LLM chat which still is not allowed to be used with confidential information.

Are there tools that do this reliably today without a whole bunch of false positives?
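One reason such products false-positive is that "looks like a card number" is usually just a digit-run regex. The example below is added here and is not from the quoted comment or any vendor product; it runs the same regex over two constructed pastes (documented test card numbers versus 16-digit request IDs from a log) and shows how a Luhn check plus a count threshold separates the two.

```python
import re

# Constructed sample pastes, not real data. The first is the kind of customer
# dump the quoted comment describes, using publicly documented test card
# numbers; the second is a log fragment full of 16-digit request IDs that a
# digits-only regex flags but that fail the Luhn check.
CUSTOMER_DUMP = """\
Alice Smith, alice@example.com, 4111 1111 1111 1111
Bob Jones, bob@example.com, 5500-0000-0000-0004
Carol White, carol@example.com, 378282246310005
"""

LOG_FRAGMENT = """\
request_id=1234567890123456 status=200
request_id=1111222233334445 status=500
"""

# 13 to 19 digits, optionally separated by single spaces or dashes, not
# embedded in a longer digit run.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def count_digit_runs(text: str) -> int:
    """What a naive 'looks like a card number' rule would flag."""
    return sum(1 for _ in CANDIDATE_RE.finditer(text))


def find_card_numbers(text: str) -> list[str]:
    """Candidates that also pass Luhn, normalised to bare digits."""
    found = []
    for m in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            found.append(digits)
    return found


def classify_paste(text: str, threshold: int = 3) -> str:
    """'block' when the paste carries at least `threshold` Luhn-valid numbers.

    A single card number in a support ticket is a weak signal; dozens in one
    paste are not, so the threshold is the second false-positive control."""
    return "block" if len(find_card_numbers(text)) >= threshold else "allow"
```

Luhn only catches about nine in ten random digit strings, so it cuts noise rather than eliminating it; the threshold does the rest, and the threshold value is a policy choice, not something the code can decide.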


I have the impression Tailscale drains my battery on macOS and iOS, so I only turn it on when truly needed.

Yeah, it most certainly does. Very noticeable on iOS. I don’t know if this is an Apple specific thing, or if it’s a similar story on Android.

It’s WireGuard underneath, which is designed to not be very chatty when idle, so I’d put this down to regular back and forth with Tailscale’s control plane, relays, etc.

It’s a shame really, because a huge value prop of TS is that it’s a VPN you just leave on and forget about. I hate having to toggle it when I inevitably forget to and wonder why I’m getting connection errors to private resources.


Shameless self-promotion: I just launched a website [1] that tracks CVEs per kernel version since 2.6.12. It makes use of the tools that Greg KH will probably talk about in his next blog posts.

[1] https://www.kernelcve.com


Macbook and ssh into Linux workstation.

I’d choose Rust because of the better safety guarantees and nice tooling.

Is this new capacity or will some kind of other chip type suffer?

They're spooky names for simple concepts, with extremely deep consequences and hard theory, don't be fooled.

That's rough ... it is a bad, bad world out there.

Try exposing a passwordless SSH server to the outside to see what happens. It'll be tried immediately, non-stop.

Now, all the servers I run have no public SSH ports anymore. This is also why I don't expose home servers to the internet. I don't want that chaos at my doorstep.


Expose it on port 22 on ipv6 and it might as well be invisible. Cleanest logs ever.

Yeah, I have been thinking about hosting a small internet facing service on my home server, but I’m just not willing to take the risk. I’d do it on a separate internet connection, but not on my main one.

You can always use a small Hetzner server (or a free Oracle Cloud one if you are in a pinch) and install tailscale to all of your servers to create a P2P yet invisible network between your hosts. You need to protect the internet facing one properly, and set ACLs at tailscale level if you're storing anything personal on that network, though.

I would probably just ssh into the Hetzner box and not connect it to my tailnet.

Would Tailscale or Cloudflare do the trick? Let them connect to the server.

Yeah, no need for public SSH. Or if you do, pick a random port and fail2ban, or better, just whitelist the one IP you are using for the duration of that session.
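What fail2ban does with an allowlist, as an added example that is not part of the comment above and not fail2ban's own code: parse sshd failure lines, count failures per source inside a sliding window, ban sources that cross the threshold, and never ban the operator's own address. The log lines, addresses and the nftables set name are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd log lines in syslog format (no year). Addresses come from
# the documentation ranges: 203.0.113.7 is a scanner, 198.51.100.5 is the
# operator's own address with one mistyped login before a key login succeeds.
SAMPLE_AUTH_LOG = """\
Jan 10 03:14:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Jan 10 03:14:03 host sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Jan 10 03:14:05 host sshd[1205]: Failed password for root from 203.0.113.7 port 51250 ssh2
Jan 10 03:14:07 host sshd[1207]: Failed password for invalid user test from 203.0.113.7 port 51260 ssh2
Jan 10 03:14:09 host sshd[1209]: Failed password for invalid user oracle from 203.0.113.7 port 51270 ssh2
Jan 10 03:20:00 host sshd[1300]: Failed password for alice from 198.51.100.5 port 40000 ssh2
Jan 10 03:20:10 host sshd[1301]: Accepted publickey for alice from 198.51.100.5 port 40001 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def find_bans(log: str, maxretry: int = 5, findtime_s: int = 600,
              allowlist: frozenset[str] = frozenset()) -> dict[str, datetime]:
    """Return {ip: time_of_ban} for every source with >= maxretry failures
    inside a findtime_s-second window, skipping allowlisted addresses."""
    findtime = timedelta(seconds=findtime_s)
    recent: dict[str, deque] = defaultdict(deque)   # per-IP failure timestamps
    bans: dict[str, datetime] = {}
    for line in log.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue                     # successful logins and other noise
        ip = m.group("ip")
        if ip in allowlist or ip in bans:
            continue
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        window = recent[ip]
        window.append(ts)
        while window and ts - window[0] > findtime:
            window.popleft()             # drop failures older than the window
        if len(window) >= maxretry:
            bans[ip] = ts
    return bans


def nft_ban_commands(bans: dict[str, datetime],
                     set_name: str = "inet filter sshban") -> list[str]:
    """nft commands adding each banned address to an IPv4 set. The set name is
    an assumption; create it first with
    'nft add set inet filter sshban { type ipv4_addr; }' and drop from it."""
    return [f"nft add element {set_name} {{ {ip} }}" for ip in sorted(bans)]
```

The allowlist is the "one IP you are using" part: put your current source address in it before you start a session and the detector can never lock you out, whatever you mistype. The same address in a firewall allow rule, ahead of the drop rule, is the stricter version where nobody else even reaches sshd.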

To avoid needing SSH, just send your logs and metrics out and do something to autodeploy securely; then you rarely need to be in. Or use k8s :)


Whitelisting a single IP (preferably a static one) sounds plausible.

Kubernetes for personal infrastructure is akin to getting an aircraft carrier for fishing trips.

For simple systems snapshots and backups are good enough. If you're managing a thousand machine fleet, then things are of course different.

I manage both, so I don't yearn to use big-stack software on my small hosts. :D


This is just FUD, there is nothing dangerous in having an SSH server open to the internet that only allows key authentication. Sure, scanners will keep pinging it, but nobody is ever going to burn an ssh 0day on your home server.
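"Only allows key authentication" is a property of the effective sshd configuration, including OpenSSH's defaults, not of what the file happens to mention. The checker below is an added example, not from the comment above or from OpenSSH; it parses constructed sshd_config fragments (not from any real host) with sshd's first-value-wins rule and flags the settings that would still let a password scanner in.

```python
# Constructed sshd_config fragments, not copied from any real host. The weak
# one is what many "key-only" servers actually look like: OpenSSH defaults
# PasswordAuthentication and KbdInteractiveAuthentication to yes, so the
# commented-out line changes nothing.
WEAK_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
#PasswordAuthentication no
PubkeyAuthentication yes
"""

HARDENED_SSHD_CONFIG = """\
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
ChallengeResponseAuthentication no
AuthenticationMethods publickey
"""

# OpenSSH defaults for the keywords this audit cares about.
DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "prohibit-password",
}


def parse_sshd_config(text: str) -> dict[str, str]:
    """Global (pre-Match) settings. sshd keeps the first value it sees for a
    keyword, so later duplicates are ignored; keywords are case-insensitive.
    Match blocks and the keyword=value spelling are not handled here."""
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break                     # conditional blocks are out of scope
        settings.setdefault(key, value)
    return settings


def effective(cfg: dict[str, str], key: str) -> str:
    """Configured value or the OpenSSH default, lower-cased."""
    if key == "kbdinteractiveauthentication" and key not in cfg:
        # older configs spell it ChallengeResponseAuthentication (an alias)
        alias = "challengeresponseauthentication"
        if alias in cfg:
            return cfg[alias].lower()
    return cfg.get(key, DEFAULTS[key]).lower()


def audit_sshd_config(text: str) -> list[str]:
    """Findings that would let a password-guessing scanner past 'key-only'."""
    cfg = parse_sshd_config(text)
    findings = []
    if effective(cfg, "passwordauthentication") != "no":
        findings.append("PasswordAuthentication is not set to no (default is yes)")
    if effective(cfg, "kbdinteractiveauthentication") != "no":
        findings.append("KbdInteractiveAuthentication is not set to no (default is yes)")
    if effective(cfg, "pubkeyauthentication") != "yes":
        findings.append("PubkeyAuthentication is disabled")
    if effective(cfg, "permitrootlogin") == "yes":
        findings.append("PermitRootLogin yes; prefer no or the default prohibit-password")
    return findings
```

On a live host, `sshd -T` prints the effective configuration after defaults, includes and Match evaluation, which is the authoritative thing to feed such a check rather than the raw file.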

A few years ago a vulnerable compression library almost got pushed out that major Linux distros linked their OpenSSH implementations to. That was caught by blind luck. I'm confident there's a lot more shit out there that we don't know about.

> This is just FUD.

No, it's just opsec.

> Sure, scanners will keep pinging it, but nobody is ever going to burn an ssh 0day on your home server.

I wouldn't be so sure about it, considering the things I have seen.

I'd better be safe than sorry. You can expose your SSH if you prefer to do so. Just don't connect your server to my network.


"opsec" includes well defined things like threat modeling, risk factors, and such. "Things I have seen" and vague "better safe than sorry" is not part of that.

There are two golden rules of opsec:

    1. Never tell everything you know and have seen.
    2. 
For what I do, you can refer to my profile.

This can be fixed by just using a random SSH port.

All my services are always exposed for convenience, but never on a standard port (except HTTP).


It reduces the noise, yes, but doesn't stop a determined attacker.

After managing a fleet for a long time, I'd never do that. Tailscale or any other VPN is mandatory for me to be able to access "login" ports.


I don’t think it’s hard to imagine that people work better together when they are in the same office. It’s also not hard to imagine people work harder when there’s more social control. From the perspective of the business owner, this makes total sense. Yes, some people work harder and better at home, but, in general, WFH is a net negative for a company I think.

If you trust your employees so little, why even bother employing them in the first place though? And for what it's worth, I'm equally capable of slacking both in-office and at home and I'm definitely not alone in that one, it's just that the slacking is more often in the form of socializing, eating snacks, taking toilet and smoke breaks etc.

We have a choice thankfully, so no one really slacks in person or remotely because surprise surprise, when you treat your employees like human beings and not cogs in the machine they're actually motivated to do good work, who'd'a thunk it?

