Hm~, it seems that I've used https://github.com/chutz/mullvad-netns in the past instead of systemd-based netns creation (I don't really recall much about it apart from not having difficulties setting it up).
Now that I've looked for related tooling, I've noticed that https://github.com/jamesmcm/vopono exists. However, I've first heard of it right now, so I have no opinion even on whether it actually works.
@tqbf I'm sort of tired of the HN explanation that Google is doing stuff like that as a part of some secret agenda, though.
I call it an "asymmetry of nudges". One day, you dream up a way to improve security or make the platform cooler. If an unintended side effect of your proposal is that Google could lose revenue or market position... you just check yourself and don't go with it. If you try anyway, you will be arguing with execs for months or years. Even if you win, the effort to ship such features is high and the throughput is low.
The opposite is not true: if your feature could accidentally strengthen your company's position in some morally questionable way... the answer is just "we're the good guys, and it's not why we're doing this". If 3-5 years down the line, some PM in another org unit decides to use your feature precisely the way the critics feared - well, it's too late at that point.
So you get this gradual drift that is just an emergent property of the corporate culture. But if your only argument is "you have evil intentions" or "well, but your company could theoretically abuse it down the line", you're not gonna win too many debates.
@sgf Do you want to count a user as active if they made any public posts?
What distribution are you using and does it use systemd?
For some people, because education research is research _on_ people, which requires treating them as research subjects.
For some others, because it requires confronting the same things that frustrate them when interacting with people: e.g. that one cannot assume literal meaning of what people say is what they mean, or that whether people get convinced that X is true is very path-dependent.
Wouldn't that be even more confusing in other edge cases? If the first path entry acquires something that matches, but you have a matching entry in a later path entry cached, you'll execute that entry no matter what unless you abandon caching altogether (or use inotify or sth to invalidate it, which iirc would introduce races).
@freemo In which direction?
What about using multiple remote browsers à la qubes in Qubes?
@irving Whenever that's important we already use such functions: you can construct something with circuit depth of f(security parameter)*log(input size) by computing the Merkle tree root hash.
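To make the depth claim concrete, here is an added example (mine, not from the thread or from @irving): a Merkle root over SHA-256 where every level's hashes are independent, so the number of sequential hash rounds is 1 + ceil(log2 n), against a plain hash chain whose depth is n. The `leaf_hash`/`node_hash` domain separation and the carry-up of an unpaired node are my choices, not something the thread specifies.

```python
import hashlib
from typing import List, Tuple


def leaf_hash(data: bytes) -> bytes:
    # Domain separation: leaves and inner nodes get different prefixes so a
    # leaf can never be presented as an inner node of a shorter tree.
    return hashlib.sha256(b"\x00" + data).digest()


def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()


def merkle_root(leaves: List[bytes]) -> Tuple[bytes, int]:
    """Return (root, rounds).

    `rounds` counts hash evaluations that must run one after the other: one
    for the leaves, then one per tree level.  Hashes within a level are
    independent, so circuit depth is rounds * depth(SHA-256), and
    rounds = 1 + ceil(log2(len(leaves))).
    """
    if not leaves:
        raise ValueError("need at least one leaf")
    level = [leaf_hash(x) for x in leaves]
    rounds = 1
    while len(level) > 1:
        nxt = [node_hash(level[i], level[i + 1])
               for i in range(0, len(level) - 1, 2)]
        if len(level) % 2 == 1:
            # Carry an unpaired node up unchanged rather than duplicating it;
            # duplication lets two different leaf lists share a root.
            nxt.append(level[-1])
        level = nxt
        rounds += 1
    return level[0], rounds


def chain_hash(leaves: List[bytes]) -> Tuple[bytes, int]:
    """Sequential alternative for comparison: depth grows linearly in n."""
    acc = leaf_hash(leaves[0])
    for x in leaves[1:]:
        acc = node_hash(acc, x)  # each step depends on the previous digest
    return acc, len(leaves)


if __name__ == "__main__":
    # Constructed sample input: 1000 fixed-size leaves.
    sample = [i.to_bytes(4, "big") for i in range(1000)]
    print("merkle rounds:", merkle_root(sample)[1])  # 11 = 1 + ceil(log2 1000)
    print("chain rounds: ", chain_hash(sample)[1])   # 1000
```

The tree and the chain are both collision resistant if SHA-256 is, which is why the parallel one is the construction to reach for when depth, not total work, is the cost that matters.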
Are you familiar with network namespaces in general? I think the simplest way to do such things is to have a netns that routes through the tunnel and run everything you want to use the tunnel there.
@stux How similar is this mechanism to fasteners either loosening or tightening when thermally cycled?
@dunkelstern Why? At least on Macs there is a WireGuard client and an NFS client and that setup doesn't require anything more from the terminal.
> But I probably still need Samba for the machines of some users that prefer to use their own laptops.
Why? You can give them VPN creds, give them a fixed IP in the VPN, and tell the nfs server to assume (via anonuid option in exports) that all traffic from that IP corresponds to their UID of the laptop's owner.
Ah, you mean in nixos modules as opposed to in packages.
Yes, that part is very rarely well documented. My rule of thumb is that, unless extraRawTextConfig is the only way some service has of being configured, I should not use it without reading the implementation of the module :(
I'm confused.
If a terminal is owned and permanently assigned to a single user, there is no next and previous user. You can assume that all traffic coming from that machine (recognized by possession of a secret, e.g. of a WireGuard private key) is on behalf of that user.
If you have a shared terminal, then:
- anyone using it would anyway trust it (if an attacker gets root on it, they can impersonate anyone who tries to log in on it later),
- you can treat it as a run of the mill multiuser Linux machine to get separation between users.
So, you can allow people to declare whether they want shared terminals to be able to mount their homedirs, and then trust the shared terminals to claim what user is logged in. You can recognize the shared terminals by possession of a secret, just like private ones (if someone gains root there, they can impersonate future users of that terminal anyway, so being able to exfiltrate the secret doesn't change things massively).
Re arguments to the package to modify it: fully agreed, they are documented something between badly and not at all.
I don't understand what configuration files you are referring to in the other two cases.
OK, but then the situation is somewhat simpler: each terminal has a fixed user. That could even be done by just having a wireguard network (with the list of peers managed manually) and IP-based NFS exports.
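Added example (mine, not from the thread) for the setup described in the anonuid reply above and in this one: a small generator that turns a hand-maintained peer list into the server-side WireGuard config and `/etc/exports`, enforcing the invariants the scheme relies on (one key per IP, one IP per key, /32 AllowedIPs, all_squash to the owner's uid). The VPN range, the export root, the usernames and the `<...-pubkey>` placeholders are assumptions; no real keys appear.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Tuple

# Assumed layout (not from the thread): VPN range, server address, export root.
VPN_NET = IPv4Network("10.77.0.0/24")
SERVER_VPN_IP = IPv4Address("10.77.0.1")
HOME_ROOT = "/srv/home"


@dataclass(frozen=True)
class Terminal:
    """One privately owned laptop: its identity is possession of the WireGuard key."""
    user: str            # Unix account on the file server that owns the homedir
    uid: int
    gid: int
    vpn_ip: IPv4Address  # fixed address inside the VPN, hand-assigned per peer
    wg_pubkey: str       # laptop's WireGuard public key (placeholders below)


# Constructed sample peer list; the keys are placeholders, not real keys.
TERMINALS: List[Terminal] = [
    Terminal("alice", 1001, 1001, IPv4Address("10.77.0.11"), "<alice-laptop-pubkey>"),
    Terminal("bob", 1002, 1002, IPv4Address("10.77.0.12"), "<bob-laptop-pubkey>"),
]


def validate(terminals: List[Terminal]) -> List[str]:
    """Return the violated invariants of the IP -> user mapping (empty = OK)."""
    problems = []
    ips = [t.vpn_ip for t in terminals]
    keys = [t.wg_pubkey for t in terminals]
    if len(set(ips)) != len(ips):
        problems.append("two peers share a VPN IP: NFS could not tell them apart")
    if len(set(keys)) != len(keys):
        problems.append("two peers share a key: either could claim the other's IP")
    for t in terminals:
        if t.vpn_ip not in VPN_NET or t.vpn_ip == SERVER_VPN_IP:
            problems.append(f"{t.user}: {t.vpn_ip} is outside {VPN_NET} or is the server")
    return problems


def wg_peer_block(t: Terminal) -> str:
    # AllowedIPs with /32 is WireGuard's cryptokey routing: a packet decrypted
    # under this peer's key is dropped unless its source is exactly this IP,
    # so the source address NFS sees is bound to the key.
    return "\n".join([
        "[Peer]",
        f"# {t.user}",
        f"PublicKey = {t.wg_pubkey}",
        f"AllowedIPs = {t.vpn_ip}/32",
    ])


def exports_line(t: Terminal) -> str:
    # all_squash + anonuid/anongid: every request from this IP is treated as
    # the laptop's owner, whatever uid the laptop's local account happens to use.
    opts = ",".join([
        "rw", "sync", "no_subtree_check",
        "all_squash", f"anonuid={t.uid}", f"anongid={t.gid}",
    ])
    return f"{HOME_ROOT}/{t.user} {t.vpn_ip}({opts})"


def render(terminals: List[Terminal]) -> Tuple[str, str]:
    """Return (wg0.conf text, /etc/exports text) for the server side."""
    problems = validate(terminals)
    if problems:
        raise ValueError("; ".join(problems))
    interface = "\n".join([
        "[Interface]",
        f"Address = {SERVER_VPN_IP}/{VPN_NET.prefixlen}",
        "ListenPort = 51820",
        "PrivateKey = <server-private-key>",  # placeholder, never commit a real one
    ])
    wg = "\n\n".join([interface] + [wg_peer_block(t) for t in terminals])
    exports = "\n".join(exports_line(t) for t in terminals) + "\n"
    return wg, exports


if __name__ == "__main__":
    wg_conf, exports = render(TERMINALS)
    print(wg_conf)
    print("---- /etc/exports ----")
    print(exports)
```

Two caveats that the generator cannot enforce: the NFS ports must be reachable only over the wg0 interface (firewall them on the LAN side), otherwise the IP-based trust is only as strong as source-address filtering on the other interfaces; and, as the thread already says, root on the laptop is the laptop's owner for all purposes here, which is exactly the trust boundary this design accepts.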
Do you mean documentation for packages or for nixos modules/config options, or both?
But also consider how you can realistically avoid trusting the terminals. If they are not assigned to individual users, how does a user verify that the terminal they intend to enter their password on/authenticate themselves in any other way is not running malicious software?
I enjoy things around information theory (and data compression), complexity theory (and cryptography), read hard scifi, currently work on weird ML (we'll see how it goes), am somewhat literal minded and have approximate knowledge of random things. I like when statements have truth values, and when things can be described simply (which is not exactly the same as shortly) and yet have interesting properties.
I live in the largest city of Switzerland (and yet have cow and sheep pastures and a swimmable lake within a few hundred meters of my place :)). I speak Polish, English, German, and can understand simple Swiss German and French.
If in doubt, please err on the side of being direct with me. I very much appreciate when people tell me that I'm being inaccurate. I think that satisfying people's curiosity is the most important thing I could be doing (and usually enjoy doing it). I am normally terse in my writing and would appreciate requests to verbosify.
I appreciate it if my grammar or style is corrected (in any of the languages I use here).