Comments

Anarchy Moment 0341 – The Great One Responds To Comments On Da Webz Syte. — 16 Comments

  1. I do like a bit of listener generated content 🙂

    So… Start9

    Looks like a good idea. Probably isn’t.

    An interesting intellectual exercise but not one I’d spend a penny on. If you want to pursue something like this, have a look at this video for some good ideas:

    https://www.youtube.com/watch?v=f5jNJDaztqk

    You can run all this on an old $50 PC and get all the software for nothing.

    And it’s all good for hosting your own files and media server within your place, so you don’t need spotiflix at home, but the whole self-hosting thing for anything like internet-accessible (e.g. websites) is a DUMB idea unless you are a SuperSperg with far too much time on your hands. I looked at it all before I made the decision to go to Substack rather than self-host.

    1) No DOS/DDOS protection. If you think Piggott has problems keeping his website up, you ain’t seen nothing until you’ve tried to keep a site running from your home IP address in the face of hostile traffic.

    2) Just wait until someone does some basic checking on what your IP address actually is. It takes less-than-minutes to discover that it’s a residential broadband IP address with Provider-X, which can then be Geolocated to within a very short distance from the seat you’re sitting in (thanks to Google & Apple being able to cross-reference what they see as your WiFi IP with what the GPS in your phone is telling them).

    a. The Provider-X information might also tell a hostile actor that you must therefore use provider-X’s router, which they will know has this here list of vulnerabilities, which means they can use the port you had to open for your Website/VPN/mining/whatever to get into your network and own all your shit.

    3) You have responsibility for patching EVERYTHING. Every module you install on this box has bugs and vulnerabilities. The more functionality is enabled, the more vulnerabilities, the more stuff you have to patch. You end up being your own security & systems operation team. And if there’s a zero-day out there, you can’t even patch it, because there is no patch. A commercial provider will use next-gen firewalls and intrusion detection systems that use pooled threat intelligence, proactive threat modelling and monitoring, AI/ML pattern recognition for unusual traffic that can provide some level of protection even against zero-day attacks. Can your crappy home router and your crappy pf-sense/IPTables firewall do any of that? Nope.

    4) “Oh but it’s all open source and open source is more secure because the code is all out there and has been vetted thousands of times” – Bullshit. Vetted by who? Where are their findings documented? Who’s validating their skills and the analysis they’ve done? How did all this help to prevent the Heartbleed bug which almost killed the internet and was present in the OpenSSL codebase for years? You know that a typical Linux distribution is compiled from 200 MILLION lines of code, right?

    a. http://www.pl-enthusiast.net/2014/07/01/how-did-heartbleed-remain-undiscovered-and-what-should-we-do-about-it/

    5) Hardware resilience. Substack (or any other commercial provider) will be hosting your site in a VM that is portable across dozens or hundreds of redundant servers, each with redundant disks, power supplies, network adapters etc. Their network will have redundant paths through switches, routers and firewalls. Does your home server have redundant components? Your home network have redundant paths? Do you have 2 broadband connections that go to different ISP points of presence? You don’t, do you.

    6) You have to back EVERYTHING up. Not just the content for your website. EVERYTHING. Where to? And if the disk goes pop on your home server, and you put a new disk in, do you know how to restore your website’s software stack and all the configuration and data? Have you tested it to make sure that when the time comes the process will work? Are you sure that in the event of a ransomware/malware/virus/hacker attack, the attacker won’t be able to also delete or encrypt your backup?

    7) And after you’ve paid Start9 hundreds of dollars for your box (or even just $200 for the EmbassyOS), what warranty do they offer you relating to any of this at all? No doubt it’s all built from freely available open source tools, but I assume they’ve integration tested it all, and that any warranty that derives from that becomes null and void the moment you have to upgrade a single component to patch a vulnerability, whether it’s nginx, sshd, the kernel or whatever, unless you wait months for them to integration test the new configuration – during which time you have known vulnerabilities.

    JUST.SAY.NO.
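On point 6 above (restore testing and backups an attacker cannot touch), the following is an added example, not part of the comment and not anything Start9 ships: a small POSIX shell drill that archives a site directory, writes a SHA-256 manifest, restores into a fresh directory and verifies every file, plus a negative check that a modified file is caught. The sample "site" tree, the file names and all paths are constructed for the demo; it assumes GNU `sha256sum`, `tar` and `mktemp`.

```shell
#!/bin/sh
# Added example, not from the comment or from Start9: a backup-and-restore
# drill for a self-hosted site. It archives a directory, writes a SHA-256
# manifest, restores into a scratch directory and verifies every file.
# The sample "site" and all paths are constructed for the demo.
set -eu

# Build a constructed sample site tree under $1.
make_sample_site() {
    site="$1"
    mkdir -p "$site/config" "$site/data"
    printf 'server_name example.invalid;\n' > "$site/config/nginx.conf"
    printf 'first post\n' > "$site/data/post1.txt"
}

# Archive $1 into $2/site.tar.gz and write $2/site.sha256 (per-file hashes).
backup_site() {
    src="$1"; dest="$2"
    mkdir -p "$dest"
    ( cd "$src" && find . -type f -exec sha256sum {} + | sort -k2 ) > "$dest/site.sha256"
    tar -C "$src" -czf "$dest/site.tar.gz" .
    # Read-only only guards against accidents. The risk raised in the comment
    # (an attacker deleting or encrypting the backup) is met by keeping a copy
    # the web host cannot write to, e.g. pulled by a separate machine.
    chmod 0444 "$dest/site.tar.gz" "$dest/site.sha256"
}

# Check every file in directory $1 against manifest $2. Returns non-zero if
# any file is missing or differs, which is what a restore test must surface.
verify_against_manifest() {
    dir="$1"; manifest="$2"
    manifest_abs="$(cd "$(dirname "$manifest")" && pwd)/$(basename "$manifest")"
    ( cd "$dir" && sha256sum -c --quiet "$manifest_abs" >/dev/null 2>&1 )
}

# Restore the backup in $1 into $2 and verify it against the manifest.
restore_and_verify() {
    bdir="$1"; target="$2"
    mkdir -p "$target"
    tar -C "$target" -xzf "$bdir/site.tar.gz"
    verify_against_manifest "$target" "$bdir/site.sha256"
}

# Full drill: back up, restore to a fresh directory, verify. Returns 0 on success.
run_drill() {
    work="$(mktemp -d)"
    make_sample_site "$work/site"
    backup_site "$work/site" "$work/backup"
    if restore_and_verify "$work/backup" "$work/restore"; then rc=0; else rc=1; fi
    rm -rf "$work"
    return "$rc"
}

# Negative drill: a file altered after restore must fail verification.
# Returns 0 when the manifest check correctly reports the tampering.
tamper_detected() {
    work="$(mktemp -d)"
    make_sample_site "$work/site"
    backup_site "$work/site" "$work/backup"
    mkdir -p "$work/restore"
    tar -C "$work/restore" -xzf "$work/backup/site.tar.gz"
    printf 'defaced\n' > "$work/restore/data/post1.txt"
    if verify_against_manifest "$work/restore" "$work/backup/site.sha256"; then rc=1; else rc=0; fi
    rm -rf "$work"
    return "$rc"
}

run_drill && echo "restore drill passed: every restored file matches the manifest"
tamper_detected && echo "manifest check caught a modified file"
```

The drill is deliberately two-sided: a restore that "works" proves little unless the same check also fails when a file has been altered, so both outcomes are exercised every time it runs.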

  2. Goddammit the comment system ate my long-assed comment.

    Short version: Start9 seems like an interesting idea, but there are ways to do the same thing for free, and hosting your websites from your home is a REALLY TERRIBLE IDEA.

  3. I don't always take a break from touching myself when I leave comments, sometimes I like to combine pleasures.
