OVH, Docker, Containers, Email, TPM, LUKS2, WPA3
After dealing with OVH, I've got only one question. With some companies it feels totally pointless to complain about the company, and the only question remaining is why anyone is stupid enough to do business with them. I'm really feeling that OVH is in this category right now. It's probably time to migrate everything away from OVH. Bad communication, disinformation, bad processes, bad tech (won't work) and so on. Bouncing stuff between departments, causing critical delays, etc. They won't even provide support because of an "invalid business identity". Always such a joyful customer experience.
It seems that Ubuntu 20.04 replaces the block device I/O scheduler 'noop' (@ Wikipedia) with 'none'. Ok, no problem, yet 'noop' isn't automatically mapped to 'none', so you'll have to update your configuration scripts / settings files.
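The rename bites any script that still writes the old name into sysfs. An added example (not from the original post) of the mapping such a script needs: resolve the requested scheduler against what the kernel actually reports, treating noop/none as aliases of each other, before writing anything. The sysfs path is a parameter so the logic can be exercised against a constructed sample file; writing to the real path needs root.

```shell
#!/bin/sh
# Added example, not from the original post. Maps the scheduler name a legacy
# config file asks for onto what the running kernel offers, so a script written
# for 'noop' keeps working on kernels that only know 'none'.

# Print the schedulers the kernel offers for a device, without the brackets
# that mark the active one. Argument: path to the 'scheduler' sysfs file.
available_schedulers() {
    tr -d '[]' < "$1"
}

# Resolve a requested scheduler to one the kernel supports.
# Prints the resolved name, or nothing (exit 1) if neither the requested
# scheduler nor its known alias is available.
resolve_scheduler() {
    wanted="$1"
    sysfs_file="$2"
    avail=$(available_schedulers "$sysfs_file")
    # Legacy single-queue name -> multiqueue name (and back) are the only aliases.
    case "$wanted" in
        noop) alias_name=none ;;
        none) alias_name=noop ;;
        *)    alias_name="" ;;
    esac
    for candidate in "$wanted" $alias_name; do
        for s in $avail; do
            [ "$s" = "$candidate" ] && { printf '%s\n' "$candidate"; return 0; }
        done
    done
    return 1
}

# Apply: write the resolved name into sysfs (needs root on a real system).
set_scheduler() {
    dev="$1"; wanted="$2"
    f="/sys/block/$dev/queue/scheduler"
    chosen=$(resolve_scheduler "$wanted" "$f") || { echo "no usable scheduler for $dev" >&2; return 1; }
    printf '%s\n' "$chosen" > "$f"
}

# Constructed sample of what a 20.04 kernel reports for an NVMe device.
SAMPLE=$(mktemp)
printf '[none] mq-deadline kyber\n' > "$SAMPLE"

# Usage on a real host: set_scheduler nvme0n1 noop
```

Reading the offered list first also catches the case where a scheduler module simply isn't loaded, which otherwise shows up only as a write error at boot.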
Configured my Docker host to use IPv6 properly. It works now; a long time ago Docker's IPv6 support was totally broken, so this is awesome news. Using IPv6 bridging and my own static /48 address space, allocating the desired /64 per container.
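An added example (not the post's own setup) of the arithmetic behind "one /64 per container" and the daemon.json it feeds. The /48 here is the documentation prefix 2001:db8:abcd::, a placeholder for your own allocation. Since every container then gets a globally routable address, the host firewall, not NAT, is what keeps unintended ports off the internet; that filtering is outside this snippet.

```shell
#!/bin/sh
# Added example, not from the original post: carve per-container /64 networks
# out of a routed /48 and emit the matching Docker daemon.json. The /48 prefix
# used in the usage lines is the documentation range, a placeholder.

# Derive the N-th /64 of a /48. Arguments: the first three hextets of the /48
# (e.g. 2001:db8:abcd), then an index 0..65535 used as the fourth hextet.
container_subnet() {
    prefix48="$1"; idx="$2"
    case "$idx" in
        ''|*[!0-9]*) echo "index must be a decimal integer" >&2; return 1 ;;
    esac
    [ "$idx" -le 65535 ] || { echo "index exceeds /48 capacity" >&2; return 1; }
    printf '%s:%x::/64\n' "$prefix48" "$idx"
}

# Render /etc/docker/daemon.json enabling IPv6 on the default bridge, with the
# given /64 as fixed-cidr-v6. Writing the file and restarting dockerd is left
# to the operator.
daemon_json() {
    cat <<EOF
{
  "ipv6": true,
  "fixed-cidr-v6": "$1"
}
EOF
}

# Print the command that creates a user-defined network on its own /64, one
# per container group, so each group sits on a distinct routable subnet.
network_create_cmd() {
    name="$1"; subnet="$2"
    printf 'docker network create --ipv6 --subnet=%s %s\n' "$subnet" "$name"
}

# Usage with the placeholder prefix:
#   daemon_json "$(container_subnet 2001:db8:abcd 0)"
#   network_create_cmd web "$(container_subnet 2001:db8:abcd 1)"
```

Keeping the index-to-hextet step in one function means the subnet list in your inventory and the networks Docker actually creates cannot drift apart.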
Secure containers, because Docker's own isolation isn't tight enough. Quickly glanced through options like gVisor, OPS (small, secure, fast NanoVMs) and Firecracker.
This Hacker News discussion (@ news.ycombinator.com) about running a small SMTP server (@ bridge.grumpy-troll.org) sounds so familiar. Been there, done that, and still doing it! Yet I slightly disagree about DMARC (@ Wikipedia) p=reject and SPF -all. Those should be the default, because any well-run domain can deal with them. Doing anything other than that should be a clear mark of very sloppy administration. I know exactly which IP addresses are used to send my emails, no exceptions.
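To make "strict by default" checkable rather than a matter of opinion, here is an added example (not from the post or the linked discussion) that inspects published SPF and DMARC records for the two settings argued for: a hard-fail `-all` and `p=reject` applied to the whole domain at full volume. The record strings are constructed samples; on a real domain they would come from `dig +short TXT example.com` and `dig +short TXT _dmarc.example.com`.

```shell
#!/bin/sh
# Added example, not from the original post: check that SPF and DMARC records
# carry strict settings (SPF '-all', DMARC 'p=reject'). Records are passed in
# as strings, so this runs offline against constructed samples.

# Exit 0 if the SPF record ends in a hard fail ('-all'), 1 otherwise.
spf_is_strict() {
    rec="$1"
    case "$rec" in
        "v=spf1 "*) ;;
        *) return 1 ;;
    esac
    # 'all' must be the last term and must be '-all' (hard fail); '~all'
    # (softfail) and '?all' (neutral) leave the receiver free to accept.
    last=${rec##* }
    [ "$last" = "-all" ] || return 1
    return 0
}

# Extract the value of one DMARC tag (e.g. p, sp, pct) from a record.
dmarc_tag() {
    rec="$1"; tag="$2"
    printf '%s\n' "$rec" | tr ';' '\n' \
        | sed -n "s/^[[:space:]]*$tag=\([^[:space:]]*\).*/\1/p" | head -n 1
}

# Exit 0 if the DMARC record rejects failing mail for the domain and its
# subdomains at full volume: p=reject, sp absent or reject, pct absent or 100.
dmarc_is_strict() {
    rec="$1"
    case "$rec" in
        "v=DMARC1;"*) ;;
        *) return 1 ;;
    esac
    p=$(dmarc_tag "$rec" p)
    sp=$(dmarc_tag "$rec" sp)
    pct=$(dmarc_tag "$rec" pct)
    [ "$p" = reject ] || return 1
    [ -z "$sp" ] || [ "$sp" = reject ] || return 1
    [ -z "$pct" ] || [ "$pct" = 100 ] || return 1
    return 0
}

# Constructed samples, as a TXT lookup would return them.
SPF_STRICT='v=spf1 ip4:192.0.2.10 ip6:2001:db8::25 -all'
SPF_SOFT='v=spf1 include:_spf.example.net ~all'
DMARC_STRICT='v=DMARC1; p=reject; rua=mailto:dmarc@example.com'
DMARC_MONITOR='v=DMARC1; p=none; rua=mailto:dmarc@example.com'
DMARC_PARTIAL='v=DMARC1; p=reject; pct=50'
```

The `sp` and `pct` checks matter: a record can say `p=reject` and still leave subdomains unprotected or apply the policy to only half the mail, which is exactly the kind of half-configured state the post complains about.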
Microsoft's attitude towards security is really bad. I don't think they've really thought about this. Prompting repeatedly for passwords may seem to make the system safer: we check all the time that the user is right and knows the password. But there's a drawback they seem to forget. Users learn that the system asks for the darn password all the time. You'll end up keeping it in Notepad and the clipboard so you can just copy-paste it when "another popup comes up". Which also leads to a situation where users are so used to this process that they aren't even interested in what the popup says. I just want to get rid of this. End result? -> Any scam asking for the password will also be "automatically" successful. - Yeah yeah, whatever, password. - This is probably related to the TPM failure.
It seems that this annoying, massive Microsoft Windows TPM (@ Wikipedia) failure also affects data encrypted with NTFS / EFS. Users are unable to read their EFS-encrypted data. I think I've got nothing positive to say about this.
Funny, it seems that the LUKS2 (@ Wikipedia) format uses argon2i (@ Wikipedia) as the default password-based key derivation function (PBKDF) (@ Wikipedia), and it uses so much memory that it won't work even on systems with 8 GB of RAM. That kind of sucks. Well, you can always fall back to pbkdf2 by using the --pbkdf option. Or limit the memory used by key derivation with the parameter --pbkdf-memory 256. - Phew, both options work.
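Both fixes above trade memory-hardness for the ability to unlock at all. An added example (not from the post) that makes the trade-off explicit: size the Argon2 cost from the memory the unlocking environment reports instead of accepting the default, and only drop to pbkdf2 when there is genuinely too little to spend. Note the unit: `--pbkdf-memory` takes kilobytes, so the post's 256 is 256 KiB, which keeps the volume unlockable but leaves almost none of Argon2's memory cost. The 64 MiB floor and the quarter-of-available budget are this example's own choices, not cryptsetup defaults.

```shell
#!/bin/sh
# Added example, not from the original post: pick cryptsetup PBKDF options
# that fit the memory the unlocking environment actually has, instead of
# letting the Argon2 default choose a cost the system cannot satisfy.
# Memory figures are in KiB, the unit --pbkdf-memory uses.

# Print the KiB the kernel reports as available (MemAvailable in /proc/meminfo).
mem_available_kib() {
    awk '/^MemAvailable:/ { print $2; exit }' /proc/meminfo
}

# Floor below which Argon2 buys little, so fall back to pbkdf2 (64 MiB).
# This threshold is the example's own choice, not a cryptsetup default.
MIN_ARGON_KIB=65536

# Choose PBKDF flags for a given available memory (KiB).
# Argon2i (the page's default variant; argon2id is also accepted) is kept
# whenever at least MIN_ARGON_KIB can be spent, with the cost capped at a
# quarter of what is available; otherwise fall back to pbkdf2, which needs
# no large memory block but loses Argon2's memory-hardness.
pbkdf_flags() {
    avail_kib="$1"
    case "$avail_kib" in
        ''|*[!0-9]*) echo "expected available memory in KiB as an integer" >&2; return 1 ;;
    esac
    budget=$((avail_kib / 4))
    if [ "$budget" -ge "$MIN_ARGON_KIB" ]; then
        printf '%s\n' "--pbkdf argon2i --pbkdf-memory $budget"
    else
        printf '%s\n' "--pbkdf pbkdf2"
    fi
}

# Build the luksFormat command line for a device. Printing rather than running
# it keeps the script safe to execute anywhere; the operator runs the output.
luks_format_cmd() {
    dev="$1"; flags="$2"
    printf 'cryptsetup luksFormat --type luks2 %s %s\n' "$flags" "$dev"
}

# Usage on a real host (device path is a placeholder):
#   luks_format_cmd /dev/sdX "$(pbkdf_flags "$(mem_available_kib)")"
```

Measure in the environment that will actually unlock the volume (an initramfs has far less to spend than the booted system), since that is where the default cost fails.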
Overall, WPA-3 (@ Wikipedia) replaces the four-way handshake with a more secure version (‘dragonfly’) — named Simultaneous Authentication of Equals (SAE) (@ Wikipedia).
Updating Ubuntu (@ Wikipedia) 18.04 -> 20.04 went as expected. IPv6 routing broken, some mounts broken, Nginx broken... And so on... So annoying. Every time you install an upgrade, you'll have to reserve at least one week to troubleshoot everything that fails after it. Now it's temporarily working, but if I reboot the server, everything is broken again. - As mentioned earlier: yes, you can do nice things, but everything you do will end up as an endless amount of constant maintenance work. So, if it doesn't work with default settings, it's probably not worth it. Never change anything, just use defaults. Or if you can avoid using something completely, that's even better.
Very carefully examined some backup processes and made them considerably more sabotage-proof. But I can't go into any more detail about this. In this case, part of the security is via obscurity, which means it's better that the details are mostly unknown and undocumented. Isn't that the classic approach?
Read about COVID-19 (@ Wikipedia) vaccines like: ["mRNA-1273: Moderna", "AZD1222 (ChAdOx1 nCoV-19): AstraZeneca", "Ad5-vectored COVID-19: CanSino", "BNT162b1: BioNTech"]. Of course there are many other projects as well.
2021-09-12