
It all comes down to where the boundary for data access is implemented, and how strictly.

If your webapp has unfettered database access then don't be surprised if it is hacked and someone can do `select * from users` and then posts that dump somewhere.

The attack surface changes if your webapp can only do a REST call to pull a single user record at a time. That way you can put some auditing in, you can put rate limiting in to detect that, etc.

Obviously the user record REST api endpoint is still vulnerable, but it's a much smaller attack surface, easier to audit, and can be monitored a lot more closely.

Yes, ultimately, there will still be a set of vulnerable humans that have access to the database servers themselves and they can always walk out of the place with an SD card hidden in a Rubik's cube but there has to be an element of trust somewhere.

The problem is that too many people put that trust boundary way too far out into the big bad Internet. Or don't even consider it at all and just rely on the fact that other targets are more appealing.


There are layers of understanding about security and people assume they are doing best as per their knowledge.

Databases (SQL) have concept of views, restricted access going all the way to column level.

Connections can be restricted from firewall itself.

One can have MTLS connections with database on the top of it to beef up security.

Unfortunately the generation of people who knew and did all this is just considered friction and has been made obsolete.
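The boundary the two comments above describe (one record per call through a restricted view, with auditing and rate limiting, versus an app that can run `select * from users`) as an added Python example; it is not code from either commenter. It uses an in-memory SQLite database, so a view stands in for the column-level grants, firewalling and mTLS a real server would add on top, the rate limit is one global sliding window rather than per caller, and the sample rows are constructed.

```python
import sqlite3
import time
from collections import deque

# Constructed sample rows for this example only (not real users or hashes).
SEED_USERS = [
    (1, "alice@example.com", "argon2id-hash-1", "123-45-6789"),
    (2, "bob@example.com", "argon2id-hash-2", "987-65-4321"),
]


def build_db() -> sqlite3.Connection:
    """In-memory stand-in for the production database."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT,"
        " password_hash TEXT, ssn TEXT)"
    )
    db.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", SEED_USERS)
    # Column-level boundary: the app only ever queries this view, so the
    # hash and SSN columns are not reachable through the app's path.
    db.execute("CREATE VIEW users_public AS SELECT id, email FROM users")
    db.commit()
    return db


def dump_everything(db: sqlite3.Connection) -> list:
    """What an attacker gets from an app with unfettered table access."""
    return db.execute("SELECT * FROM users").fetchall()


def view_columns(db: sqlite3.Connection) -> list:
    """Columns exposed by the view (PRAGMA table_info works on views too)."""
    return [row[1] for row in db.execute("PRAGMA table_info(users_public)")]


class RateLimitExceeded(Exception):
    pass


class UserRecordApi:
    """One record per call, through the view, with an audit trail and a
    sliding-window rate limit. Stands in for the single-record REST call."""

    def __init__(self, db, max_per_window: int = 5, window_s: float = 60.0):
        self.db = db
        self.max_per_window = max_per_window
        self.window_s = window_s
        self._calls = deque()   # timestamps of recent successful calls
        self.audit_log = []     # (time, caller, user_id, outcome)

    def get_user(self, user_id: int, caller: str, now=None):
        now = time.monotonic() if now is None else now
        # Drop timestamps that fell out of the window.
        while self._calls and now - self._calls[0] > self.window_s:
            self._calls.popleft()
        if len(self._calls) >= self.max_per_window:
            self.audit_log.append((now, caller, user_id, "RATE_LIMITED"))
            raise RateLimitExceeded(
                f"{caller} exceeded {self.max_per_window} calls per {self.window_s}s"
            )
        self._calls.append(now)
        # Parameterised, and only against the view: id and email can leave, nothing else.
        row = self.db.execute(
            "SELECT id, email FROM users_public WHERE id = ?", (user_id,)
        ).fetchone()
        self.audit_log.append((now, caller, user_id, "OK" if row else "NOT_FOUND"))
        return None if row is None else {"id": row[0], "email": row[1]}


if __name__ == "__main__":
    db = build_db()
    print("unfettered:", dump_everything(db))
    print("view columns:", view_columns(db))
    api = UserRecordApi(db, max_per_window=3)
    for uid in (1, 2, 1, 2):
        try:
            print(api.get_user(uid, "webapp"))
        except RateLimitExceeded as exc:
            print("blocked:", exc)
    for entry in api.audit_log:
        print(entry)
```

The audit log records the blocked call as well as the successful ones, which is what makes a scripted walk through user ids visible; a real deployment would key the window on the caller and enforce the column restriction with grants on the server rather than relying on the app choosing the view.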


Plus addressing (or movable periods in gmail addresses, etc) is increasingly pointless for a whole host of reasons.

It may keep out the bottom x% of spammers/hackers but it doesn't do much for the increasingly sophisticated scams that are appearing.

If the bit before the + ends up in your inbox anyway then it'll just get stripped off and used. Spammers seeing this kind of thing across several breach dumps:

bob+trello@example.com, bob+spotify@example.com, bob+chase@example.com

and will leverage that to target spam at you for other sites, or just email bob@example.com as there's a good chance that'll get through.

Years ago I did a test with my own domain where I created two unique aliases with plus addresses, e.g. steve.smith+iawer@example.com, bob.jones+wpoqe@example.com

It didn't take long for emails to start arriving to steve.smith@example.com and bob.jones@example.com even though that email address had never been used anywhere ever before.

As others have said, you're better off just creating unique emails with `pwgen -s 16` such as wmR5pNhGI8yidU7N@example.com and storing that in your password manager alongside a similarly random password. (Yes, this is roughly what those unique email address services provide.)

Also many services/sites/providers simply assume the username is immutable. $DEITY forbid you might have to change your email address at some point in the future.
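An added example (not the commenter's code) of the normalisation the comment above describes: collapsing plus-addressed and dot-varied aliases from a constructed breach-dump style list back to the mailbox they land in, alongside a pwgen-style random alias with nothing to strip. The dot-insensitive provider list and the `+` separator are assumptions; some mail hosts use a different separator.

```python
import secrets
import string
from collections import defaultdict

# Constructed breach-dump style sample for this example (no real addresses).
SAMPLE_ADDRESSES = [
    "bob+trello@example.com",
    "bob+spotify@example.com",
    "Bob+chase@Example.com",
    "b.o.b+news@gmail.com",
    "bob@gmail.com",
    "steve.smith+iawer@example.com",
]

# Assumption: these providers ignore dots in the local part.
DOT_INSENSITIVE_DOMAINS = {"gmail.com", "googlemail.com"}
# Assumption: '+' is the sub-address separator; some hosts use '-' or '='.
SUBADDRESS_SEPARATOR = "+"


def canonicalize(address: str) -> str:
    """Reduce an address to the mailbox it actually lands in.

    Strips the sub-address tag, folds case, and removes dots for providers
    that ignore them. This is the normalisation a spammer applies to a dump."""
    local, _, domain = address.strip().rpartition("@")
    local = local.lower().split(SUBADDRESS_SEPARATOR, 1)[0]
    domain = domain.lower()
    if domain in DOT_INSENSITIVE_DOMAINS:
        local = local.replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


def group_by_mailbox(addresses) -> dict:
    """Map each canonical mailbox to the aliases seen for it across dumps."""
    groups = defaultdict(list)
    for addr in addresses:
        groups[canonicalize(addr)].append(addr)
    return dict(groups)


_ALIAS_ALPHABET = string.ascii_letters + string.digits  # same set as pwgen -s


def random_alias(domain: str, length: int = 16) -> str:
    """A per-site alias with no structure to strip, like the pwgen -s 16 idea above."""
    local = "".join(secrets.choice(_ALIAS_ALPHABET) for _ in range(length))
    return f"{local}@{domain}"


if __name__ == "__main__":
    for mailbox, aliases in group_by_mailbox(SAMPLE_ADDRESSES).items():
        print(f"{mailbox}: {aliases}")
    print("fresh alias:", random_alias("example.com"))
```

The grouping step is the point: three differently tagged entries and a capitalised variant all collapse to bob@example.com, while a random alias canonicalises to itself and tells the recipient of the dump nothing about the other aliases on the domain.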


Can confirm it's free. I tried it based on the GP comment. There are various ways to prove it is your domain: token sent to one of a small number of email addresses like {admin,security,webmaster}@, DNS TXT record, place a small file in the root of the website, etc.

The only extra bits I saw for the other emails on my domain was a plus address I'd used for last.fm which had been leaked. None of the other emails (wife, kid, family, etc) appear in any breach.

I'm slowly moving away from using my own personal domain as it's becoming an ever increasing burden. I'm also concerned that my wife/kid will be left with something they may not have access to, or would stop working at some point, if I suddenly dropped dead.


Someone in the house pressed the button to update the printer (Brother DCP-L3550CDW) firmware and the CSV page that was the basis for an existing Prometheus exporter (drum/toner lifespan, page counts, etc) stopped being a thing. Instead there was an HTML page with all of the information buried in various divs/etc.

I'd planned on writing something myself to parse the HTML and write a suitable exporter but I thought I'd give Claude a chance.

In a sandboxed VM I gave Claude a single static HTML file of the status page from the printer, also in the directory was the equivalent of "hello world" in Go, literally just the minimum needed to do `fmt.Printf("OK\n")`. The directory was called `brother-exporter`. That was it. No other instructions or information. I hadn't told it what it needed to write. I hadn't said what it should do. I hadn't told it what language it was supposed to use.

Just by doing a `/init` in that directory Claude decided that it needed to write a Prometheus exporter in Go that would fetch and parse the HTML file from a printer (defaulting to 192.168.1.1) and then present the associated metrics in a way that they could be scraped by Prometheus.

It did this flawlessly in about 10 minutes.

I could have done it in several hours but this was definitely an "oh shit" moment for me. I think the biggest thing was the fact that it guessed/assumed so much (correctly) from so little information in the beginning.


Dave Eggers' novel _The Circle_ (2013) is looking more and more prophetic every day.

https://en.wikipedia.org/wiki/The_Circle_(Eggers_novel)


For my own 10G homelab network I jumped the gun and got a couple of Intel X540-T1 cards for my two servers and balked at the cost of the RJ45-SFP+ transceivers (Unifi's version is ~USD60). (I'm sure there are cheaper options for the "not hot" flavour transceivers but I didn't want to have to gamble again.)

In the end I just replaced each X540-T1 with a X520-DA2 which are pretty much the same price on eBay (under USD20) and then I can just use a DAC that's a fraction of the cost of the RJ45-SFP+ transceivers.


Yeah, it's better to avoid RJ45 entirely for 10gig if one can. It's unavoidable though for some places. e.g. A lot of consumer boards have a spare x1 PCIe slot...which is enough for 10gig if it's gen4.

...but all the x1 cards I've seen are RJ45 and I didn't want to take a chance on seeing if an x4 SFP card can run in an x1 at full 10gig


Indeed, however:

    10 x 0.1 = 1

Bold of you to assume my reading ability is that high.

That depends on floating-point width. It might also end up being a NaN.

Some companies are purposely obtuse about it.

My wife is trying to sort something with a famous Irish airline who are well known for messing people around. She has LPA/POA for her mother but rather than the airline accepting the VCode (this is the UK) the airline are requesting to see the original POA certificate which is just ridiculous. They seem to be moving a little quicker now there is a solicitor involved.

Given how much back and forth there has been it's probably cost the airline more than just refunding the amount at the first request. We'll keep going to prove a point.


The "Sasha" section brought back a load of memories from my childhood. As an Alex growing up in Western Europe with no connections to anything East it was just my Russophile father that used to call me Sandy or Sasha some of the time.

I'm waiting for 3 DACs and a few other bits to arrive today to move closer to 10G networking at home. Moving house soon and the new place will have 2.5Gbps FTTP (both up and down) so I wanted to be prepared for that. Given my existing broadband is only 500/75Mbps FTTP I was fine with a 1GbE internal network and Wifi-6 meshing. I could have planned to move to 2.5GbE but it may have been a bottleneck at some point, so may as well push straight on to 10G.

I have a USW-Aggregation with 8 SFP+ ports arriving today too. Just have to install Intel X520-DA2 cards in two of my servers (Proxmox host and a general Linux server), and the NAS also has a 10G SFP+ port, and then connect it all up.

Most of it second hand from eBay for half the usual retail price.


Nice work, that agg switch is excellent.

I went with some cheap eBay cards and slotted them into a synology and PC.

They work great and have for years.

https://www.ebay.com/itm/384094168784?_skw=connectx+mellanox...


I really have to wonder what can you use 10G for? I have 500M down from my ISP, and it is faster than I can imagine ever needing, unless I get into data-hoarding 8k movies.

My homelab has a 10G fabric (switched) for NFS, iSCSI, NVMe-oF, etc. and a 25G fabric (a mix of back-to-back and switched) for clustering (Ceph, DRBD, ZFS replication, migrating VMs).

I spun up some iSCSI-backed SQL Server a few months ago and 10G couldn't keep up with the workload, so I dropped in a pair of 100G ConnectX-4 cards with iSER (iSCSI Extensions for RDMA) support for that particular use-case.

Just because your uplink is less than 10G doesn't mean the rest of your network can't be a bit more capable. :)


True, I don't really feel limited by my existing 500Mbps down, but knowing I'll be having 2500Mbps up/down soon means I want to have the infra to handle it.

Basing things on 2.5GbE would certainly have been cheaper but some things don't support it (they either do 1GbE or 10G SFP+) so settling on 10G where possible made more sense to me. My future ISP also has a 5Gbps up/down option, but even I can't justify that right now.

My wife and kid just want their phones/laptops to work, and to be able to stream stuff to watch, they don't care about the underlying speed.

Having a faster network may make some of my work related things run a bit quicker. A few times a day I'll need to pull something big down (either an ISO or a bunch of docker images) and that can take up to 2 minutes with 500Mbps down. Having those take a fifth of that time will make it seem less of a roadblock to doing work. 2 minutes meant I went and got a cup of coffee and often got more distracted, 30 seconds should keep me at my desk and focused on what I was doing. That's not a big enough reason to justify it on its own obviously.

I also want to do offsite backups with/for various family members, so something better than 75Mbps up is going to be a huge boost. Getting 1Gbps+ out will be huge (assuming whatever is at the other end can support that).

I don't do any kind of data hoarding, I think I've got something under 4TB of data that I actually care about, and most of that are family photos/videos.

Deep down it's mostly because I'm a networking geek so it's fun to play with some new kit and make blinkenlights.


Going for a cup of coffee means physical walk. Detaching from focussed mode means your mind gets in diffused mode. This is where/when creativity ensues.

One thing to remember is 2.5 gbit/sec uplink is shared between all clients. So if one client is on 1 gbit, and one client could saturate their 1 gbit while switch and router can handle better. An advantage of that is QoS doesn't need to be applied manually.

So, for example, it maybe worth it to have higher than 1 gbit uplink on switch to router, and maybe a server to switch, but devices such as your TV or WLAN clients do not need such.

75 mbit up is pretty good compared to DSL (I bet it is cable), and yes 1 gbit up is nice for off-site backups. But the upsell of going above 1 gbit symmetric IMO isn't there.

Cable providers know this. Which is why they sit below 1 gbit symmetric, at a level average subscribers are comfortable with.


> Going for a cup of coffee means physical walk. Detaching from focussed mode means your mind gets in diffused mode. This is where/when creativity ensues.

Sure, but I want to choose when I do it, not have it forced upon me.

> 75 mbit up is pretty good compared to DSL (I bet it is cable)

It is FTTP not DSL or cable. BT Fibre 500 in the UK. Almost all of the deals through the legacy/monopoly provider (BT/Openreach) are asymmetric like this.

The 2500/2500 at the new property is a different provider that has their own network and so isn't tied into reselling Openreach's GPON infra.


Asymmetric fiber, ridiculous. That changes everything TBH. I didn't expect that to exist in 2026.

https://communityfibre.co.uk/fibre-deals for reference

[EDIT] The asymmetric supplier is BT via Openreach. Google something like "BT Fibre 500".


It's less "what new thing can you do" and more "what things involve noticeably waiting, how long is the waiting, and what else is impacted". E.g. updating a game on Steam practically takes slightly under half the time for me (1.2 Gbps actual rate) and has absolutely 0 impact to any other traffic in the house. If it was 10x the price to get 10x the bandwidth I wouldn't bother but it was actually about the same as my old cable modem plan.

What if you want to access your NAS at 10g+ speed? You're focusing on WAN when there is also the LAN side.

It just makes everything feel faster. I went from 500m to 2.5g thinking I would immediately go back (I really just wanted the upgrade to XGS-PON to run my own network) and then I couldn't go back. Its very much like using a higher refresh rate or a faster CPU...

I went from one dev machine to two at my desk so I connected them via 25GbE. With about 2.8GBps TCP throughput and RDMA available I don't have to think too much about task placement or cross-traffic. (specific hardware: Mellanox ConnectX 4 LX cards + a DAC cable).

For most people, 500M is probably fine. But once you have a few family members, each streaming 4K movies to their devices, and a parent that needs a video call to work seamlessly, you start to see the benefits.

10G is probably overkill, but it's also future proofing. The way things are going, loading the NYtimes will require 10G just for the advertising alone...


> For most people, 500M is probably fine. But once you have a few family members, each streaming 4K movies to their devices,

You must have a very large family. To saturate 500Mbit/s, you'd need around 30 family members all streaming at the same time.


A 4k stream needs around 25M and video calls are more about QOS.

How many PCIe lanes are you allocating?

The card is obviously 16-lane, but it also has two ports; 40Gb total. In a server that’s fine, but if you want 10G in a desktop you’ll have a problem.

I’m probably not telling you anything new. NICs using newer PCI generations are rare as hen’s teeth. It should be possible to do this with four lanes, but isn’t…

Unless you find a 25G dual-port card, in which case the single lane my secondary slots hand out does at least suffice for 10G one way.


PCIe is also a full duplex connection so 2x10G is still just 20G instead of 40G. For PCIe 2.0 an x8 connection should get you full bandwidth on both ports simultaneously while x4 will fall just short for simultaneous usage (but still higher than 1 port). Unless you're really hankering for that full 20G, in which case a 25G NIC is definitely the better pick, that means you can just slot it in an x4 slot off the chipset on even a standard desktop PC.

Funnily enough, if you want a dirt cheap PCIe 3.0 based card the MCX353A-QCBT and MCX354A-QCBT give 1/2 ports of 40G QSFP+. They support QSFP+ to SFP+ adapters, so you can plug a 10G SFP+ into the QSFP+ port, but they don't support 4x10G breakout unfortunately. I ended up using the 2 port variant in both of my NASes - one port is 40G between the 2 for dirt cheap fast backups and the other is adapted to 10G to connect to the rest of the home network.


I've started buying Intel E810s for most purposes, even for 10G links. (SFP28 ports are generally backward-compatible with SFP+ DACs and transceivers.) The ones you can get on eBay for cheap typically run Dell firmware but it's serviceable. An E810-XXVDA2 is Gen4 x8; as long as the host slot can physically accept the card connector you only need Gen4 x1 electrical for a single 10G link or Gen4 x2 for dual 10G or single 25G.
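An added worked version of the lane arithmetic in the two comments above (not either commenter's code), generalised to every PCIe generation and lane width. It uses the per-generation signalling rate and line-code efficiency (8b/10b for Gen1/2, 128b/130b from Gen3) and ignores packet-level overhead, so the figures are upper bounds; the card names in the demo are the ones mentioned on this page.

```python
# Raw transfer rate per lane (GT/s) and line-code efficiency per generation.
# Gen 1/2 use 8b/10b, Gen 3+ use 128b/130b. All figures are per direction.
PCIE_GEN = {
    1: (2.5, 8 / 10),
    2: (5.0, 8 / 10),
    3: (8.0, 128 / 130),
    4: (16.0, 128 / 130),
    5: (32.0, 128 / 130),
}
LANE_WIDTHS = (1, 2, 4, 8, 16)


def lane_gbps(gen: int) -> float:
    """Usable Gbit/s per lane, per direction, after line coding.
    Ignores TLP/DLLP packet overhead, so real throughput is a little lower."""
    rate, efficiency = PCIE_GEN[gen]
    return rate * efficiency


def slot_gbps(gen: int, lanes: int) -> float:
    """Usable Gbit/s per direction for an electrical width of `lanes`."""
    return lane_gbps(gen) * lanes


def fits(gen: int, lanes: int, port_gbps: float, ports: int) -> bool:
    """Can the slot carry every port at line rate in one direction at once?
    Ethernet and PCIe are both full duplex, so only one direction is summed
    (which is why a dual 10G card needs 20G of slot, not 40G)."""
    return slot_gbps(gen, lanes) >= port_gbps * ports


def lanes_needed(gen: int, port_gbps: float, ports: int):
    """Smallest electrical lane width that satisfies fits(), or None."""
    for lanes in LANE_WIDTHS:
        if fits(gen, lanes, port_gbps, ports):
            return lanes
    return None


if __name__ == "__main__":
    cases = [
        ("X520-DA2 in its rated Gen2 x8", 2, 8, 10, 2),
        ("X520-DA2 in a Gen2 x4 slot", 2, 4, 10, 2),
        ("one 10G port in Gen2 x4", 2, 4, 10, 1),
        ("E810-XXVDA2 single 10G, Gen4 x1", 4, 1, 10, 1),
        ("E810-XXVDA2 dual 10G, Gen4 x2", 4, 2, 10, 2),
        ("E810-XXVDA2 single 25G, Gen4 x2", 4, 2, 25, 1),
    ]
    for label, gen, lanes, port, ports in cases:
        verdict = "ok" if fits(gen, lanes, port, ports) else "short"
        print(f"{label}: slot {slot_gbps(gen, lanes):.1f} Gbit/s,"
              f" need {port * ports} Gbit/s -> {verdict}")
    print("lanes for dual 10G by generation:",
          {g: lanes_needed(g, 10, 2) for g in PCIE_GEN})
```

The electrical width is what matters, not the physical connector, so an x16 slot wired x1 through the chipset is an x1 for this calculation; checking `lspci -vv` for `LnkSta` (negotiated speed and width) on Linux confirms what a card actually got.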

I'm only planning on using one of the SFP+ ports on each of the cards, the dual port cards were just more common and cheaper on eBay.

The specs say they require PCIe v2.1 x8 lane.

My Proxmox server is quite old and has a Gigabyte GA-X79-UP4 mobo and has loads of spare PCI slots. One slot is taken up by a generic graphics card as the Mobo has no on-board graphics. (I think I went for this mobo because of the number of SATA ports, but it was over 10 years ago so not entirely sure.)

My general Linux server is newer and has an ASUS Prime H610M-A D4 mobo. Only two PCI slots (not used at the moment) and so the Intel X540-DA2 will use up the PCIe 4.0 x16 slot leaving just a PCIe 3.0 x1 slot. But that's fine as this machine is just a CPU (i7-13700), 64GB RAM and a 2TB NVMe. Sticking a good graphics card in it for GPU related fun had been on my list for years but I never got around to it, now the prices are just insane so I'll ignore that for now or something second hand falls into my lap.


I just went through the same process over the last few months. I had a USW agg and ran out of ports so now I have the big dog 24-port version. Mainly wanted L3 routing capability but it’s nice having more ports to lagg connections.

The limiting factor for me is that I'm renting so I can't put my own cabling in to the property. And with the new place there's no existing cabling, nor any conduits to run anything in, and chasing things into the walls/etc is going to be prohibited by the landlord or just too expensive if I'm only in this place for a year or two.

The spools of bend insensitive fibre are pretty cheap and very discreet so I'll probably have a couple of those running along skirting boards/etc in order to connect disparate areas of the house. (The ONT is ~15m away from where the majority of the equipment will live, that's the main bit I have to bridge.)


> The spools of bend insensitive fibre are pretty cheap...

For the benefit of other folks reading, I'll note that even regular, boring OM4 bends okay. I have mine running along the outside of preexisting molding and baseboards. My runs get down to a 1/4" bend radius in places and it seems to work just fine. Bend-insensitive fiber is definitely useful, but it may not be required for the run one is planning.

Though, one thing that regular OM4 is not is discreet. That two-strand cabling in its aqua-colored jacket is quite distinctive.


I used to sneak cabling around the basement and pop it out of AC register vents when I was renting. I had one cable coming out the access panel to a bathtub which was conveniently in my office as I was next to the bathroom.

This vid comes to mind when you said bend insensitive fiber: https://www.youtube.com/watch?v=Z2FbzCyiNr4


Edwardian houses in the UK rarely have that level of access. No basement at all and I can't lift the carpets and floorboards to get to where I might be able to pass things through/around. No AC ducts. No coax to be able to use MoCA either.

But, yes, that video is exactly the kind of thing I had in mind for the bend insensitive fibre.

It all depends how I set things up (and I can't tell that until I've had more access to the property). The ONT and the rack with the USW-Aggregation switch are 10 yards apart, in terms of absolute distance, but probably 20 yards if you follow the walls/skirting-boards/etc.

The FTTP is presented as 2.5GbE Ethernet (apparently) so I can either:

a) put my Unifi Express 7 next to the ONT and then need a fibre run (something like https://uk.store.ui.com/uk/en/category/accessories-modules-f...) from the SFP+ port on the Express 7 to the USW-Aggregation in the rack.

However this will be sub-optimal in terms of Wifi and I'll probably need extra APs to cover all three floors and out into the back yard.

b) put my Unifi Express 7 in the hallway in the middle of the house (which should give me full Wifi coverage with no extra APs). This would mean a short (2m) DAC to connect it to the USW-Aggregation nearby, and I can use a 20m long flat/flexible Cat-6 Ethernet cable to go between the ONT and the Unifi Express 7.


I did similar with the Mikrotik CRS305-1G-4S+IN and some surplus eBay gear. The nice thing is the NAS and my MacBook dock both have 10G and are connected - and it’s noticeable.

I had a big debate with myself whether to go Mikrotik or Unifi. Being EU based I really wanted to go Mikrotik but ended up with Unifi as I'd had more experience of it when helping out friends/neighbours.

Maybe my "last house" (i.e. the one we'll get to see us through to retirement and beyond) will be Mikrotik based. By then I'll probably want as little computing stuff as possible and will just sit in a comfy chair doing crosswords and sudoku with a pencil.


If one wants to play around with the shell and other administrative tools, one can download a bootable x86 install image from [0] that works fine in qemu. I assume it'll work fine on any other major VM that can boot Linux and provide virtual NICs that work with in-tree drivers.

It's documented (but -IMO- poorly) that the default username is "admin" and the default password is the empty string. The brand-new-as-of-today docs site is at [1], the "older" docs site is at [2], and -as documented on the older docs site- you can get a PDF of the docs at [3].

If you ever find yourself with an entirely spare hour or two, fire up the VM just to play around with the interactive shell that they have built. I may not have worked with enough Enterprise Devices to have an informed opinion... but once I understood what the shell was telling me, I found its use of color to be helpful both when attempting to learn the basic syntax of the shell and as a reminder of what tokens are valid in which contexts. I've never worked with another interactive shell that has such nice syntax-and-data validity hinting.

[0] <https://mikrotik.com/download?architecture=x86>

[1] <https://manual.mikrotik.com/docs/introduction>

[2] <https://help.mikrotik.com/docs/>

[3] <https://box.mikrotik.com/d/df76f0d495284eb1b6a1/>


Mikrotik is "quite low level" if you want it to be (it reminds me somewhat of old Cisco IOS) but it works great.

And even if you're a bit scared of manual configurations, the web GUI and Claude understand it pretty well.


I use UniFi for most of my home network so It Just Works™, but I've thought about mixing in Mikrotik for e.g. the compute rack so I can play around with 100G+ links and more esoteric stuff like VXLAN.

> Most of it second hand from eBay for half the usual retail price.

You were scammed. X520 is old enough to drive a car, the shop should pay you to get it off their hands.


Ha. I meant the rest of the equipment (USW-Aggregation, Unifi Pro Max 16, UNAS Pro, Unifi Express 7) was somewhere around half retail price.

I think I paid ~$15 for each X520-DA2 including postage.


I've started buying E810s even for 10G links. PCIe Gen4, lower power draw, RDMA support, generally backward-compatible with SFP+ DACs and transceivers, and relatively inexpensive. Not nearly as dirt-cheap as the X520s but not crazy expensive (last I looked, at least). As I gradually replace switches over the next few years I can start taking advantage of 25G.

This is the way. The 10G cards are ancient and hog all the PCIe lanes.

I’ve had the best luck with Mellanox ConnectX 4 or 5 cards. The 5 can happily run 25G on a modern lane constrained system.


I've seen lots of pretty terrible experiences with the i40e and newer Intel drivers.

For newer NICs than the X520s I'd probably grab a Connect-X card.


They've been stable for me but I'd be lying if I said I'd only heard good things.

Looks like prices on the E810-XXVDA2 have come up since the last time I looked while prices on the ConnectX-6 Lx have come down, so that'd be a good option!

