mlfh

But root can scrape that password as soon as you enter it, and has access to that encrypted data as soon as you decrypt it. That’s what I’m saying.

If you think anything on a *nix system is “safe” from root or a user that can elevate to root, you’re deluding yourself with wishful thinking.

Nothing at all is safe from the root account, or from any user that can elevate to root. Think of the root account as the system itself - the thing you’re trying to protect may be encrypted and safe at rest if you’ve brought it in from elsewhere, but as soon as you enter a password and decrypt it, you’re handing that password and decrypted data over to a system fully controlled by that root account.

Unless there’s more information on what kind of files and what kind or sorting needs to be done, this sounds like something that could be done with a simple shell script.

(I wouldn’t trust an ai agent to do it with accuracy, but I’m the kind of luddite that doesn’t trust an ai agent at all.)

Where Should We Begin? is a podcast by the psychotherapist Esther Perel, where each episode is a full couple’s therapy session with an anonymous couple. It’s nice, and sounds like a match for your question.

Hahaha no I’m just an idiot and accidentally swapped the url and text, thanks for catching that - fixed now

modprobed-db can create a profile of the kernel modules that get loaded by your system over time. You can feed that directly into make localmodconfig to build a kernel that only includes those modules, or use the data to build a modprobe whitelist.

Sabrina Carpenter 💅

It might yet come back, the page has a banner saying they ran out of storage and the community has donated a bit to add more.

I spun up my own server in the meantime though, and even if sdf does come back, I’ll probably stick to using this one as my primary.

I love lemmy.sdf.org the best - it’s a unixy ragtag underdog cyberpunk kind of place running on a pubnix cluster, whose frequent downtime only adds to its charm. Three-character dot-org domain name (aura). Broad spectrum of users, unified by finding something like a pubnix cluster cool.

Usually the downtime lasts a day or two at most, the plucky pubnix admins get it back online and we celebrate. But it’s been down for over a month now :(

This comment sent me down a fun rabbit hole learning about ARPS and packet radio, and I’m finally gonna get my license now. Thanks!

You have enough failures on each disk to make me suspect an issue with the usb-connected drive bay. I ran into similar issues with a cheap pci-e sata adapter, where little hiccups and latency in the communication layer would cause zfs to take disks offline randomly. Read, write, and checksum errors would slowly accumulate across all of the disks. Switched that machine to a proper enterprise hba, the issues vanished, and the disks are all healthy 3-4 years later.

That’s a really really good story idea, and I love the thought and sentiment behind it - even with my own way of looking at machines, I’d never thought of things that way. You should write it!

I (mostly jokingly, but also a little bit really and sentimentally) believe that physical baremetal computers/servers have souls, and must therefore have hostnames that are names, because names are powerful and soulful and you should have respect for things that have souls. Which is why I kind of hate the “cattle, not pets” model in my own practice.

Stick identifying categorizing prefixes on it, of course, and you can group clusters under the same name with a numeric suffix, but it’s gotta have a real name in there somewhere.

deleted by creator

I made it sound a bit like that haha, but no, just the very big loud music

A friend of mine was once the organist at a cathedral with a grand pipe organ. He invited me to see it one day and hear him play, and for the finale he had me climb up into the forest of towering pedal pipes, crouching between the rows, dwarfed by their looming height, while he played Bach’s Toccata and Fugue in D Minor.

The sound hit me like a wave, so vast and tremendous and perfect. I felt utterly annihilated - tiny and shaken apart into nothing, a speck swept away in a cascading ocean of music, like the whole world was exploding in cataclysm and fractal rebirth all around me. Dazzling and enormous.

And when the fugue peaked, I think that’s the closest to nirvana I’ve ever been. Just blown clean off the face of the earth.

A partial solution to this evil-maid attack vector is Heads firmware (a replacement for the bios/uefi itself), which lets you sign the contents of your unencrypted boot partition using a gpg key on a hardware token, and verify the integrity of the firmware itself using a totp/hotp key stored in the tpm.

All the benefits of secure boot, but you get to control the signing keys yourself instead of relying on a vendor. It’s great stuff.

Everything I run, I deploy and manage with ansible.

When I’m building out the role/playbook for a new service, I make sure to build in any special upgrade tasks it might have and tag them. When it’s time to run infrastructure-wide updates, I can run my single upgrade playbook and pull in the upgrade tasks for everything everywhere - new packages, container images, git releases, and all the service restart steps to load them.

It’s more work at the beginning to set the role/playbook up properly, but it makes maintaining everything so much nicer (which I think is vital to keep it all fun and manageable).