
Not to mention this should not even be required given the supreme court struck down the vaccine mandate for everything except medicare/medicaid facilities. [1]

[Edit] Apparently federal facilities were not challenged. So only struck down for businesses.

[1] - https://www.reuters.com/world/us/us-supreme-court-blocks-bid...

> Not to mention this should not even be required given the supreme court struck down the vaccine mandate for everything except medicare/medicaid facilities

There were at least three federal mandates:

(1) Federal workforce, (2) Federally-funded healthcare facilities, (3) Large businesses

In recent Supreme Court decisions in cases challenging #2 and #3, #3 was struck down and #2 was upheld, #1 was not challenged in those cases.

This database is concerned with #1, since it's an employee database for an agency within the federal government (hence the Federal Register notice for the employee database.)

This mandate covers far more than federal employees. In this case, the mandate covers even contractors working for companies that have a federal contract in place, even if they or even their division has nothing to do with the contract.

E.g., several big banks are covered by #1, the way it is written. These banks have as their contractors large consulting companies, which now enforce on their end.

Thank you for the clarification and correcting my misunderstanding.

If your accounting and marketing team are using a mail provider that DKIM signs their emails that would be the most standard and widely adopted method I know of. Each mail provider has different options for what to do with DKIM validation results but most will allow for quarantine, reject, put in a folder, or do nothing based on DKIM/SPF/DMARC results and based on the DMARC rules you create for your domains.

LearnDMARC [1] was posted here recently and can show you how this is validated.

[1] - https://www.learndmarc.com/

I forward skype-in VoIP to wherever or voicemail. Verizon is going to kill my prepaid flip phone in December 2022 so I need to find a new flip phone that can do 4G at least. It's harder now that Walmart and similar stores are a few hours drive away. To be phone free I just power it off.

For navigation I have 2 portable GPS navigation systems. A really old one that I just can't get myself to throw away and a recent Garmin. If that fails I stop and ask for directions and meet new people.

Something you may find useful to reduce the phone's attention-seeking behavior is to find a way to disable all sounds on your phone. I don't know if smart phones can do this but my little flip phone can be entirely silent and I can set custom ring tones in the phone book for important numbers. If something is important from a number I don't have they can leave a voicemail.

I am looking forward to seeing a detailed list created by these doctors and scientists with time stamps from the interviews that counter or refute the statements with references, both for the interview of Dr. Malone and the interview with Dr. Peter McCullough. If there are alternate sides to the story then we should all have access to them and hear what the medical community has to say. Even better might be if the medical community put forth some doctors to be interviewed on these podcasts.

This. Rogan has had numerous pro-vax mandate doctors and guests on the show.

These scientists are free to ask to come on the JRE and share their views.

It seems unreasonable that listeners shouldn’t be allowed to hear any other viewpoints.

I don’t think it’s reasonable to ask someone to come on the show if they feel misinformation is being spread. A simple list of inaccuracies should suffice.

Here "other viewpoints" means advising to take poisonous, non-FDA-approved, ineffective horse tranquilizer instead of real medicine to fight a deadly disease during a pandemic.

Who advocated taking horse tranquilizer?

Are you referring to ivermectin?

What, you haven't heard of the ketamine early treatment protocols?

Hah. I might need to get in on that protocol

This kind of framing of the “information marketplace” is really really naive. It’s a good sound bite because “who could be against the free expression of ideas” but assumes a world without market distortions caused by people with disproportionate reach and impact.

It’s really really stupid for someone with a huge audience to bring on an anti-vax nut job and uncritically interview them because simply being on the show at all lends their message legitimacy — “this person who I trust to curate content says this is a voice worth listening to.”

The message isn’t “you shouldn’t be allowed to listen to their viewpoints” but “what the fuck Joe, you basically endorsed these idiots and people actually listen to you.”

There's no shortage of media in the information marketplace promoting the pro-vaccine, pro-mask, and pro-lockdown points of view.

Based on the original news coverage I thought this mob was just a few clown youtube activists leading a bunch of angry protesters. Someone here on HN corrected me and, digging a bit deeper, it appears that the corporate news missed a lot of details.

It turns out that everyone knew who would be there, what weapons they would have and their intentions. The only thing they got wrong AFAIK was the clothing. The militia that usually wear Hawaiian shirts were in plain clothes but they were still spotted instantly. Here is a documentary that covers this fairly well and everything leading up to it. [1] No covert communications. The militias were using public podcasts and social media sites to communicate and coordinate with one another and people were using machine learning to predict their actions quite accurately.

The bit I don't quite understand is why the White House had only a normal contingent of police in standard gear. These police were barely equipped to deal with a Black Friday sale at Walmart, much less a massive mob with some militia stirring them up.

[1] - https://www.youtube.com/watch?v=v22xC09WSVc

Correct. For that you would populate the variable TMOUT with a positive number in seconds and make that variable read-only:

  grep ^read /etc/profile.d/timeout.sh
  readonly TMOUT=7200
This variable can also be set in tmux and gnu screen. People usually figure out fairly quickly how to bypass the timer but it is handy when people console into servers via the drac/ilo and forget to log out. Some shells don't do anything with TMOUT so a bastion must only have vetted shells.

Good write-up. One thing I would add for bastions if you wanted to harden them would be to disable session multiplexing if you are using MFA/2FA.

  MaxSessions 1
The default is 10. The plus side of multiplexing is that subsequent connections using the same ssh connection channels are not validated against the authorization mechanisms such as login or 2FA. This reduces friction and speeds up the login process because login is not actually occurring. The trade-off of multiplexing is that all subsequent logins using that ssh connection are not logged nor are they validated with MFA. This means a person phishing your team members can easily hijack their connections without needing a password or 2FA and there are no lastlog entries. SSH Session multiplexing combined with passwordless sudo makes taking over a company trivial even if they have 2FA and strong passwords.

Another risk with a bastion model is port forwarding. As an organization you have to decide what is appropriate for that bastion. Unrestricted forwarding? Restricted? Denied?

  AllowAgentForwarding                    no
  AllowTcpForwarding                      yes
If this bastion is for a PCI environment then one may want tighter restrictions. If it is for a development environment then maybe fewer restrictions and just better auditing on each host to enable forensic remediation.

If your bastion is also used for automation to drop files into a staging area, you can limit that automation to file transfers and even limit what it may do with files. This prevents the automation from having a shell or performing port forwarding.

The keys should be outside of the home directories to prevent malicious tools from appending additional authorized_keys into the account. Make use of automation to manage key trusts and add a comment to keys to map them to an internal tracking system like Jira. This assumes your MFA/2FA is excluding specific accounts or groups via PAM and permitting the use of ssh keys with specific groups or accounts.

  AuthorizedKeysFile               /etc/ssh/keys/%u

  Match Group                      sftpusers
        Banner                     /etc/ssh/banner_sftp.txt
        PubkeyAuthentication       yes
        PasswordAuthentication     no
        PermitEmptyPasswords       no
        GatewayPorts               no
        ChrootDirectory            /data/sftphome/%u
        ForceCommand               internal-sftp -l DEBUG1 -f AUTHPRIV -P symlink,hardlink,fsync,rmdir,remove,rename,posix-rename
        AllowTcpForwarding         no
        AllowAgentForwarding       no
-P sets limits on what may not be done in sftp. -p does the inverse and limits what may be done. [1] -l DEBUG1 or VERBOSE will give you syslog entries of what commands were executed on the files. This is useful for audits. Some redundant settings above are also useful to set explicitly for audits.

Another thing mentioned in the article is iptables. In a PCI environment one may want to also have explicit outbound rules using the owner module to limit what users or groups are permitted to ssh out. So if your organization has a group of people allowed to use this host as a bastion, then one could write a rule like

  # 192.0.2.0/24 below is a placeholder destination; substitute your own CIDR
  iptables -I OUTPUT -m owner --gid-owner devops -p tcp --dport 22 -d 192.0.2.0/24 -j ACCEPT
Or specify what CIDR blocks, ports, and protocols may be used. You can use REJECT rules after this rule to make it obvious a connection was not allowed so that people do not spend hours debugging. This module is also handy for limiting which daemons may speak to your infrastructure. How strict or liberal the rule is depends entirely on the needs of your organization.

Lastly I would add that bastions should have as minimal an OS install as possible and have SELinux enforcing. Actions denied by SELinux should go to a security operations center after you spend some time tuning out the noise and false positives.

[1] - https://man7.org/linux/man-pages/man8/sftp-server.8.html
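As an added example (not code from the comment above or from the article it replies to), here is a small Python audit that parses an sshd_config, honouring sshd's first-value-wins rule and Match-block overrides, and checks the bastion settings discussed: MaxSessions, forwarding, keys outside $HOME, and the sftpusers block. The sample config and the expected-value tables are constructed for illustration.

```python
import re

# Constructed sample sshd_config, not from a real host: a global section plus the
# sftpusers Match block, carrying two of the weak settings discussed above.
SAMPLE_CONFIG = """
MaxSessions 10
AllowAgentForwarding no
AllowTcpForwarding yes
AuthorizedKeysFile /etc/ssh/keys/%u

Match Group sftpusers
    ChrootDirectory /data/sftphome/%u
    ForceCommand internal-sftp -l DEBUG1 -f AUTHPRIV -P symlink,hardlink,rename
    AllowTcpForwarding no
"""

# Values an MFA bastion should carry (assumed policy; sshd keywords are case-insensitive).
GLOBAL_EXPECTED = {"maxsessions": "1", "allowagentforwarding": "no",
                   "allowtcpforwarding": "no"}
SFTP_EXPECTED = {"allowtcpforwarding": "no", "allowagentforwarding": "no"}


def parse_sshd_config(text):
    """Return (global_opts, [(match_criteria, opts), ...]) with lowercased keywords.
    sshd uses the first occurrence of a keyword, so duplicates are ignored."""
    global_opts, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()            # drop comments and blanks
        if not line:
            continue
        key, value = (re.split(r"[\s=]+", line, maxsplit=1) + [""])[:2]
        key = key.lower()
        if key == "match":                              # start a new Match block
            current = {}
            blocks.append((value.lower(), current))
            continue
        (current if current is not None else global_opts).setdefault(key, value)
    return global_opts, blocks


def audit(text):
    """Return a list of findings; an empty list means every checked setting is hardened."""
    global_opts, blocks = parse_sshd_config(text)
    findings = [f"global {k}={global_opts.get(k, '<default>')}, expected {v}"
                for k, v in GLOBAL_EXPECTED.items() if global_opts.get(k) != v]
    if not global_opts.get("authorizedkeysfile", "").startswith("/etc/ssh/"):
        findings.append("authorizedkeysfile is not under /etc/ssh (keys live in $HOME)")
    sftp = next((o for c, o in blocks if c == "group sftpusers"), None)
    if sftp is None:
        return findings + ["no 'Match Group sftpusers' block"]
    effective = {**global_opts, **sftp}                 # Match overrides the global section
    findings += [f"sftpusers {k}={effective.get(k, '<default>')}, expected {v}"
                 for k, v in SFTP_EXPECTED.items() if effective.get(k) != v]
    if "chrootdirectory" not in sftp:
        findings.append("sftpusers has no ChrootDirectory")
    cmd = sftp.get("forcecommand", "")
    if not cmd.startswith("internal-sftp") or " -l " not in cmd:
        findings.append("sftpusers ForceCommand is not internal-sftp with -l logging")
    return findings
```

Running `audit(SAMPLE_CONFIG)` flags MaxSessions 10 and the global AllowTcpForwarding yes; the sftpusers block passes because its Match overrides inherit the global AllowAgentForwarding no.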

Thanks a lot, great hardening considerations.

It would be interesting to hear what you think of Keycloak.

Sorry I have never used it so I don't have an opinion. That looks like an oauth/openid/saml ssh integration?

Yes, and I have met it once at a huge Telco: while I was building my bastion host in AWS, a security architect installed this and used Keycloak as the policy engine to allow connections using SSH keys. It worked really well and also gave us very strong granular control on who could connect, and a great audit trail.

I wish we could save posts. So this reply is my method… thanks for the write up.

You can click the timestamp on a post, and then click the "favorite" link, and that'll add the comment to your favorites list (which I think would be https://news.ycombinator.com/favorites?id=whynotminot&commen... for you).

TIL! Thank you very much

See also the answer from mindcrime.

There's also one very important difference between those two:

- others can see your favourites.

- you can see both your upvotes and your favourites

so only use favourites for things you don't worry about others seeing.

I don't know if this is important for you but for a lot of people here it probably can be.

You can always just upvote the comment. Your profile page has a link to see comments (and stories) you've upvoted in the past. See:


Seems to be working for dns.

  dig +noall +answer @ns3.digitalocean.com -t ns digitalocean.com
  digitalocean.com.       1800    IN      NS      ns2.digitalocean.com.
  digitalocean.com.       1800    IN      NS      ns3.digitalocean.com.
  digitalocean.com.       1800    IN      NS      ns1.digitalocean.com.

  dig +noall +answer -t soa digitalocean.com
  digitalocean.com.       3600    IN      SOA     kim.ns.cloudflare.com. dns.cloudflare.com. 2263777094 10000 2400 604800 3600
They could probably point the https listener to a landing/parking page unless this is supposed to be a DoH endpoint, but I doubt that is the intention. Have you opened a ticket with them to inquire?

Had opened a ticket about the fact that one of our domains has mysteriously dropped from the internet even though no-one has touched the domain's config.

Figured this might be related but guess not (I'm admittedly kinda ignorant around the intricacies of DNS, hence the question mark in the title).

> one of our domains has mysteriously dropped from the internet

Well that's not good. Let's hope they have an audit trail that can tell you what went wrong. Without the details of your domain I could only guess. I'm sure they and cloudflare together could help you figure it out.

Should e-cigarettes be licensed as medicines?

Only if you also require regular cigarettes to be licensed as medicines, or if you want to create yet another illegal market.

The tobacco companies did a good job of making it harder to use vapes. History has made me heavily biased to see any attempt to make alternatives to tobacco harder to acquire something that must be in some way funded by big tobacco. I see that as a personal attack on a family member that has been trying to stay away from tobacco.

Covid-19 does not match the characteristics that the CCP are stating they wish to develop [1] in regards to targeted biological weapons. The closest I could see to calling covid-19 a targeted weapon would be against people that are already sick or have comorbidities. Otherwise at best it disrupts every economy to some degree. It has done a good job of dividing people, creating distrust, angst and anxiety, but I would argue that impacted China as well. I could however see a disgruntled lab tech that is angry at the world releasing it. People throw their lives away for far less impact all the time; think mass shootings. For a government to use this type of virus as a weapon would require first inoculating all of the people they value against it.

[1] - https://www.youtube.com/watch?v=biNxl7tiVSY [video]

Or “inoculating” those they don’t value after releasing it
