Hey, sorry to say but not seeing this at all. About 60 customers, each between 30-200 staff, in Australia region. Almost all of them have reasonable conditional access policies managing maximum login times per app, requirements for device compliance for data sync and geo-restrictions and longer login times for known sites, as well as standard mfa requirements.

Id say there’s something else in your stack. We monitor many of our customers with 3rd party tools too, including Arctic Wolf for seim /SOC alerts and triage and isolation if AAD accounts are breached. Sentinel one with integration in aad too. Though personally I feel like most medium and small businesses would be better served with the already included defender for business. A topic for a different day.

But no unusual requirement for cleaning cache and such to ensure the policies we configure act as we expect.

I’ve seen different tenants act differently of course in the past. But nothing right now I can suggest. I’d personally start doing a/b testing and reviewing all logs relative and see what impact before and after has on logs.

Anyway sounds frustrating so good luck.

I’m not in America but the organisation for NIST recommends it in guidance now and its getting backing by the nsa

https://www.nsa.gov/Press-Room/News-Highlights/Article/Article/3215760/nsa-releases-guidance-on-how-to-protect-against-software-memory-safety-issues/

https://www.zdnet.com/article/nsa-to-developers-think-about-switching-from-c-and-c-to-a-memory-safe-programming-language/ https://www.malwarebytes.com/blog/news/2022/11/nsa-guidance-on-how-to-avoid-software-memory-safety-issues

I see this becoming required in the future for new projects and solutions when working for new governnent solutions. The drum is certainly beating louder in the media about it.

Not possible without a domain, even just “something.xyz”.

The way it works is this:

• Your operating system has some trusted certificate root authorities root certificates installed from installation of the OS. All OS have this, Linux, Windows, iOS, macos, Android, BSD.
• when your browser goes to a Web url and it is a https encrypted site it reads the certificate.
• the certificate has a certificate subject name on it. It also may optionally have some alternative names.
• the browser then checks if the subject name matches the Web url address. If it does, that’s check one.
• next it checks the certificate validity: it looks at the certificate chain of trust to see if it was signed by a intermediary and then the intermediary was signed by a root certificate authority. Then it can check if any certificate has been revoked along the way.
• if that’s all good, then you’ll open without a single warning, and you browse Web sites all day long without any issue.

Now, to get that experience you need to meet those conditions. The machine trying to browse to your website needs to trust the certificate that’s presented. So you have a few ways as I previously described.

Note there’s no reverse proxy here. But it’s also not a toggle on a Web server.

So you don’t need a reverse proxy. Reverse proxies allow some cool things but here’s two things they solve that you may need solving:

• when you only own one public IP but you have two Web servers (both listening to 443/80), you need something that looks at incoming requests and identifies based on the http request from the client connecting in ‘oh you’re after website a’ and 'you’re after website b".
• when you have two Web servers running on a single server, you have to have each Web server listening on different ports so you might choose 444/81 for the second Web server. You don’t want to offer those non standard ports to public so instead you route traffic via a reverse proxy inbound and it listens for both Web servers on 80/443 and translates it back to the server.

But in this case you don’t really need to if you have lots of ips since you’re not offering publicly you’re offering over tailscale and both Web servers can be accessed directly.

It’s possible to host a dns server for your domain inside your tailnet, and offer dns responses like: yourwebserver.yourdomain.com = tailnetIP

Then using certbot let’s encrypt with DNS challenge and api for your public dns provider, you can get a trusted certificate and automatically bind it.

Your tailnet users if they use your internal dns server will resolve your hosted service on your private tailnet ip and the bound certificate name will match the host name and everyone is happy.

There’s more than one way though, but that’s how I’d do it. If you don’t own a domain then you’ll need to host your own private certificate authority and install the root authority certificate on each machine if you want them to trust the certificate chain.

If your family can click the “advanced >continue anyway” button then you don’t need to do anything but use a locally generated cert.

It’s totally fine to bulk replace some sensitive things like specifically sensitive information with “replace all” as long as it doesn’t break parsing which happens with inconsistency. Like if you have a server named "Lewis-Hamiltons-Dns-sequence“ maybe bulk rename that so is still clear “customer-1112221-appdata”.

But try to differentiate ‘am I ashamed’ or ‘this is sensitive and leaking it would cause either a PII exfiltration risk or security risk’ since only one of these is legitimate.

Note, if I can find that information with dns lookup, and dns scraping, that’s not sensitive. If you’re my customer and you’re hiding your name, that I already invoice, that’s probably only making me suspicious if those logs are even yours.

Just fyi, as a sysadmin, I never want logs tampered with. I import them filter them and the important parts will be analysed no matter how much filller debugging and info level stuff is there.

Same with network captures. Modified pcaps are worse than garbage.

Just include everything.

Sorry you had a bad experience. The customer service side is kind of unrelated to the technical practice side though.

I love the hand gesture at the end!

Start realising that the way you’re used to scrolling with your mouse wheel, is a cog between you and the service it’s moving. Actually you were using natural all along. It was the early touch pads that were wrong and nonsense.

zfs is excellent. It’s enterprise and designed to suit the whole “I’ve got 60 disks filling up a 4ru top loaded SAN. If we expand we have to buy another 60 disk expansion.” and because of that it works perfectly for expansion. You don’t make a single raidz holding 60 disks. You’d make them in groups of say 6 or 8 or 10. Whatever suits your needs for speeds and storage and resilience. When you expand you drop another while raidz into the pool. Maybe it’s another 6 disks into the new storage shelf.

But since your article in 2016, the openZFS project has promised us individual raidz expanding: In 2021 the announcement: https://arstechnica.com/gadgets/2021/06/raidz-expansion-code-lands-in-openzfs-master/

In 2022 an update for feature design complete but no code: https://freebsdfoundation.org/blog/raid-z-expansion-feature-for-zfs/

The actual request is here: https://github.com/openzfs/zfs/pull/15022

And the last announcement update was in June 2033 in the leadership meeting recorded here: https://m.youtube.com/watch?time_continue=1&v=2p32m-7FNpM

You might think this is slow and yeah it’s snails pace. But it’s not from lack of work it’s really truely because it’s part of the entire strategy of making sure zfs and every update and every feature is just as robust.

I’m a fan even having hardware fail and disks fail both in enterprise, and at home. Zfs import being so agnostic just pull in the pool doesn’t matter if it was BSD or Linux.

Luckily on your own network you have control over these decisions! Especially with source and destination firewall rules.

Traceroute.

Look it depends on the age of the car, but let’s take an old manual car for example.

On those cars, there’s a fuel map to rpm. There’s actually a few maps including throttle and ignition timing. But think of a spreadsheet of rpm and fuel at a certain throttle load.

At 0 throttle: The map says to stop the engine from stealing at under say 800 rpm it needs to have fuel added at rpms lower than that to speed up the engine to avoid stalling. At 800rpm it needs a consistent amount kind of a known amount that keeps it in equilibrium. At over 800rpm it needs less fuel the more rpm it has over the idle 800rpm until it’s zero fuel.

And you’ll feel that, you’ll feel that moment the car starts adding fuel because if you’re only engine braking to a stop your car will get near that idle rpm and your engine will start adding power to avoid a stall, and your braking will diminish.

If you take an engine out of a car and try to spin it by turning the crank shaft, it will be hard to turn because the cylinders need to compress air (it’s required before adding fuel and spark to explode that compressed air so it expands).

When that engine is in the car, and you don’t add fuel and spark, then the cars wheels have to turn the engine and compress that air, thousands of times per minute. That force that the wheels have to send to the engine to spin that engine slows you down.

I’m thinking you think the engine itself has a brake on it… No.

Stupid take to be honest, real people getting trafficked and stalked, domestic abuse victims being tracked for control by the abuser, and you think that’s fine because google has that data about you even though nobody can use it so why shouldn’t all apps be able to? Go to a women’s shelter, touch grass.

This issue is far more nuanced. No it’s not good Google has that data on you.

No it’s not fair that automatons caused a small developer to have their entire amount destroyed without a proper review.

Both things can be true.

So I think you may not know about quick sync, an Intel transcoding acceleration feature of Intel gpus in Intel CPUs.

https://handbrake.fr/docs/en/latest/technical/video-qsv.html

There’s information about it for I think plex and handbrake and ffmpeg in general. This is how some people do real time transcoding for media servers. But I’m not an expert. I just hope you can be guided with easier search terms.

Hi, I run pop! Os for about a year on a mac book pro 2012. My biggest hassles are Bluetooth audio sucks (glitchy) and I had to install a wireless driver to get wireless to work at all. Other than that, it’s working exactly as expected. Can recommend. It can’t game, it can’t play videos well because the inbuilt speakers suck (and the Bluetooth audio is glitchy), but it’s plenty performant for my actual tasks. Runs smooth. I’m sure most distributions will.

I think that’s a good idea, good luck with it!

I can guess at some things but let me first start with what I think is happening:

You have a gateway set. Your device sends a broadcast arp message asking 'who has ip ’ and the device with that ip is supposed to send back ‘me with this mac address!’.

That device is either sending it so slowly that your machine says ‘I can’t go past the gateway, the gateway isn’t responding’ which in your error message is no route to host.

Assuming that you have no custom manual network route in play.

So things that can cause that are usually link layer and layer two issues and sometimes duplicate IPs. Two devices with the gateway ip.

You should watch your mac address table and arp table (arp a) and watch if the router gateway disappears or changes Mac addresses.

Don’t feel bad because you’re really good at using a tool that doesn’t follow your values. I use Windows during the work week and I use Linux for gaming on the weekend where I literally can’t work even if I wanted to.

For me Windows is a tool box with propriatry tools that have no Linux compatibility. That’s OK for me. People get emotionally invested but that’s neither healthy nor helpful. No point being angry at work, it’s like being angry that your work uniform is made by one textiles vendor not the other.

You get to choose what you use at home in your own time. If you feel good using Linux then, do it!

The bypass is to run your own router, distribute locally hosted dns servers (either the router or pihole) and the dns servers get their lookups over dns over https (443) and your provider can’t intercept that since it looks like regular encrypted Web traffic just like they shouldn’t be able to inspect your netbank.

Australia is different but these isps who do that generally have a +$5 per month plan to go to a static public rout able public Up (instead of cgnat) and unfiltered Internet. They usually are more allowing mum and dad to filter the Web so their kids can’t get too far off track. Maybe just double check on your ISP portal settings but I’m going to assume you’re not in aus.