Thank you for your reply, but to be clear, I’m not looking for individual details to be spelled out in comments. What you said is absolutely correct, thoughtful, and very helpful. But emotions are running a little high and I’m worried I’ll accidentally lash out at someone for helping. Apologies in advance.

But do you have any links? Beyond just the general subjects of security architecture, secure design, threat modeling, and attack surface identification, I’d love to see this hypothetical “generic VM and web application housing provider in a box” come with a reasonably secure default architecture. Not what you’re running, but how you’re running it.

Like, imagine decades in the future, internet historians uncover documentation and backups from a successful generic hosting company. They don’t necessarily care what their customers are hosting, their job is to make sure a breach in one customer’s stuff doesn’t impact any other customer. The documentation describes what policies and practices they used for networking, storage, compute, etc. They paid some expensive employees to come up with this and maintain it, it was their competitive advantage, so they guarded it jealously.

I’d want to see that, but (a) a public, community project and (b) now, while it’s still useful and relevant to emulate it in one’s own homelab.

If I can get some of that sweet, sweet dopamine from others liking the idea and wishing for my success, maybe I can build my own first version of it, publish my flawed version, and it can get feedback.

I’ve been struggling to wrap my head around a good security architecture for my mspencer.net replacement crap. Could I bug you for links?

I figured out a while ago to keep VM host management on a management VLAN, and I put each service VM on its own VLAN with heavy, service-specific firewalling and a private OS update repo mirror - but after hearing about ESXi jackpotting vulns and Broadcom shenanigans, I’ve gotten really disheartened. I’d love some safe defaults.

I think this needs to exist, but as a community supported system, not as a commercial product.

Pick a set of open technologies - but not the best, lightest weight, just pick something open.

Come up with a security architecture that’s reasonably safe and only adds a moderate amount of extra annoyance, and build out a really generic “self-hosted web hosting and VM company-like thingy” system people can rally around.

Biggest threat to this, I think, is that this isn’t the 90s and early 2000s any longer, and for a big project like this, most of the oxygen has been sucked out already by free commercial offerings like Facebook. The technical family friend offering to self-host email or forums or chat no longer gets gratitude and love, they get “why not Facebook?”

So… small group effort, resistant to bad actors joining the project to kill it, producing a good design with reasonably safe security architecture, that people can install step by step, and have fun using while they build and learn it.

Married, we both work from home, and we’re in an apartment.

First, all of my weird stuff is not between her work and living room pcs and the internet. Cable modem connects to normal consumer router (openwrt) with four lan ports. Two of those are directly connected to her machines (requiring a 150-ish foot cable for one), and two connect to my stuff. All of my stuff can be down and she still has internet.

Second, no rack mount servers with loud fans, mid tower cases only. Through command line tools I’ve found some of these are in fact capable of a lot of fan noise, but this never happens in normal operation so she’s fine with it.

Separately I’d say, have a plan for what she will need if something happens to you. Precious memories, backups, your utility and service accounts, etc. should remain accessible to her if you’re gone and everything is powered off - but not accessible to a burglar. Ideally label and structure things so a future internet installer can ignore your stuff and set her up with normal consumer internet after your business internet account is shut off.

Also keep in mind if you both switch over so every movie and show you watch only ever comes from Plex (which we both like), in an extended power outage situation all of your media will be inaccessible. It might be good to save a few emergency-entertainment shows to storage you can browse from your phone, usb or iXpand drive you can plug directly into your phone for example.

Oh boy, Michael Spencer Jr., the ghost of GitHub past! With a bio as empty as your follower count dreams, you’ve managed to accumulate a whopping three followers—congratulations on that ambitious social life. Your repos are a trip down memory lane for those still stuck in 1982, complete with assembly language nostalgia. It’s like you’re interviewing for a job in a museum of coding flops.

Your “BenedictionGame” is a masterpiece of zero stargazers—truly a testament to your extraordinary ability to create absolute nothingness in a world craving entertainment. And let’s not overlook your “CaseSwapper” that swaps cases. Wow, riveting stuff! At least your repos prove you can follow the lead when it comes to forking other projects, though I’m disappointed to see you haven’t pirated the skill to write something original.

In summary, your profile is a stark reminder that not everyone is cut out for coding fame. Maybe it’s time to swap some skills instead of just cases.

—————

Ok that’s pretty funny :-) I was hoping it would detect notable positive things and roast them like negatives, though.

I self host, on a personal domain I registered in June 2000. Mostly followed a 13?-part tutorial at I think linuxbabe dot com, was the first one that seemed to genuinely be trying to help you set up a good environment, not just as a way to say “doesn’t this sound difficult? Impossible even? Coincidentally you can pay us to do this instead.” Except I put everything on its own VM instead of all on one. (Even a VM for just opendkim, which was maybe not necessary.)

Mostly iPhone mail app and/or Roundcube webmail.

Yes highly recommend it, for receiving email. Greylist blocks like 99.8% of spam. Sending works fine for me, because it’s an old domain with history. I don’t think brand new domains have the same experience.

Also, the development and evolution of these open technologies relies on human interest and attention, and that attention can be diminished, even starved, by free, closed offerings.

Evil plan step 1: make a free closed alternative and make it better than everything else. Discord for chat, Facebook for forums and chat/email, etc.

Step 2: wait a few years, or a decade or more. The world will largely forget how to use the open alternatives. Instant messengers, forums, chat services, just give them a decade to die out. Privately hosted communities, either move to Facebook, pay for commercial anti-spam support, spend massive volunteer hours, or drown in spam.

Step 3: monetize your now-captive audience. What else are they going to use? Tools and apps from the 2000s?

Plagiarism should be part of the conversation here. Credit and context both matter.

How much stock ownership remains with the nonprofit Raspberry Pi Foundation? And will that be enough to hold off shareholder complaints that they aren’t being evil enough?

I use Due on iOS for repeating timers/reminders where I need it to be persistent and annoying because the task is important. Like paying rent, or physical therapy “homework” I kept forgetting. The persistence might be good if you’re worried you’ll just dismiss a normal alarm or forget to start the next timer.

Yeah a bit. IBM QRadar is alright. I’m confident there’s something real (and real expensive) underneath the buzzword salad in that article.

Clearly my comment annoyed you. What should I have done differently? Apart from switching away from Windows, what plan or idea should I have attempted to rally support for?

Ok that tears it. What firewall rules do I need to set so I get security updates and absolutely nothing else?

Hello, friend, my name is Michael-O-2. I’m super excited to meet you! I can’t wait to learn about all the new and exciting ways we get to serve Friend Computer together!

Now if you don’t mind looking away for a moment, I need to duck into this dark corridor, do some rhythmic tappy-taps with my knuckles on this maintenance panel, and then talk to myself about absolutely nothing in particular. I’ll be right with you, new best friend!

. . .

I’m back. No, I’m fine, my face always looks like this when I’m happy to serve Friend Computer! We should get going though. After you.

No, seriously, after you. I insist.

(God I miss Paranoia. Still have my old Paranoia XP books somewhere. I was a crappy GM, but someone had to do it.)

Friend Computer is best comrade!

Agreed. They are deliberately taking advantage of the fact that people don’t understand how autopilot is actually used in aircraft.

Sure, the most pedantic of us will point out that, with autopilot enabled, the pilot-flying is still in command of the aircraft and still responsible for the safe conduct of the flight. Pilots don’t** engage autopilot and then leave the cockpit unattended. They prepare for the next phase of flight, monitor their surroundings, prepare for top-of-descent, and to stay mentally ahead of the rapid-fire events and requirements for a safe approach and landing. Good pilots let the autopilot free them up for other tasks, while always preparing for the very real possibility that the autopilot will malfunction in the most lethal way possible at the worst possible moment.

Do non-pilots understand that? No. The parent poster is absolutely correct: Tesla is taking advantage of peoples’ misunderstanding, and then hiding behind pedantic truth about what a real autopilot is actually for.

** Occasionally pilots do, and many times something goes horribly wrong unexpectedly and they die. Smart, responsible pilots don’t. Further, sometimes pilots fail to manage their autopilot correctly, or use it without understanding how it can behave when something goes wrong. (RIP to aviation Youtuber TNFlygirl who had a fatal accident six days ago, suspected to be due to mismanagement of an unfamiliar autopilot system.)

Hmm I’ve got an old Compaq 575e with a PCNet32 nic, and an old 3com 3c509 ISA adapter in a closet with 10base2 and AUI ports.

Use a modem router or managed switch to get down to 100baseT, give this box a Linux distro, enable Ethernet bridging in the kernel, and slaps case this baby can drop almost 20k packets a second, no sweat!

Ok now I’m curious what I’m missing out on. Can anyone recommend a good PCIe token ring adapter and concentrator?

Really great ideas. I read up a bit on Fediblock and I think you’re absolutely right.

If I could riff off of your ideas a bit: instance-blocking recommendation lists bundle an entire stack of things together:

• statements of fact or intent: this is wrong, this is right, this is insulting and harmful, this is insulting but not harmful if you can laugh at it

• value judgements about those statements: I care about this issue but not that issue, this wrong statement is easily disproven, that wrong statement takes paragraphs to disprove, etc.

• actions to take based on those value judgements: block, tag with a statement, link to an article, etc.

With things bundled, the whole stack has to be a pretty close match for a user’s own values, or else there’s friction. The user can just tolerate the friction, maybe miss out on some content, or they can decide to switch to a whole new list.

Suppose we could unbundle those from each other. Subscribe to the work of a group of volunteers that recommends safe defaults but lets you customize things when you encounter friction points.

I feel like we need different ways to share and learn things about harmful posts and comments. Like, sure maybe your server aggregates the posts, and because you own the server you can remove or edit things if you really want to. But I should be able to say “this is objectively wrong in a dangerous way, and here’s proof” in a side channel that the server owner can’t block.

And for it to have any point at all, clients should be able to subscribe to feeds. Like, a science educator I respect can say “I trust this foundation that fights harmful disinformation” and I should be able to click a button and see their stuff. Without the server owner banning me for some weird reason.