
I would suggest the backlash would likely be due to the wording of your original comment.

You stated that "Programmer humor is really cringey."

Cringey is generally a negative sentiment and saying "is" implies that this negative sentiment is a generally accepted fact.

I'd suggest that humour is almost entirely subjective, and therefore attempting to suggest that any form of humour is objectively bad makes no real sense.

If you had said "I find programmer humor to be really cringey" you may well have received fewer negative reactions.


Reminder of what I wrote:

>outside of __our__ cringey humor, __we__ tend to be rather humorless and thin skinned

I appreciate you being constructive, but I thought the pronouns I used made it sufficiently clear that I consider myself as a part of this culture (and thus subject to the characterizations I made about programmer humor). Anyway, I do not mind the negative reactions, even though I may reply in disagreement.


Saying that you're part of the culture doesn't really remove the suggested universal negative, it just implies that you feel that you are part of that demographic.

The point I was going for was that I'd suggest that all humor is so subjective that it's impossible for a universal negative to apply.

In the same way that beauty is in the eye of the beholder, humour is in the ear of the listener.


Prefixing everything with "I think" or "I find it to be" is unreasonable. Of course it's subjective, and of course if someone says something is cringey, that's an opinion and it goes without saying.

Being a part of the group I was characterizing means my comment was not from some perceived position of superiority.

Anyway, I knew what I was getting myself into with that post.


Well, it's a view of the world that adding two words to a sentence is unreasonable, but (and this is just a suggestion) I think you'll find that you get less negative feedback if you make it clear when something is an opinion rather than a statement of fact.


Up Helly Aa isn't designed to capitalise on credulous foreigners, it's very much a festival for the local population of Shetland.

Apart from anything else, I can't imagine many people wanting to go to Shetland in January for a holiday :)


I've known people go up for the Up Helly!

I went to the one on Arran once, but I seem to recall it was in the Summer or Autumn. There was camping up the glen involved so it couldn't have been winter time.


If they like a drink (or several) and a party, indeed it's a good place to go.

I've been to Shetland 7-8 times for holidays, lovely place, but not really in the winter. Apart from anything else the crossings can be really rough, or cancelled altogether if the weather is bad.

I only did the ferry from Aberdeen once in really bad weather, they handed out leaflets to everyone getting on saying it was "at the passengers' own risk"!

Let's just say, even several of the crew were seasick on that voyage...


Savitech didn't rebel against control, they were just lazy in not revoking/limiting something they, by their own admission, did not need any more.

If you don't want to participate in mainstream computing with its certificate authorities and authoritarianism, there are always alternatives for you to use.

Use Linux, use hardware which focuses on freedom and privacy, these options are freely available.


That looks like an interesting guide :)

One thing you might want to add is a bit of a warning about the risks of exposing a Docker daemon to the network with tlsverify=false as that would enable anyone who can reach the port on the network to run docker commands and likely take over the host OS.
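As an added example (not code from the guide being discussed or from the Docker project), a small Python audit that flags a dockerd listening on a non-loopback tcp:// address without tlsverify, reading both daemon.json and the dockerd command line; the sample inputs below are constructed.

```python
import json
import shlex
from urllib.parse import urlsplit

# Constructed sample inputs (not taken from any real host): a daemon.json
# and a dockerd command line as it might appear in a process listing.
SAMPLE_DAEMON_JSON = (
    '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],'
    ' "tlsverify": false}'
)
SAMPLE_CMDLINE = ("dockerd -H fd:// -H tcp://0.0.0.0:2376 --tlsverify"
                  " --tlscacert=/etc/docker/ca.pem")

def parse_cmdline(cmdline):
    """Return (hosts, tlsverify) from dockerd's argv.
    Handles -H/--host in space and '=' forms and --tlsverify[=bool]."""
    hosts, tlsverify = [], False
    args = shlex.split(cmdline)
    i = 1  # skip argv[0]
    while i < len(args):
        a = args[i]
        if a in ("-H", "--host") and i + 1 < len(args):
            hosts.append(args[i + 1])
            i += 2
            continue
        if a.startswith(("-H=", "--host=")):
            hosts.append(a.split("=", 1)[1])
        elif a == "--tlsverify":
            tlsverify = True
        elif a.startswith("--tlsverify="):
            tlsverify = a.split("=", 1)[1].lower() == "true"
        i += 1
    return hosts, tlsverify

def parse_daemon_json(text):
    cfg = json.loads(text)
    return list(cfg.get("hosts", [])), bool(cfg.get("tlsverify", False))

def exposed_tcp_without_tls(hosts, tlsverify):
    """tcp:// listeners that are reachable beyond loopback and do not
    require client certificates: anyone reaching the port gets root-equivalent
    control of the host."""
    findings = []
    for h in hosts:
        u = urlsplit(h)
        if u.scheme != "tcp":
            continue
        addr = u.hostname or "0.0.0.0"   # "tcp://:2375" means all interfaces
        if addr in ("127.0.0.1", "::1", "localhost"):
            continue
        if not tlsverify:
            findings.append(h)
    return findings

def audit(daemon_json_text, cmdline):
    # dockerd rejects 'hosts' set in both places; audit each source on its own.
    hosts, tv = parse_daemon_json(daemon_json_text)
    chosts, ctv = parse_cmdline(cmdline)
    return {"daemon.json": exposed_tcp_without_tls(hosts, tv),
            "cmdline": exposed_tcp_without_tls(chosts, ctv)}
```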


I guess it depends on what you consider high profit. From https://techcrunch.com/2017/05/18/patreon-pushes-as-youtube-... looks like Patreon has 50k creators and 1M+ patrons.

The challenge could well be that whilst they're growing and making money, they're not making enough money to satisfy their VC backers, having taken $47m in funding so far.


Do you think there's any benefit in reduced log noise making a serious attacker more obvious to SoC analysts?

I.e. if I run SSH on 24956/TCP and start seeing attacks, it's a fair bet this is targeted (someone has taken the time to do 65K port scans, not common for untargeted attackers), so it's a stronger signal for the blue team to look at that activity more closely than the noise on 22/TCP.


It’s worth noting that running sshd above port 1024 on most systems adds the risk that non-root users can bind their own process to its port if they can crash it or wait for it to crash, and if you break into the ephemeral range, you’re risking non malicious conflicts as well.


Run sshd on port 22, use pf to redirect a high port down.


A malicious local user is a slightly different threat model though, with a number of other possible controls.


There are a number of controls available for pretty much every threat model, so I’m not sure what you’re claiming about my point that using a non-privileged port adds risk to the system that would need to be accepted or dealt with.


So to elaborate. Many Internet facing systems are application servers (e.g. web servers). They typically have very few local users, administrative/Ops staff are the primary users.

At that point an attack requiring the ability to execute arbitrary code on the host as a local user is possibly less relevant as, if an attacker is in that position, they likely have a number of other options to further their goals.

The reason I made the comment about alternate controls, is that the original discussion and point I was making revolved around Internet focused attackers, rather than local attackers, so it's not too surprising that I didn't try to cover that case :) No sinister intent, honest!

Heck, however, if we want to then let's theorize that I can just use some form of firewall to port forward the high port that's presented externally to 22/TCP internally to get the best of both worlds, both a less visible external service and an internal port that requires root to bind.


Gotcha. All valid points, and I’m a big fan of firewall-based port rerouting like you describe.

I agree that an attacker who gets code exec on an app server is in a pretty fun spot already, and has a lot of different paths to escalate/persist/etc that don’t involve misuse of your ssh daemon's port.


I don't think it gives you nothing. As an example, say a 0/1-day gets dropped and someone starts compromising systems.

You're trying to get round your estate ensuring patches are in place, but that takes time.

The bots are starting with the low hanging fruit, systems on default ports.

Being not on a default port helps, by buying you more time to react.


So to me the answer there might be to address the complacency which is the real problem and not remove obscurity ...

The idea of revealing all to improve paranoia rather sounds like the idea of attaching a sharp spike to your steering wheel to encourage safe driving :P


That idea might not actually be all that far-fetched. IIRC there have been a couple studies suggesting that some safety features on roads (e.g. safety rails, lights, etc.) might actually cause an increase in the number of car crashes because drivers become complacent and less paranoid about accidentally driving off a cliff.


eh?

Running a service on an alternate port is generally extremely easy to do and has several benefits:

1) It makes it easy to pick out the serious attackers. If you run SSH on 34985/TCP for example and start getting password brute force, you've got an idea it's a targeted attack, whereas on 22/TCP you get hammered by dumb bots all the time.

2) If someone is slamming round as fast as possible popping boxes with an 0-day they'll likely only bother with default ports (e.g. SMB worms, they compromised a lot of systems, but only on default ports)


There are start-ups in the "hearable" marketplace. Things like https://www.nuheara.com/ have products out already and there's various ones like http://www.waverlylabs.com/ coming along focusing on things like instant translation as well as hearing augmentation.

Of course whether they'll all just get steam-rollered by Apple/Google is another matter...

