• 0 Posts
  • 72 Comments
Joined 3 months ago
cake
Cake day: March 20th, 2025

help-circle
  • Genetics also plays a large part in greying. I started going grey in my early 20’s. Rather than fight it, I chose to embrace it. I’m in my mid 30’s now, probably ~40% grey, and consistently get “silver fox” and “salt and pepper” types of comments. Fighting against it often leads to people spotting when you need to touch up your roots. But embracing it and styling your hair to accentuate it will make it look much more natural and attractive.



  • A honeypot is something that is intentionally left available, to alert you when it gets hit. In practice, they’re just a tool to tell security specialists when they need to start worrying; They wouldn’t be used by the average user at all.

    The goal is to build your security like layers, and ideally have all of your services behind the secure walls. Between these layers, you have honeypots. If someone gets through your first layer of security but hits the honeypot, you know someone is sniffing around, or maybe has an exploit for your outer layer that you need to research. If they get through the second layer and hit your second honeypot, you know that someone is specifically targeting you (instead of simply running automated scans) and you need to pay closer attention. Etc…

    Reinforcing the attack layer comes in two main forms, which work in tandem: Strengthening the actual layer, and reducing attack vectors. The first is focused on using strong passwords, keeping systems up to date, running something like Fail2Ban for services that are exposed, etc… The goal is for each layer of security to be robust, to reduce the chances of a bot attack actually working. Bots will simply sniff around and automatically throw shit at the wall to see if anything sticks.

    The second part is focused on identifying and mitigating attack vectors. Essentially reducing the amount of holes in the wall. It doesn’t matter how strong the wall is if it’s full of holes for your server’s various services. The goal is typically to have each layer be as solid as possible, and grant access to the layers below it. So for instance, running a VPN. The VPN gets you access to the network, without exposing services externally. In order to access your services, they need to get through the VPN first, making the VPN the primary attack vector. So you can focus on ensuring that the VPN is secure, instead of trying to spread your focus amongst a dozen different services. If it’s exposed to the open internet, it is a new potential attack vector; The strength of the wall doesn’t actually matter, if one of those services has an exploit that someone can use to get inside your network.

    Home users really only need to worry about things like compromised services, but corporate security specialists also focus on things like someone talking their way past the receptionist and into the server room, USB sticks getting “lost” around the building and plugged into random machines by curious employees, etc… All of these are attack vectors, even if they’re not digital. If you have three or four layers of security in a corporate setting and your third or fourth honeypot gets hit, you potentially have some corporate spy wrist-deep in your server room.

    For an easy example, imagine having a default password on a service, and then exposing it to the internet via port forwarding. It doesn’t matter how strong your firewall is anymore. The bot will simply sniff the service’s port, try the default credentials, and now it has control of that service.

    The better way to do it would be to reduce your attack vectors at each layer; Require the VPN to access the network via a secure connection, then have a strong password on the service so it can’t easily be compromised.





  • People misunderstand the “no security through obscurity” phrase. If you build security as a chain, where the chain is only as good as the weakest link, then it’s bad. But if you build security in layers, like a castle, then it can only help. It’s OK for a layer to be weak when there are other layers behind it.

    And this is what should be sung from the hills and mountaintops. There’s some old infosec advice that you should have two or three honeypots, buried successively deeper behind your security, and only start to worry when the second or third gets hit; The first one getting hit simply means they’re sniffing around with automated port scanners and bots. They’re just throwing common vulnerabilities at the wall to see if any of them stick. The first one is usually enough for them to go “ah shit I guess I hit a honeypot. They must be looking for me now. Never mind.” The second is when you know they’re actually targeting you specifically. And the third is when you need to start considering pulling plugs.








  • Lots of those issues have been blown out of proportion, and would never be a real concern for the “just a dude running a server in his closet for his friends” setups. Which, to be clear, is the vast majority of setups.

    For instance, virtually all of the worst issues require that the attacker already has a valid login token. So unless they stole your buddy’s credentials, the only one to truly worry about would be your buddy directly. But yes, Jellyfin has some gaping holes, and letting it touch the WAN at all is always a risk. You’re giving attackers a new potential vector of attack that didn’t exist before, so that’s worth noting.


  • I disagree; Self-hosting is for a variety of things, and plenty of people (in fact, I’d say probably the majority of Plex users) just want to be able to pirate Netflix without a ton of setup.

    Is learning some networking inevitable? Yeah, probably. But I also think this xkcd is apt. The reality is that what may be simple for you and me actually requires a lot of studying for a complete novice. Plenty of people will need to google what a port is, let alone how to forward one. And that’s assuming they even know the word “port” to google. Plenty of people won’t even know where to start.

    And true novices are hopefully going to be extremely wary of any info they find online. It’s easy to fuck something up without even realizing it, and leave your entire system exposed; especially when the braindead “lol just forward your Jellyfin port and use your public IP” advice is posted somewhere in every single advice thread.



    1. It’s also the most complex to set up, and for many people the threshold is “walking your tech-illiterate mother-in-law through side loading it over the phone, because she lives 100 miles away… She’s afraid to touch her computer for anything except email and Facebook. And then resetting her password every 30 days, because she keeps locking herself out of it.” Suddenly the “just fucking sign into Plex and it automatically discovers your server” option becomes a lot more appealing.

  • Yeah, but good luck proving that. My partner is disabled, and has learned to avoid disclosing her disability until after she gets hired. Because if she mentions it during the interview process, she’ll get ghosted every time.

    Proving it usually requires proving a pattern of behavior. And as an individual applicant who isn’t in touch with the other applicants (both past and present), that’s basically impossible to do.