loudwhisper
@loudwhisper@infosec.pub
- Comment on Why are anime catgirls blocking my access to the Linux kernel? 8 hours ago:
Exactly my thoughts too. Lots of theory about why it won’t work, but not looking at the fact that if people use it, maybe it does work, and when it won’t work, they will stop using it.
- Comment on Actors that have been the least believable scientist castings, I’ll start. 1 week ago:
The Weather Man? I think he fit very well. Same for Lord of War. I know they are both 20 years old, but still.
- Comment on Deploying Nextcloud on AWS ECS with Pulumi 1 week ago:
But the estimation is with each NC instance with half a CPU and 1GB of memory. This is a super conservative estimation, that doesn’t include anything besides a tiny Fargate deployment and Aurora instances.
For a heavily used NC instance (assuming a company offering it as a service), the cost is going to become massive pretty fast.
Also, as a side note, if a company is offering NC as a service, but doesn’t manage a single piece of NC deployment… What is the company product? And most importantly, how are they going to make money when AWS is going to eat a linearly scalable chunk of their revenue forever?
- Comment on Deploying Nextcloud on AWS ECS with Pulumi 1 week ago:
Well yeah, wouldn’t break the bank, but a conservative cost estimate (without considering network costs, for example, quite relevant for a data intensive app) would bring this setup to about $40/month. That is about 5 times more expensive than a VPC with 4x the resources.
OP said this is some sort of “enterprise self-hosting” solution, which I guess then kind of makes sense. For a company providing nextcloud as a service I would never vendor lock myself and let AWS take a huge chunk of my revenue forever, but I can imagine folks have different opinions.
- Comment on Deploying Nextcloud on AWS ECS with Pulumi 1 week ago:
In that case, Pulumi permissions are too broad IMHO for what it has to do; an enterprise should adhere to least privilege. Likewise, as I wrote in another comment, the egress security groups are unclear to me (why is any traffic needed at all?) and the image consumed should be pinned to a digest. Or better yet, it should be coming from a private enterprise registry, ideally with an attestation that can be verified at runtime.
I am not sure ECS Fargate makes sense vs an EC2 instance to run the workload. This setup alone will cost about $30/month assuming half a vCPU per replica with Fargate, plus about $12 for the memory (1GB/task). 2x t2.micro could be run for ~$20 without even considering reservation discounts etc. Obviously the gap will become even larger at scale, which I suppose might be very interesting for an enterprise.
- Comment on Deploying Nextcloud on AWS ECS with Pulumi 1 week ago:
Plus, at this point why not use managed Nextcloud (or alternatives) directly… If you are using managed storage, runtime and database anyway, in a vendor lock…
- Comment on Deploying Nextcloud on AWS ECS with Pulumi 1 week ago:
Oh yeah, I am aware. Mostly here I would question the idea of having multi-AZ redundancy and using a managed service for the DB (which indeed is expensive). All of this when a $5 VPS could host the same (maybe still using S3 for storage) and accept the few hours of downtime in the rare event your VPS explodes and you need to restore it from a backup.
So from my PoV this is absolutely overkill, but I concede that it depends a lot on the requirements. I can’t ever imagine having requirements so tight that they need such infra to run (in fact, I think not even most businesses have these requirements; I have written on the topic at loudwhisper.me/blog/hating-clouds/) for my personal stuff…
- Comment on Deploying Nextcloud on AWS ECS with Pulumi 1 week ago:
Everyone is free to pick their poison, but I have to ask… why? What is the target audience here? This is a massively overkill architecture IMHO. Not to mention the fact that you now need 3 managed services (Fargate, S3 and Aurora at least) for a single self-hosted tool, and that is being generous (not counting CloudWatch, ALBs, etc.).
- Why do you need security groups to allow egress anywhere (or, at all)?
- I would pin the image to a digest, rather than using latest.
- What is the average monthly cost of this infra for you?
- Comment on European Commission launching #Wifi4EU initative, 93k high-speed private access points across the EU, free of charge. 2 weeks ago:
Someone runs MongoDB unauthenticated, bound on 0.0.0.0 with production data, on a computer without a VPN, and the problem is the WiFi?
Like I get what you are saying, but this sounds like saying that we should ban speedbumps because imagine there is a guy with a loaded gun pointed at a kid, with no safety on, finger on the trigger, and high on coke; if the car hits the speedbump the toddler is gone. Yeah, but I would hardly say the speedbump is the same.
- Comment on European Commission launching #Wifi4EU initative, 93k high-speed private access points across the EU, free of charge. 2 weeks ago:
This is not really a common or easy attack, especially for any meaningful service (that is probably in preloaded HSTS lists).
It’s not like this is the only shared network. In airports millions of people every day connect to the same network.
- Comment on Proton’s Lumo AI chatbot: not end-to-end encrypted, not open source 2 weeks ago:
Email is almost always zero-access encryption (like live chats), considering the % of proton users and the amount of emails between them (or the even smaller % of PGP users). Drive is e2ee like chat history. Basically I see email : chats = drive : history.
Anyway, I agree it could be done better, but I don’t really see the big deal. Any user unable to understand this won’t get the difference between zero-access and e2e.
- Comment on Proton’s Lumo AI chatbot: not end-to-end encrypted, not open source 2 weeks ago:
They compare it to proton mail and drive that are supposedly e2ee.
Only drive is. Email is not always e2ee, it uses zero-access encryption which I believe is the same exact mechanism used by this chatbot, so the comparison is quite fair tbh.
- Comment on Proton’s Lumo AI chatbot: not end-to-end encrypted, not open source 2 weeks ago:
How would you explain it in a way that is both nontechnical, accurate and differentiates yourself from all the other companies that are not doing something even remotely similar? I am asking genuinely because from the perspective of a user that decided to trust the company, zero-access is functionally much closer to e2ee than it is to “regular services”, which is the alternative.
- Comment on Proton’s Lumo AI chatbot: not end-to-end encrypted, not open source 2 weeks ago:
Scribe can be local, if that’s what you are referring to.
They also have a specific section on it at proton.me/…/proton-scribe-writing-assistant#local…
Also emails for the most part are not e2ee, they can’t be because the other party is not using encryption. They use “zero-access” which is different. It means proton gets the email in clear text, encrypts it with your public PGP key, deletes the original, and sends it to you.
See proton.me/…/proton-mail-encryption-explained
The email is encrypted in transit using TLS. It is then unencrypted and re-encrypted (by us) for storage on our servers using zero-access encryption. Once zero-access encryption has been applied, no-one except you can access emails stored on our servers (including us). It is not end-to-end encrypted, however, and might be accessible to the sender’s email service.
- Comment on Proton’s Lumo AI chatbot: not end-to-end encrypted, not open source 2 weeks ago:
Over the years I’ve heard many people claim that proton’s servers being in Switzerland is more secure than other EU countries
Things change. They are doing it because Switzerland is proposing legislation that would definitely make that claim untrue. Europe is no paradise, especially certain countries, but it still makes sense.
From the lumo announcement:
Lumo represents one of many investments Proton will be making before the end of the decade to ensure that Europe stays strong, independent, and technologically sovereign. Because of legal uncertainty around Swiss government proposals to introduce mass surveillance — proposals that have been outlawed in the EU — Proton is moving most of its physical infrastructure out of Switzerland. Lumo will be the first product to move.
This shift represents an investment of over €100 million into the EU proper. While we do not give up the fight for privacy in Switzerland (and will continue to fight proposals that we believe will be extremely damaging to the Swiss economy), Proton is also embracing Europe and helping to develop a sovereign EuroStack for the future of our home continent. Lumo is European, and proudly so, and here to serve everybody who cares about privacy and security worldwide.
- Comment on Proton’s Lumo AI chatbot: not end-to-end encrypted, not open source 2 weeks ago:
They actually don’t explain it in the article. The author doesn’t seem to understand why there is a claim of e2e chat history, and zero-access for chats. The point of zero access is trust. You need to trust the provider to do it, because it’s not cryptographically verifiable. Upstream there is no encryption, and zero-access means providing the service (usually, unencrypted), then encrypting and discarding the plaintext.
Of course the model needs to have access to the context in plaintext, exactly like proton has access to emails sent to non-PGP addresses. What they can do is encrypt the chat histories, because these don’t need active processing, and encrypt on the fly the communication between the model (which needs plaintext access) and the client. The same is what happens with scribe.
I personally can’t stand LLMs, I am waiting eagerly for this bubble to collapse, but this article is essentially a nothing burger.
- Comment on Tea app leak worsens with second database exposing user chats 3 weeks ago:
If I were on the security team of that company, I would never accept ACLs on the bucket as a sufficient compensating control for this risk. Here the best and most reasonable option would be encryption, which would make the bucket being public relatively unimportant.
When you are collecting such sensitive data (potentially including personal data of people not using your service), you simply can’t even imagine doing that by storing the data unencrypted.
- Comment on [deleted] 3 weeks ago:
Really annoying interaction. I am out. Cya.
- Comment on [deleted] 3 weeks ago:
That’s not the argument, and you know it, which you need to understand; now it makes it even harder not to think maliciously about the good faith you bring to the conversation.
In case you actually care about it: I feel your statement not only unfairly characterizes white men (not all of them, taking blame for other demographics too, etc., etc.), which who cares, but also is completely exclusionary of all those women who were not historically oppressed by white men, for example those in different parts of the world, those themselves part of racial minorities etc., and that’s what I think is racist. Of course, in that US-centric perspective the world is the same as for Hollywood disaster movies…
You disagree for sure, but since you were interested in comedy…
- Comment on [deleted] 3 weeks ago:
Fair enough.
However, OP stood by his statement:
Including both in the same sentence is because of the common shared group of oppressors, white men.
So I guess your interpretation was too generous, mine slightly too strict.
- Comment on [deleted] 3 weeks ago:
You meant to write what you wrote, I assumed…?
But I see we are going in circles. So far you are leaning on “that’s the common oppressor” which sounds silly to me if I am being honest. But anyway, whatever. I stand by the fact that your original statement is either extremely US-centric (and frankly a bit racist from multiple points of view) or just generally incorrect. Don’t need to convince you or change your mind. So have a good day/evening/whatever.
- Comment on [deleted] 3 weeks ago:
Are you implying that minorities aren’t oppressed and don’t need safe spaces?
What? My only qualm is that you added white to a sentence about gender oppression. Of course minorities are oppressed and need safe spaces.
which I assert is true in the vast majority of the world where English (the language we are speaking) is the primary language for the country
What has the language we are speaking (which is not even my language) to do with what is “historically” true or not? Is this just a classic example of US exceptionalism or what?
Including both in the same sentence is because of the common shared group of oppressors, white men.
Minorities are also oppressed by way more demographics than white men.
If you want any statement to be true for literally the entire world, then your expectations are unreasonable.
Saying that men oppressed women is a much, much, much more accurate statement, for example. There are always exceptions, but we are talking about different things.
- Comment on [deleted] 3 weeks ago:
Absolutely not true. The critique is based on adding a racial connotation to gender oppression, which is completely orthogonal to it.
To be even more frank, saying that women and minorities need safe spaces because white men historically oppressed them is completely bonkers. Women need safe spaces because men historically oppressed them, and that is true all around the world, in almost all communities.
I literally took your words literally, as I quoted and addressed the very sentence you wrote. You decided to add white to a sentence that didn’t need it. It’s already the second comment where you refuse to elaborate and instead you indulge in meta-conversation. So for the sake of clarity, discard everything I have said so far, and allow me to simply ask what did you mean with that sentence?
- Comment on [deleted] 3 weeks ago:
The rest of the critique remains nevertheless.
- Comment on [deleted] 3 weeks ago:
No, it doesn’t exclude that, but it also unnecessarily mixes racial with gender discrimination, and in a general statement like that it is odd to do so. The intention I perceived was to link the creation of spaces that women (or minorities) require to discrimination by white men only, which is absurd in my opinion.
To make a similar example, saying “gay people need their spaces, because they are historically discriminated against by black women” doesn’t “exclude” that men also discriminate against them, or that white women also do, but I hope you can see what an odd statement that is, and if someone would find it misogynistic or racist, I think they would be right.
Thinking maliciously, I would say that’s the classic way for a white guy (the commenter stated that about himself) to make a statement that is less controversial because it only “accuses” their own demographic and the most acceptable demographic to critique.
- Comment on [deleted] 3 weeks ago:
Can you please then elaborate on what the following means, according to your interpretation?
Women and minority only spaces exist because white men as a group have historically discriminated against them
- Comment on [deleted] 3 weeks ago:
It’s more like that stage only allows women participants. But the stage example doesn’t work well because a forum is not a stage.
Either way, I take issue with the idea that male participation makes a space inherently unsafe. You didn’t say it explicitly, but you kinda implied it.
I think this is not only false, but it’s divisive and it’s a terrible narrative to build that harms cohesion in the face of class struggle.
- Comment on [deleted] 3 weeks ago:
~white~ men as a group
Unless you are suggesting women have not been discriminated against in non-white communities?
- Comment on [deleted] 3 weeks ago:
Do you/did you feel that random members of a demographic “speak for you”? Why would that be the case for people you have nothing in common with except some amount of genetic material?
- Comment on [deleted] 3 weeks ago:
To be fair, the vast, vast majority of the rules are simply common sense stuff. If you are not an asshole, you can avoid reading community rules and in 99% of cases you won’t violate any.