This is a great post. I don’t personally need it but I love to see these sorts of teaching/sharing posts especially when companies make these sorts of decisions.
Just download it from MS directly and use it unactivated (select “I don’t have a key” when prompted). Why anyone would f- around with their OS, of all things…
If you care to activate, it’s trivial to get a grey key or to find an activation script (though I think they patched out the script – even though MS Support themselves used it)
Microsoft are deep into the government with exchange and Active Directory with most being migrated to Microsoft365 and Azure.
Add in MS Teams, SharePoint, MS SQL, 30 years of business rules living in old excel macros that ends up running the entire company.
Windows enterprise licences would be a tiny part of their spend and far too costly to mitigate away from. Most large corporations are virtualising old windows version just to keep their existing legacy apps runnings.
It doesn’t matter how strong your defenses are and how skilled your IT team is, when fucking Linda in accounting opens EVERY SINGLE GODDAMN ATTACHMENT SHE GETS!!!
SEBSAC (security exists between shoes and computer, or socks and computer, or soles and computer, or sprostherics and computer, or smagic carpet and computer)
Then the IT department sends everyone a Honeypot email and schedules more training and a meeting with a manager for anyone who clicks any links in the email.
It is a great step but it’s rare to have enough buy in from upper managent to enforce any real consequences for repeat offenders. I’ve seen good initial results from this kind of phishing testing, but the repeat offenders never seem to change their habits and your click rate quickly plateaus.
It’s the same way you know the things outside your window are real. You look at the light coming to you from that object and make inferences as best you can. As long as new observations and inferences line up with old observations and inferences, then you can be reasonably confident that your growing model of the outside world is accurate. When something doesn’t add up then you revise your model and keep iterating with new observations.
There’s no difference whether the object appears to be within our solar system or far outside it. We see something and we interpret what we can from the available observations. Occasionally, if something is close enough and interesting enough, we send a robot to orbit the thing or maybe land on it and gather better observations, like how Rosetta/Philae visited a passing comet.
I understand pirating from Netflix and such, cause they’re big companies and their service is shit, but Nebula is run by creators and you support them directly with a subscription. So if you have $5 at your disposal I would highly encourage paying for Nebula.
Privacy/security: Cloudflare terminates HTTPS, which means they decrypt your data on their side (e.g. browser to cloudflare section) then re-encrypt for the second part (cloudflare to server). They can therefore read your traffic, including passwords. Depending on your threat model, this might be a concern or it might not. A counterpoint is that Cloudflare helps protect your service from bad actors, so it could be seen to increase security.
Cloudflare is centralised. The sidebar of this community states “A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don’t control.”, and Cloudflare is for sure a service you don’t control, and arguably you’re locked into it if you can’t access your stuff without it. Some people think Coudflare goes against the ethos of self-hosting.
With that said, you’ll find several large lemmy instances (and many small ones) use cloudflare. While you’ll easily find people against its use, you’ll find many more people in the self-hosted community using it because it’s (typically) free and it works. If you want to use it, and you’re ok with the above, then go ahead.
There’s a third point which is: Things in CloudFlare are publicly accessible, so if you don’t put a service on front for authentication and the service you’re exposing has no authentication, a weak password or a security issue, you’re exposing your server directly to the internet and bad actors can easily find it.
Which is why some services that I don’t want to have complicated passwords are only exposed via Tailscale, so only people inside the VPN can access them.
In addition to the above, most of the percieved advantages of CF are non-existent on the free tier that most people use. Their “DDoS protection” just means they’ll drop your tunnel like a hot potato, and their “attack mitigation” on the free tier is a low-effort web app firewall (WAF) that you can replace with a much better and fully customizable self-hosted version.
They explicitly use free DDoS protection as a way to get you in the door, and upsell you on other things. Have you seen them “drop your tunnel like a hot potato”?
Now obviously if their network is at capacity they would prioritise paying customers, but I’ve never heard of there being an issue with DDoS protection for free users. But I have heard stories of sites enabling Cloudflare while being DDoSed and it resolving the problem.
Any stories you’ve heard about websites enabling CF to survive DDoS were not on the free tier, guaranteed.
Please re-read the description for the free tier. Here’s what “DDoS protection” means on free tier:
Customers are not charged for attack traffic ever, period. There’s no penalty for spikes due to attack traffic, requiring no chargeback by the customer.
Will they use some of their capacity to minimize the DDoS effects for their infrastructure? Sure, I mean they have to whether they like or not, since the DNS points at their servers. But will they keep the website going for Joe Freeloader? Don’t count on that. The terms are carefully worded to avoid promising anything of the sort.
They also say “Cloudflare DDoS protection secures websites and applications while ensuring the performance of legitimate traffic is not compromised.”, with a tick to indicate this is included in the Free tier.
You are honestly the first person I’ve heard complain about Cloudflare failing to protect against DDoS attacks. However, I have no doubt that not having Cloudflare, I would fare no better. So still seems worthwhile to me.
The first point is only when you use the tunnel function, right ?
Because I noticed, if use the tunnel function (hiding your private ip) the sites gets an Cloudflare certificate, but if just using it as DNS (without tunnel) the page has my certificate.
If you use DNS with proxy it still applies, you should get a Cloudflare certificate then. But yes, if you use Cloudflare as DNS only, then it should be direct. I believe you get none of the protection or benefits doing this, you’re just using them as a name server.
The Cloudflare benefits of bot detection, image caching, and other features all rely on the proxy setting.
Also if proxying is enabled, your server IP is hidden which helps stop people knowing how to attack your server (e.g. they won’t have an IP address to attempt to SSH into it). You don’t get this protection in DNS only mode either.
Basically if you’re using DNS only, it’s no different to using the name server from your domain registrar as far as I can tell.
I have a cloudflare tunnel setup for 1 service in my homelab and have it connecting to my reverse proxy so the data between cloudflare and my backend is encrypted separately. I get no malformed requests and no issues from cloudflare, even remote public IP data in the headers.
Everyone mentions this as an issue, and I am sure doing the default of pointing cloudflared at a http local service but it’s not the ONLY option.
I’m not quite sure I get what you’re getting at. If you’re using Cloudflare (for more than just a nameserver), then the client’s browser is connecting to Cloudflare via a Cloudflare SSL certificate. Any password (or other data) submitted will be readable by Cloudflare because the encryption is only between the browser and Cloudflare. They then connect to your reverse proxy, which might have SSL or it might be unencrypted. That’s a second jump done by re-encrypting the data.
How does the reverse proxy help, when the browser is connecting to Cloudflare not to the reverse proxy?
Without the loaded malice of some of these comments, sincerely, I forgot beehaw existed. It looked like the place to go during the migration and was constantly getting good word of mouth on all the Reddit move channels. Then the barrier to entry went up with the essay application, which was 100% fine as a decision, but obviously made it a hassle for the masses trying to find a home. Couple that with no open community creation, leaving no landing spot for niche communities and I went elsewhere.
But even after taking a shotgun approach and making accounts on multiple instances when stability and federation was still struggling, beehaw started defederating from everything. Again, 100% your decision. But the reasons were often blatantly showing that beehaw was not willing to engage in the learning process of this new interface with the rest of us.
So, again no malice, I literally forgot beehaw existed till seeing this post. So if your admins and users think you can achieve whatever elsewhere, I don’t see why you shouldn’t.
I think it’s honestly a good way for them to die out. They’re basically a niche of a niche of a niche at this point, and that’s unfortunately probably not the most sustainable thing long-term.
The thing about genocide is that the concept was formalized as a crime, meaning you do actually have a burden of proof, and you do actually have to provide evidence, and requiring, examining, and weighing the evidence is no more offensive than requiring, examining, and weighing the evidence against someone accused of murder.
And you do actually have to do this analysis, because “genocide” is thrown around all over the place as a political tactic, and plenty of accusations are bullshit (or are you a genocide denier if you call bullshit on the accusation of white genocide in South Africa?).
Computer Science was great dont get me wrong, but I totally agree. Comp Sci helped with some of the basics, but didnt prepare you at all on the soft skills that get you ahead, nor why task management, version control, and other such concepts are so important.
It never fails too how many times I have to teach jr devs git right off the bat. Its just weird enough to require a little bit of handholding when they start.
It’s a little unfair to criticise a CS course for not being a SWE course. But I agree that graduating students in CS without having covered the basic requirements in the SWE day job most of them will move into is a disservice.
I did CS (30 years ago) and things entirely missing in the syllabus back then:
any and all soft skills
version control
refactoring
testing and the value of testing
staging and replicated environments for raw dev, QA, live, etc
It doesn't require university level study to understand. You took Comp Sci, not applied software development. If you can pass Comp Sci, you should be able to use a system like git without it having been part of a tertiary level curriculum.
it doesnt require university level study to understand
Yeah you can learn it outside of uni but I could say the same for anything in that course. Students wouldn’t know they need to learn it because they haven’t worked in the industry.
During the course you are doing projects with multiple people. Looking back it would have been a great place to introduce version control.
If you were to study version control in a comp sci degree, you would study the way it's implemented, not how to use it. The data models for how to store and access repositories of many files with many changes is interesting, and can have different aspects depending on if it is text content or binary. Is it optimal to store each file as an aggregate of its diffs, no matter how many. Should there be snapshot points, etc?
Those are the aspects of version control that belong in tertiary level computer science. Learning how to use "git add" and "git push" don't.
Teaching about version control would be preferable to a singular tool. Git wasn’t always the #1 tool nor will it be forever, & there are some great tools pushing against Git as we speak which will be great for all of us when something truly better usurps—like Subversion, the former king. Training on a singular tool is like learning Microsoft Word instead of document processing where the broader concepts are more valuable for your career as you understand not just how but why.
Personally I had a lot of fun giving darcs & Pijul fair shakes in 2023 to understand what makes the patch theory cool to work with. You could probably do a whole course on VCSs & their models since you are correct that they are rather integral to real world teams & projects.
My university created an entirely new school because while the computer science graduates could do computer science they couldn't write an email or contribute to a meeting.
Heh yeah. Lots of fresh grads don’t even really know anything about application development. Like they have a handful of sorting algorithms memorised and can explain what a compiler does (and are thinking about writing one some day) but can’t actually build anything.
Often, they can pick it up quickly, whatever the “it” is… But it doesn’t give them that much of a head start compared to someone who did a shorter program or self-taught.
I’ve never used PuTTY either, tbh… Is that just what Windows users use for SSH stuff?
Not anymore, it’s a terminal emulator but most have transitioned to just using Poweshell to SSH into things. I like multi-tabbed putty and use it heavily when configuring network appliances.
It’s also not a Windows thing lol you can install it natively in Debian, Fedora, and Arch that I know of with the basic package manager of each.
I’ve never used Linux in an Enterprise environment so I don’t know if there’s an easier way to store servers/switches as objects and access them via the standard terminal than MTPuTTY, but yeah I’m not surprised it was originally created for windows and then ported at some later time.
I dunno, most of the job descriptions I see say something like “a relevant degree or equivalent experience…” And lots of places don’t even list an educational requirement, at least for more senior roles.
I basically self-taught while I was working in a different field, and then eventually found a bootcamp with a good alumni network and career placement services. Once you get a little bit of experience, it starts to snowball, but getting that first opportunity (or first few) can be a steep hill to climb.
Oh, and you gotta be pretty good at building software too, of course, but not as good as you’d think to get going-- Most of your learning is on the job, regardless of what educational path you take. In that respect, most go-getters with some diligence and aptitude can exceed the capabilities of a typical compsci grad inside of a year, I’d say.
There will always be employers who think the degree is really important, and there will be roles where it actually is… But plenty just want evidence that you can do the job well.
Usually they’re not willing to pay anywhere close to doctorate money for doctorates anyway, and will end up settling no matter who they pick.
I’m not sure if i’ve ever known any engineer who has met the listed job requirements for their role. They say requirements, but what they mean is “this is my ideal”. Put another way: think of it like a dating app profile. dude may act like he only dates 10s in his profile, but you show him some attention and suddenly you’re just as good as a 10, because he’s lonely and needs affection from someone.
Basically, for most companies, they’re essentially the corporate version of incels. Way too high of standards, but will settle for anyone who is into them regardless of what they think their standards are, because they just need someone ASAP, and their standards disappear quickly once you make yourself available.
I’ve enjoyed a 20+ year long career as a programmer, and I dropped out of college 3 months in because i couldn’t afford it. That’s because early in my career i took a few shitty jobs until i had a decent enough resume that i didn’t have to take shitty jobs anymore. That took study and practice and passion in programming, but i did that for fun years before i even showed up on the university doorstep.
kbin.life
Top