I was a super early adopter for firefox. I started using it back in 2005-2006. I’m pretty sure it was still in beta when I started using it.
Over the past 20 years I’ve watched while firefox users have formed a goddamn cult around a piece of software. It’s insane to me, especially because I’m seeing exactly the same things from Mozilla that I was seeing from Microsoft (and later Google) at the time I decided to switch from IE to firefox to begin with…
Firefox isn’t special. It’s falling for all the cloud-based privacy invasive enshittification that Chrome has so far. It’s just getting there slower.
So cool your jets. Especially considering uBlock Origin Lite is uBlock Origin. It’s just compatible with the Manifest V3 standard.
Agreed. I haven’t even found anything that it doesn’t block that UbOrigin did.
Yeah, granted it’s a niche situation.
I think I’ve found a medium, though. I ended up setting Portainer agent on my VPS, and I’ve disallowed connections to everyone on that port but my IP via ufw; `ufw allow from x.x.x.0/24 to any port 9001`. I would still prefer to do it via SSH to hide behind the protocol and identity keys, but this will have to do. It doesn’t seem like the Portainer devs even care about an issue like this, which is pretty fucked up because by default all docker systems exposed to the internet (unless you know what you’re doing) are vulnerable to Kinsing.
https://chromewebstore.google.com/detail/ublock-origin-lite/ddkjiahejlhfcafbddmgiahcphecmpfh
Doesn’t cover 100% of what uBO did, but it still works just as good IMO with DNS based ad-blocking on top.
Well, first of all, using a computer network to do illegal shit is always illegal, no matter where you are in the world. Almost all sovereign countries have laws against this, offering reciprocity. So it really depends on what you’re doing with your VPN. No company out there is going to attempt to shelter you from the consequences of your own actions.
The difference is when the actions you’re doing aren’t considered illegal. The FBI has no right to go to a foreign company and demand your information over piracy in countries where that’s not a crime. But child porn? Participating in botnets/hacking/cyber-crimes? Yeah, they’re going to roll over you so quickly you won’t even know what happened. Doesn’t matter who you go with.
fail2ban can be configured in just about any way you want. There’s no reason to say that fail2ban “isn’t” a WAF simply because it wasn’t designed that way. It’s kinda moot when it can be configured that way.
I’ve repaired thousands of computers over the past 30 years. It’s really not that rare to see cooler brackets find ways to loosen themselves over time. I highly suspect if this is a new thing, just un-seat your CPU cooler, reapply thermal paste, and then properly re-seat your cooler again, and you’ll most likely be fine.
Yes, you just have to enable the built-in plugin for cloudflared: https://github.com/fail2ban/fail2ban/blob/master/config/action.d/cloudflare.conf
https://github.com/fail2ban/fail2ban
You can set `dbpurgeage` to `30d` and pretty much just run it, or you can set up `jail.conf` with a `bantime.factor`. Its appeal is that you basically can download it, enable it, and it just works for you. It depends on your environment, though. If you have incoming authorized requests from other services it might be a pain to configure, but I’ve never used anything easier to protect you from bad actors.
A DMZ is a decent idea, but you can do the same thing with vLAN and it would be less of a PITA.
I recommend just doing a vLAN and disabling outside connection to your network. Use Wireguard to VPN in, and access local services via the VPN.
For notifications, you can use Gotify.
I’m thinking about the possibility of running two containers, one on my trusted network and one on my DMZ. I could sync them up or give them access to the same storage areas maybe.
It is, but it could/would cause huge complications when both containers attempt to access the same resource which is already in use. I wouldn’t recommend running 2 containers from the same location. It’s a bit antithetical to what docker is used for.
JBOD is nice, but if you’re interested in backups, check out an actual NAS. They’re very much worth the expense.
When I htop, I don’t see anything to hint me to what is causing the heating.
Bad cooling. If nothing presents itself as the obvious answer, then you have to go with what’s left.
Check your thermal paste. Is your cooler seated properly? Do you have sufficient/unrestricted air flow if you have air heating? If you have liquid cooling, do you have enough fluid to make a loop?
The lingering feeling of instability. This is my second install of OpenSUSE, after I messed up something leading to my computer having some files which it wanted to update, but using urls which didn’t exist. After this, I’ve been feeling a bit insecure and afraid of doing something that ruins my installation. I know there’s the saying that Linux ‘just works’, but I’ve never messed up a Windows installation…
IMO this is a rite of passage. Sure, windows babies you to the point where you can’t really mess much up, but that doesn’t mean it’s impossible to mess up. I’ve also borked Windows installs just by using them over long periods of time. You bork linux a few times and learn what not to do.
Hundreds of millions. They’re used in an almost uncountable number of IoT devices.
It’s only this specific chip that is affected. It’s not all bluetooth chips. The article doesn’t even specify which of their tens of chips is affected; ESP32-D0WD-V3, ESP32-D0WDR2-V3, ESP32-U4WDH, ESP32-PICO-V3, ESP32-PICO-V3-02, or the ESP32-PICO-D4.
Even if it were all of them, and even if it were hundreds of millions of devices it would still pale in comparison to HeartBleed in all aspects. It’s an interesting but sophisticated attack vector which severely limits its usage. But let’s say you execute a MITM attack from one of these ESP32 chips. What are you feasibly able to do? A MITM attack? Considering these are all low power devices it’s extremely unlikely that they would be able to output enough power to overtake your home AP. Without doing more research on it, the actual attack surface is opaque. I mean, I guess a guy in China can remotely turn on your sprinklers or get your WiFi password… Lot of good that’s gonna do him from China.
Yeah, looks like I was gonna respond to the other guy too, but ended up rolling both replies into the same post for some reason. lol oops.
The first part of my post is just backing up what you had said, and the second half was for the guy you were also replying to, to point out how crazy he was.
`br` is mostly inferior to `zstd`.
Your API endpoint doesn’t exist, so something isn’t configured correctly here;
❯ xhs https://bookmarks.laniecarmelo.tech/api/v1/auth
HTTP/2.0 404 Not Found
alt-svc: h3=":443"; ma=2592000
content-encoding: gzip
content-security-policy: default-src 'self' https: 'unsafe-inline' 'unsafe-eval'; img-src https: data:; font-src 'self' https: data:; frame-src 'self' https:; object-src 'none'
content-type: text/html; charset=utf-8
date: Sun, 09 Mar 2025 02:31:59 GMT
etag: "55v7hh2i2t1fq"
referrer-policy: strict-origin-when-cross-origin
server: Caddy
strict-transport-security: max-age=31536000; includeSubDomains; preload
vary: Accept-Encoding
x-content-type-options: nosniff
x-powered-by: Next.js
x-xss-protection: 1; mode=block
Check the docker config and ensure that 2 webservers aren’t being spawned here. One for the front end `reverse_proxy 127.0.0.1:3009` and an additional one for the API server on a different port.
So you’re advocating that Google shouldn’t broadcast that firefox is broadcasting your current location? Even though they do this for every other app available on Android, you’re saying they shouldn’t do this for firefox?
Why?