Linux Recall

It’s not supported by either Chromium or Firefox, which is part of the issue (Google basically decided against it with arguments that are much better suited against WebP, which they pushed some years ago).

There aren’t that many static image codec comparisons, for example there is https://giannirosato.com/blog/post/image-comparison/. https://afontenot.github.io/image-formats-comparison/ doesn’t even include WebP because the test suite uses features unsupported by it (YUV 4:4:4). In the ones I do find, WebP usually wins against good JPEG at low bitrates, but loses on high bitrates because of the blurriness issue. They both get beaten by JPEG XL and AVIF. Which one is better probably depends on whom you ask. The before linked comparison prefers JPEG XL by a slim margin, https://tonisagrista.com/blog/2023/jpegxl-vs-avif/ strongly favors JPEG XL.

Though you couldn’t set the bar any lower without it turning into a joke.

Anyhow, to quote Wikipedia:

Comparing different encodings (JPEG, x264, and WebP) of a reference image, she stated that the quality of the WebP-encoded result was the worst of the three, mostly because of blurriness on the image. […] In October 2013, Josh Aas from Mozilla Research published a comprehensive study of current lossy encoding techniques and was not able to conclude that WebP outperformed JPEG by any significant margin

All while having significantly increased complexity. The blurriness problem was inherited from the video codec webp was based on. When you can’t beat an 18 years old format, don’t be surprised when people get irritated when you use your position to get it mandated into a standard, while later stalling actual improvements (JPEG XL).

I like that none of my local devices are externally addressable unless an outgoing connection has been established.

This can also be achieved using (other) firewall rules.

but then it’s essentially just maintaining a NAT table without the translation piece.

So… a firewall?

NAT isn’t a security feature and shouldn’t be relied on for managing access to hosts.

It also breaks the assumption of IP that connections between hosts are end-to-end, which requires sophisticated solutions so that everything works (more or less).

I too employ NAT to make services accessible over IPv4. But only because it doesn’t work otherwise. Not because it “makes sense”. I don’t use it at all for IPv6.

Idk man, NAT makes a lot of sense once you get used to it.

That’s a lie, NAT is bullshit, sometimes necessary, but it will never “make sense”.

Client data absolutely is encrypted in TLS. You might be thinking of a few fields sent in the clear, like SNI, but generally, it’s all encrypted.

I never said it isn’t, but it’s done using symmetric crypto, not public key (asymmetric) crypto.

Asymmetric crypto is used to encrypt a symmetric key, which is used for encrypting everything else (for the performance reasons you mentioned).

Not anymore, this was only true for RSA key exchange, which was deprecated in TLS 1.2 (“Clients MUST NOT offer and servers MUST NOT select RSA cipher suites”). All current suites use ephemeral Diffie-Hellman over elliptic curves for key agreement (also called key exchange, but I find the term somewhat misleading).

As long as that key was transferred securely and uses a good mode like CBC, an attacker ain’t messing with what’s in there.

First, CBC isn’t a good mode for multiple reasons, one being performance on the encrypting side, but the other one being the exact reason you’re taking about: it is in fact malleable and as such insecure without authentication (though you can use a CMAC, as long as you use a different key). See https://pdf-insecurity.org/encryption/cbc-malleability.html for one example where this exact property is exploited (“Any document format using CBC for encryption is potentially vulnerable to CBC gadgets if a known plaintext is a given, and no integrity protection is applied to the ciphertext.”)

As I wrote in my comment, I was a bit pedantic, because what was stated was that encryption protects the authenticity, and I explained that, while TLS protects all aspects of data security, it’s encryption doesn’t cover the authenticity.

Anyhow, the point is rather moot because I’m pretty sure they won’t get a certificate for the IP anyways.

Public key crypto, properly implemented, does prevent MITM attacks.

It does, but modern public key crypto doesn’t encrypt any client data (RSA key exchange was the only one to my knowledge). It also only verifies the certificates, and the topic was about payload data (i.e. the site you want to view), which asymmetric crypto doesn’t deal with for performance reasons.

My post was not about “does TLS prevent undetected data manipulation” (it does), but rather if it’s the encryption that is responsible for it (it’s not unless you put AES-GCM into that umbrella term).

Right, and for the challenge, you need to have access to a privileged port (which usually implies ownership), which you won’t get assigned.

Let’s Encrypt are rolling out IP-based certs, you may wanna follow its development. I’m not sure if it could be used for your forwarded VPN port, but it’d be nice anyhow

It shouldn’t be because you’re not actually the owner of the IP address. If any user could get a cert, they could impersonate any other.

I believe encryption helps prevent tampering the data between the server and user too. It should prevent for example, someone MITM the connection and injecting malicious content that tells the user to download malware

No, encryption only protects the confidentiality of data. You need message authentication codes or authenticated encryption to make sure the message hasn’t been transported tampered with. Especially stream ciphers like ChaCha (but also AES in counter mode) are susceptible to malleability attacks, which are super simple yet very dangerous.

Edit: this post is a bit pedantic because any scheme that is relevant for LE certificates covers authenticity protection. But it’s not the encryption part of those schemes that is responsible.

I haven’t watched the video, but maybe it wasn’t in bad faith, but the author didn’t know better. bash can be arcane at times, like when I open my old scripts I often have no clue what exactly is going on without comments. Substring removal comes to mind.

I’m not even sure what strucrued data would really mean, so I’m pretty sure it’s not useful to my usecase lol

Probably not, but to give an easy example:

~> ls | where modified >= (date now) - 30day
╭───┬───────────┬──────┬────────┬────────────╮
│ # │   name    │ type │  size  │  modified  │
├───┼───────────┼──────┼────────┼────────────┤
│ 0 │ Downloads │ dir  │ 4,0 kB │ 4 days ago │
│ 1 │ Musik     │ dir  │ 4,0 kB │ a week ago │
╰───┴───────────┴──────┴────────┴────────────╯

Here, ls doesn’t just return a string representing directory content as text, but a table where each file is an entry with attributes that have their own data type (e.g. size is Filesize while modified is Datetime). That’s why I’m able to filter based on one of them; that part isn’t part of ls, but of the shell itself. In a classic shell, this filtering would need to be handled in the originating binary in its own specific way, or you’d need to parse its output, transform it using tools like sed and awk etc. This here is a special case because ls is built into the shell; for non-builtin commands, if they offer it, you can have them output structured data as json or something else and read it into nu, like

~> ip -j a | from json | where {|device| $device.address? != null and $device.addr_info? != [] and $device.link_type =~ "ether"} | get addr_info.0 | select -o local broadcast scope
╭───┬────────────────────────────────────────┬─────────────────┬────────╮
│ # │                 local                  │    broadcast    │ scope  │
├───┼────────────────────────────────────────┼─────────────────┼────────┤
│ 0 │ 192.168.178.72                         │ 192.168.178.255 │ global │
│ 1 │ 2001:9e8:4727:2c00:3071:91ff:fed1:9e26 │                 │ global │
│ 2 │ fdaa:66e:6af0:0:3071:91ff:fed1:9e26    │                 │ global │
│ 3 │ fe80::3071:91ff:fed1:9e26              │                 │ link   │
╰───┴────────────────────────────────────────┴─────────────────┴────────╯

It’s kind of cool, but I don’t need it that often either, so I just play around with it when I feel like it.

I’m glad you mentioned nushell (it sounds like) is a more poweruser thing.

It serves a different niche. nushell is very good for working with structured data. fish on the other hand is a “conventional” shell that’s not POSIX compliant. I guess that’s why they call it “a command line shell for the 90s” because it doesn’t incorporate modern concepts, it’s just more convenient than POSIX shells.

This results in some notable differences: nushell for example has actual data types (https://www.nushell.sh/book/types_of_data.html, though they are dynamically typed by default).

All this doesn’t mean that one is better than the other. I use fish daily and just sometimes dabble in nushell because most of my workflow doesn’t require all the stuff nu offers.

Oh yeah, I never used Python myself and did some very simple (but IMHO too much hassle in bash) Go stuff some time ago. It’s a really good language for that, and if you can’t build on the target, the binary is statically linked anyways.

What’s so bad about string replace World Bash $STRING?

Just don’t microwave it.

Same, but I don’t think it was ever intended differently; I mean the word interactive is literally in the name. If you want portable scripts, use bash. For simple helpers, quickly define a function. If you feel your script becomes too long, use Python.

Try Ritalin 4, it’s the new hot stuff

Good luck on the journey! What I meant is that over time, you’ll realize that what you did was probably not the most elegant was to do something, at least that’s my experience with my config. Like, I started with a flake with an explicit config for each machine (basically multiple nixosConfigurations) and then turned it into a lib with functions to turn a set of hosts from json into an attribute set (kind of a simple inventory done). My last efforts that are still ongoing (cough) are splitting my NixOS modules off into a separate flake using flake-parts.

I do understand you meant having the stuff that your need work, I just wanted to hint that the language is very powerful and as such, most configurations have room for improvement, as in learning to do things more efficient or do things that weren’t possible before.

I see, thanks

For instance, I recently discovered the structuredExtraConfig option for patching the kernel straight up does not work. This means you cannot unset any kernel options

From reading, I thought this option was for adding options, not removing them. Sure, you might be able to set options to “no”, but I don’t think this will override the defaults…