Test Equipment Anonymous (TEA) group therapy thread

[Mr. Scram]

cloudflare? Seriously? Insiders name them "clownflare".

https://blog.fefe.de/

Sorry, it's in German but one can follow the links.

- Key extract with Heartbleed at cloudflare: https://twitter.com/indutny/status/454773820822679552
- TOR and Cloudflare: a very bad idea: https://blog.torproject.org/trouble-cloudflare
- Cloudbleed: https://bugs.chromium.org/p/project-zero/issues/detail?id=1139
- using 1.1.1.1 (or 8.8.8. is a very bad idea if you are interested in your privacy.
  Same goes with this pilot project with Firefox and encrypted DNS.
- DNS outage at cloudflare: https://ianix.com/pub/dnssec-outages/20190321-www.cloudflare.com/
- another nice cloudflare outage which caused millions of websites going down: https://metro.co.uk/2019/07/02/cloudflare-outage-means-websites-including-detector-10103471/

I'm staying away from cloudflare as far as I can.

I can believe there being issues with such a large party but I don't know of any specifics. Cloudflare claims not to log anything. Can you elaborate on the privacy issues?

[bd139]

They MITM all the DNS and HTTP traffic by nature of what they do. Thus they are party to that on demand of the US gov potentially. Or if one day they suddenly change their terms.

[Mr. Scram]

They MITM all the DNS and HTTP traffic by nature of what they do. Thus they are party to that on demand of the US gov potentially. Or if one day they suddenly change their terms.

Sure, that's fairly obvious. If it's US based and such a big actor it's a juicy target. Or partner. I thought maybe there were some more concrete examples of logs being collected or something.

[bd139]

No they had a major fuck up though which leaked data https://en.wikipedia.org/wiki/Cloudbleed

[worsthorse]

As for secure DNS, the best solution is go full 1990 and use the hosts file. 

(Yeah, I see that tongue-in-cheek, but I'm on a rampage here, so you get to tag along  )

As I was involved in the development and deployment of RFC 4034/4035 secure DNS, I beg to differ. 

I recommend turning validation on.

Further, the people behind Pi-hole are as far as I can tell trying a bit too hard to help. There is no option to not forward queries to another full service resolver.   I think that this is a very important feature which is missing in Pi-hole. And they sortakinda gloss over the possibility of having the option, by stating that such a forwarder is required . Someone is wrong on the Internet. Today again. 

And, they're using dnsmasq. I can't recommend dnsmasq. Not when the clearly superior unbound exists. Even before unbound, there was BIND. Which is much better than dnsmasq, but not as good as unbound. (And I'm not even starting to talk about PHP, a "language" that is banned from my computers.)

Yeah, worsthorse, I'm throwing spanners in your thought process. Sorry. I think you'll be fine using it, but I, being sort of in the middle of it, am setting higher standards for my own systems. A rabbit-hole, as good as any TE one...

No worries about the spanners, I appreciate the help.

I am always balancing my well-developed black helicopter paranoia against my lack of experience in complex computer system administration, which i fear will cause my network to be infested by five or six botnets or worse.  I do all the stuff I can that I am reasonably sure won't make things worse and take on new stuff, like pi-hole, as I have time to learn how to make it work well enough that I don't have to worry about it. I am clearly not deploying an industrial grade network here, just trying to wall us off as I am able from evil corp and the gummint.

[jjoonathan]

They MITM all the DNS and HTTP traffic by nature of what they do. T

Well, you have to get your DNS from somebody, and they will know what they are giving to you. The big American ISPs don't just let big brother watch, they also sell your requests and put their own ads in place of NXDOMAINs. If you ask me, cloudflare and google are still a step above even if they still sell the data and let big brother watch, so long as they don't mess with NXDOMAINs. Leads on DoH services that don't sell your requests and/or don't let Big Brother watch would, of course, be constructive and appreciated. I just think it's a bit ungrateful to complain that an improvement you're getting for free doesn't go far enough.

Ditto for the Poettering-pocalypse. Yeah, it's annoying as hell when he steps on your toes (the last time it affected me was when systemd-resolved broke dig +trace without an explicit server argument) but on the whole I'm glad it's happening. Name services always should have been handled per-link and per-service and always should go through a system wide cache layer that knows about links going up/down/reconfiguring for cache flushing purposes. /etc/resolv.conf, /etc/nsswitch.conf, and in-process glibc name resolution were always a bad fit for the modern network environment with complications like mDNS, NBT, and split-horizon resolvers from VPN connections and I'm glad somebody addressed that, even if I have to suffer a very minor inconvenience to obtain the benefits of said modernization.

Same goes for systemd as a whole. Compare the pile of RC scripts and runlevels in an old distro with the systemd units in a new distro. Are you really going to argue that declaring dependencies through a distro-specific mishmash of runlevel numbers, RC script precedence hierarchies, serialization scripts, file name alphabetical ordering, magic files, unparsed script comments, parsed script comments, and sleep <magic time> is better than having each unit declare a Require= line? Or that letting every service reinvent supervisory restart, centralized search/compressed/forward-secure logging, start-on-demand, and dependency watching in 5 different ways so as to maximize bugs and minimize knowledge transfer is a good idea? I sure wouldn't. I love being able to get all of that with at most a line or two in a unit file, rather than 30 lines of shell script and a trip every other month through TTY archana, and I *especially* love that the knowledge I gain by doing so instantly translates to all of the other services on my box.

Besides, doesn't it just make you smile every time you

Code: [Select]

journalctl -fu misbehaving-unit or, when things get really rough,

Code: [Select]

journalctl -fk? No? Just me?

[bd139]

My argument is basically not systemd and nothing based on DBus. Anything that fucknugget has touched needs to be burned with fire. That’s as far as it goes. Oh and something which doesn’t require strace to be installed when it goes wrong  . Windows got it more right and that’s saying something.

Still 5 days to go on my next TE purchase. Am getting impatient. Why do these people have to use auctions!

[mnementh]

   And Now for something Completely... On Topic!



Newly-restored Luxo Terea task light working great and looking sexy on my TEA bench.  The natural white LEDs actually make reading transflective LCDs like on the 189 a lot better ; the segments look much crisper and easier to read even without my glasses on, as I often do when poking around a PCB.   

$20 Corsair HX850 is just fabulous; fan spins for half a sec when it first turns on then dead-still. Wish I could say the same for the Intel DX58S0 MB & XEON W3670 CPU; I can't seem to get any POST or BIOS video on the screen, it just sits there and occasionally the HDD light blinks at me. Tried 3 different GPUs every which way in 3 different slots; no joy. Docs say it should generate beep codes for no memory/memory config error or for no video/video config error; It'll give memory error beep code if I try to boot with no RAM, but not if I try to boot without GPU.

After letting it sit powered up for 15 min, chipset/RAM/VR/CPU are warm but not hot, so it's doing SOMETHING... just not willing to report to the outside world.

I've double and triple-checked all the obvious bugaboos... beginning to think duff MB and/or processor.

mnem
Time for the Sledge-0-Matic...

[bd139]

Nice job with the lamp. That looks excellent. 

As for board: eBay spares/repair "removed from working PC but now untested" $100 

That is one reason I refuse to buy components off eBay. You just don't know. Especially gaming stuff which tends to be owned by the sort of person who rags their hardware hard

[Mr. Scram]

Nice job with the lamp. That looks excellent. 

As for board: eBay spares/repair "removed from working PC but now untested" $100 

That is one reason I refuse to buy components off eBay. You just don't know. Especially gaming stuff which tends to be owned by the sort of person who rags their hardware hard

I don't really care about how the hardware was used. I care about idiots assembling and disassembling hardware in the worst ways possible. Much more potential for damage, often subtle enough to be a time sink. One good zap is worth hundreds of thousands of hours of load.

[Specmaster]

All of this paranoia over who is watching your web browsing habits, same goes for smart TV's and speakers, Microsoft, Google etc, people making up their own DNS servers etc always makes me smile and I instantly think of this  

[Mr. Scram]

All of this paranoia over who is watching your web browsing habits, same goes for smart TV's and speakers, Microsoft, Google etc, people making up their own DNS servers etc always makes me smile and I instantly think of this  

Paranoia suggests uncertainty.

[Cerebus]

They MITM all the DNS and HTTP traffic by nature of what they do. T

Well, you have to get your DNS from somebody, and they will know what they are giving to you.

No, you don't "have to get your DNS from somebody". If you run your own resolving DNS server you don't 'get your DNS' from anybody.

When you do that all anyone else can see of your queries (short of wiretapping all your DNS traffic) is the queries you send out to the authoritative DNS servers for the root and the domains you want to contact (that includes the servers for domains that delegate to them e.g. a nameserver for ".com" if you are making a lookup on "random.com"). As you are looking them up presumably to access them that's not exactly a significant data leak.

[mnementh]

Nice job with the lamp. That looks excellent. 

As for board: eBay spares/repair "removed from working PC but now untested" $100 

That is one reason I refuse to buy components off eBay. You just don't know. Especially gaming stuff which tends to be owned by the sort of person who rags their hardware hard

I don't really care about how the hardware was used. I care about idiots assembling and disassembling hardware in the worst ways possible. Much more potential for damage, often subtle enough to be a time sink. One good zap is worth hundreds of thousands of hours of load.

Thanks for the props on the lamp.

Naaahhh... CAD$10 for the MB from The Thrift and CAD$25 for the processor off AliEx. I'll get my money's worth from the MB just in components; I knew I was taking a gamble buying a XEON from some random Chinese vendor, but wasn't willing to risk more than that.  I was more than a bit annoyed to find it came wrapped in plain white EPP foam, however. 

I bought my last GPU off eBay... a LNIB Radeon RX580 for US$138 shipped over a year ago now. I snagged it right when the bottom fell out from under GPU mining; I could STILL sell it for a profit.

Seems weird that everything on the DX58S0/XEON acts like it's doing something tho... I plan to tackle it again tomorrow with a fresh mind; look again for something stupid I overlooked.

mnem
*tzzzzt*

[beanflying]

It is getting to the point where secondhand older CPU/MB combos maybe aren't worth the pain and lack of upgrade path. Not sure how widespread they are yet but the Ryzen 1600 AF is apparently selling for $70 USD and performs toward the last gen 2600. Plenty of current or secondhand B450 MB's out there and depending on the board still a good CPU upgrade path later.

[mnementh]

Naaah... you guys got me all wrong on this. I was just curious about this old MB; I knew it was as old as my 1055T when I got it. I just wanted to see if it would chooch, man. 

I’ll make one last sortie on it again tomorrow; if it comes up cool, if not I get the soldering iron out and start depopulating the board. I’ll make a nice shelf ornament of the INTEL INSIDE YOUR BRAIN logo’d chip cooler. 

mnem
*knocks self unconscious with a dead ThreadRipper*

[mansaxel]

They MITM all the DNS and HTTP traffic by nature of what they do. T

Well, you have to get your DNS from somebody,

No. As Cerebus wrote, when you are running a FSR yourself, you have the most direct and unencumbered view of the namespace possible, which is a big thing. Think of it as Kelvin clamps for DNS. With the added benefit that you make the task of assembling a complete picture of your whereabouts much more expensive. The government also has a budget. They will have to prioritise. Making yourself expensive makes you uninteresting, to a point where your measures will attract attention, of course.

and they will know what they are giving to you. The big American ISPs don't just let big brother watch, they also sell your requests and put their own ads in place of NXDOMAINs. If you ask me, cloudflare and google are still a step above even if they still sell the data and let big brother watch, so long as they don't mess with NXDOMAINs. Leads on DoH services that don't sell your requests and/or don't let Big Brother watch would, of course, be constructive and appreciated. I just think it's a bit ungrateful to complain that an improvement you're getting for free doesn't go far enough.

The landscape is different in different legislations. In Sweden, I'd argue that your ISP's resolvers are almost as good as your own dedicated FSR (which, given unrestrained Internet reach, I argue are the absolutely best). Our telecom laws require the operator to maintain the privacy of the customer, and only allow the government access with a court order. In USA, or UK, not so much. For above reasons. There Cloudflare, which in our case is worse, will come out on top bar your own FSR.

Ditto for the Poettering-pocalypse. Yeah, it's annoying as hell when he steps on your toes (the last time it affected me was when systemd-resolved broke dig +trace without an explicit server argument) but on the whole I'm glad it's happening. Name services always should have been handled per-link and per-service and always should go through a system wide cache layer that knows about links going up/down/reconfiguring for cache flushing purposes. /etc/resolv.conf, /etc/nsswitch.conf, and in-process glibc name resolution were always a bad fit for the modern network environment with complications like mDNS, NBT, and split-horizon resolvers from VPN connections and I'm glad somebody addressed that, even if I have to suffer a very minor inconvenience to obtain the benefits of said modernization.

Same goes for systemd as a whole. Compare the pile of RC scripts and runlevels in an old distro with the systemd units in a new distro. Are you really going to argue that declaring dependencies through a distro-specific mishmash of runlevel numbers, RC script precedence hierarchies, serialization scripts, file name alphabetical ordering, magic files, unparsed script comments, parsed script comments, and sleep <magic time> is better than having each unit declare a Require= line? Or that letting every service reinvent supervisory restart, centralized search/compressed/forward-secure logging, start-on-demand, and dependency watching in 5 different ways so as to maximize bugs and minimize knowledge transfer is a good idea? I sure wouldn't. I love being able to get all of that with at most a line or two in a unit file, rather than 30 lines of shell script and a trip every other month through TTY archana, and I *especially* love that the knowledge I gain by doing so instantly translates to all of the other services on my box.

There are good intentions, if neither reasons nor good judgement of needs hiding under the manure stack of bad implementation, ignorance and annoying behaviour that is Pøtteringland. That much is true. The rest, not so much.

• Name services should NEVER be handled per link for a end host. DNS is a global thing. Anything else is madness.
• Name services should NEVER be handled per service. This shit brought us DoH.
• Pœttering does not understand DNSSEC. It is hard. I've been in the middle or in the fringes of it for 20 years. I still have to think about it, but  the "implementation" in systemd uses non-secure messages without tampering proofing over dbus to convey answers to applications. 
• The system resolver "implementation" in systemd uses custom XML-formatted transport for RRs, again over dbus, that are not transparent to new RR types, adding to the shitstorm of bile and vomit that is typesquatting (all new uses of DNS are figured out by people who believe that new resource records are impossible to implement, leading to metadata in TXT records. Case in point SPF.)
• Binary logs. WHODAFUCK.
• "But it boots fast!" Like I fucking care.
  

  
  $ uptime 
   07:38:43 up 492 days,  8:29,  1 user,  load average: 1,25, 1,20, 1,24
  

  
  
• Solaris (which was really good until Oracle bought Sun) has SMF, and AIX has SRC. Those are boot done right. systemd can't even touch those in stability and correctness.  If systemd was ONLY a boot script substitute instead of a complete userland experience attempt, I'd be more inclined to accept it.
• Now, a lot of applications are so entangled in the perverse pervasiveness that is Pötteringland that us people who want comprehensible computers are left out, and porting applications from Linux to other more free and higher-quality operating systems like *BSD becomes harder.

Yeah, I don't like that shit. Hope I made it clear.

Besides, doesn't it just make you smile every time you

Code: [Select]

journalctl -fu misbehaving-unit or, when things get really rough,

Code: [Select]

journalctl -fk? No? Just me?

No, I get that. Solaris and AIX can do that. AIX starting 1994, IIRC. And working software does not misbehave. 

[Zucca]

Thank mansaxel, bd, horse, Cerebus and the others for the DNS discussion. I really enjoing it, sorry for the others who were annoied by that.

Temped to open a new thread just about that in the "Computing" section, this is so much value it can't be stay hidden in the TEA, or yes it must stay here 

[beanflying]

As a lot of the DNS stuff went over my head for a start I chose to un see it to save my remaining Brain Cells for other things 

For us owners of 419A's or for others wanting to know about photo chopper circuits and why they are a PITA here is an option to remove one. Just a slightly annoying thing that seems to be creeping in is the subtle niggling to join up his patreon account too on maybe 8-10 occasions through the video. Once is plenty and a link is fine too

[grizewald]

• "But it boots fast!" Like I fucking care.
  

That's the thing though: it doesn't!

My laptops (work and private) all run the latest Linux Mint as their base OS. With every release, the systemd mediated boot process becomes more and more inconsistent with boot times from "fast" to "what the fuck is it doing?!".

I'm seriously contemplating moving to Devuan.

[grizewald]

Shouldn't be this far of..

(Attachment Link)

...

This is how volt-nuttery starts, isn't it? Who's to blame? Meter or reference? I must buy more stuff, obviously...

Without doubt, the reference is the problem. I have one of those, from RoadRunner here on the forum which was adjusted by him to 10.00000V before he posted it to me.
The day before yesterday, I put it on the calibration lab's Fluke 8508A and it read 10.0005275V.

Heh, well, I don't know. The order of magnitude of the difference isn't that far of what one might expect from a few years out of cal instrument.

On the other hand, I had some Fluke 8842s around some time ago and they also pointed to an offset of the reference as well...

I'd trust your meters. Putting some closed cell foam around the legs of that LM399 and putting the whole thing in a box will help with stability, but not drift. My gut feeling is that the drift comes from the trim pot used to adjust the reference to 10.00000V and the two other resistors which set the output voltage. I don't see that the fixed resistors are low TCR parts, and the trim pot is never going to deliver single PPM drift the way it is used.

Of course, if you really need a totally stable reference, it's time to get your order in at your favourite component supplier and build yourself one of these:

[AVGresponding]

Functioning on 3 hours sleep after a double shift, so if I make some odd typos, please bear with me...

w10 boots pretty fast for me, though I can't say that I've found a hugely productive use for the 20 seconds or so I'm saving compare to w8. I still have the bizarre gfx resolution issues, not had time/inclination to swap out the 1060 for the GT210 as yet.

If you're really concerned about traffic analysis, and avoiding attention from trying to make it hard by running your own FSR, your best bet is a combination of misdirection and indirection.

Hermes have 2 parcels for me today, I'm guessing one is the 7150, hoping the other is graphic equaliser I won on a maiden bid from some French seller and which has not been fast to show up   

And NO, I'm not an audiophool, and yes, GE's do have a place in a hifi setup!   

It's all very well to say that a perfect amp has no need of any tone controls, well, good luck connecting it to your perfect speakers that have a completely flat response across the entire audio (human) spectrum, and good luck having all that in an acoustically perfect room that has no resonances or dead spots, and good luck with your perfect hearing (especially once you get past 40 and/or like to pump out Frantic Euphoria and/or Metallica out of a 600W car stereo), and good luck finding that perfect turntable/tuner/CD player/tape deck to play your perfect recording on...

/rant

[bd139]

• "But it boots fast!" Like I fucking care.
  

That's the thing though: it doesn't!

My laptops (work and private) all run the latest Linux Mint as their base OS. With every release, the systemd mediated boot process becomes more and more inconsistent with boot times from "fast" to "what the fuck is it doing?!".

I'm seriously contemplating moving to Devuan.

This is one of the thousand reasons I run windows 10 on my desktop and laptop and just use virtual machines and EC2 to do my bidding on that side of things. Also Linux on high DPI laptops with power management and wifi that works consistently appears to be an impossibility.[/list]

[grizewald]

     o "But it boots fast!" Like I fucking care.

That's the thing though: it doesn't!

My laptops (work and private) all run the latest Linux Mint as their base OS. With every release, the systemd mediated boot process becomes more and more inconsistent with boot times from "fast" to "what the fuck is it doing?!".

I'm seriously contemplating moving to Devuan.

This is one of the thousand reasons I run windows 10 on my desktop and laptop and just use virtual machines and EC2 to do my bidding on that side of things. Also Linux on high DPI laptops with power management and wifi that works consistently appears to be an impossibility.

The sysadmins here have policies inspired by Stalin, so keeping my base OS as Linux lets me put Win10 in a VM, where I don't really care if I don't have admin rights on it.
I've never seen any trouble with WiFi on either laptop, or power management for that matter. Apart from booting and the impenetrable nature of systemd, it's a very stable and performant setup with lots more memory spare for VMs than if I had Win10 as the base OS.

[bd139]

For those of you in the UK or Europe, a thing to note. It's £1 listing weekend. That means that all the good shit is going to get listed and it's cheapest to sell your good shit to me at the moment. Go go go. Sell me your HP wares