
Trainguyrom

@Trainguyrom@reddthat.com

Trainguyrom ,

I tried Graphene OS but my banking failed so back to stock Android

Any features in the mobile app that don't exist on the website? I've had good luck checking my bank balance and all sorts of other things through Firefox on Android - pre-edit: I missed that it was app only. That sucks.

For browsing on Android I use Mull, and on my Android Proton VPN is always on. I visit twitter and twitter occasionally but always through Mull browser.

The VPN really doesn't do much at all for privacy. It just moves the point of trust from the service provider for the current network to the VPN provider, plus now you have extra hurdles as you'll show up as a VPN IP rather than a "normal" residential or cellular IP. Realistically, set your DNS to be something like Quad9 or Cloudflare and you'll already be several steps ahead on browsing privacy.

For spending habits I try to use Google Pay as little as possible and use my Mastercard.

Realistically any card is going to be selling your spending habits. Cash and crypto are about the only ways to have private purchases, and plenty of places won't accept either

Personally I had a long hard think about my privacy practices and how they only isolated me and made me unhappy, and realized that if I'm already blocking all ads so I never get to see the results of the incredibly dystopian advertising hellscape, does it really matter that much if Google knows I spent $200 on random model train shit last month when they already know I watch a few hours of train-related content on Youtube? So I take smaller steps to not fully given in, but I don't take steps that create extra hassle in participating in modern society and living my life to its fullest.

Trainguyrom ,

In regards to the DNS advice, should I use that for both my PC and Android? And when would I use a VPN?

You should set up your preferred DNS server on everything, really. On your phone, on your computer and on your router if you can. DNS is the absolute easiest way to track and block/hijack browsing habits, so hardcoding your devices to use a standard one like NextDNS, Quad9 or Cloudflare will put you very far ahead.

Regarding VPNs, commercial VPNs are really overhyped, and that's because they're a cash cow for operators. See Tom Scott's video on the subject if you prefer this britishplained to you. All a VPN is is a tunnel from your device to the VPN server, wherever that is, so you'll look like your traffic is originating from that VPN server, plus all of your traffic is going to that VPN server, so you have to trust that that server isn't compromised nor slurping up all of the data to sell/provide to security agencies. Clear text browsing traffic will also be secured between your device and the VPN server, but that's super uncommon nowadays. Realistically a commercial VPN is best for if you're doing illegal activities such as piracy, because it will add layers of abstraction should a private company or public agency wish to investigate your activities and try to identify you. I do use Tailscale with an exit node on my home network when connecting to public wifi just in case the network is misconfigured, but it's really just another layer of Swiss cheese security.

Trainguyrom ,

I got one for work. It literally just pastes into ChatGPT

Trainguyrom ,

I just hope it makes it out of development hell unlike Kerbal Space Program 2

Trainguyrom ,

The thing I don't like about laptops is 1. Noise and 2. The bursty CPUs just don't mesh well if I want to run a swarm of VMs or need to just run a big compress/decompress process. I watched one laptop slowly throttle itself all the way down to 700 MHz while I was messing with a bunch of VMs, and it really made me miss having a desktop where it can just chill at 5x the speed at 100% utilization and chew through whatever is being thrown at it.

HP bricks ProBook laptops with bad BIOS delivered via automatic updates — many users face black screen after Windows pushes new firmware (www.tomshardware.com)

On May 26, a user on HP's support forums reported that a forced, automatic BIOS update had bricked their HP ProBook 455 G7 into an unusable state. Subsequently, other users have joined the thread to sound off about experiencing the same issue....

Trainguyrom ,

My experience when I worked in support for a device manufacturer is that if you get high enough in the support tree and can demonstrate that this affects you (and the support person will also have a matrix of affected devices) you'll still get a repair/replacement outside of warranty for them bricking your computer with a bad update.

We had a specific instance where a specific budget model of phone sold by Boost Mobile would brick after a specific update for people who had subsidy unlocked it and taken it to a GSM carrier such as T-Mobile (this was shortly pre-merger) or AT&T. This update rolled out about 2.5 years after this device's release, so most customers were ~12 months outside of warranty. Since the scope of affected devices was so narrow, our directions from the top were to replace affected devices regardless of warranty status, and the replacement would come with a standard 30 day replacement warranty.

So in short, I would expect HP to repair/replace affected devices that bricked after this BIOS update regardless of warranty status, but I would expect some amount of hassle in terms of reaching a specific support department before you get assistance and standard refusal of service for customer induced physical damage (smashed screen, smashed ports, mashed potatoes in the ports, badly bent, etc.)

Trainguyrom ,

I have two different ISPs serving the entire town I live in, both offering symmetric gigabit fiber to the home to the entire town, but can I get a lick of IPv6? Of course not!

Trainguyrom ,

Every computer product is made in china these days

Trainguyrom ,

People learn and grow and change over time. If a couple realizes they're no longer compatible, is it not better to separate than to remain together and unhappy/unsatisfied for the rest of your lives?

Trainguyrom ,

People grow and learn and change over time. Unless you have the power to predict the future you can't "just not marry someone you'll later resent"

Trainguyrom ,

It's one of the challenges that seriously doesn't seem to have an easy solution. Like the closest I can think of is a centralized authority that the service can send an identity verification request to, then the user can sign into the centralized authority and confirm "yes I am the person you requested to verify".

This would also help with annoying employment verification where I have to bring every document needed to steal my identity to my new employer for them to scan and digitally store indefinitely then return said documents to my safe

Trainguyrom ,

I even had to make a login.gov account to apply to some federal jobs (ironically enough one was with the IRS even!)

On a related note, it appears based on their job listings that the IRS will not hire anyone who owes them money

Trainguyrom ,

Now, if it was a flat tax, a fixed percent…But they gotta make sure the middle class is paying 22% of their income to the feds and the billionaires pay one tenth of a percent… you know… for reasons.

I fall into the lower end of the middle class (nationally) and my income tax is about 11%, but on top of that, after deductions and credits I end up deducting myself into the lowest tax bracket and collecting credits so I get a nice chunk back every year. To actually pay a full 22% of your income in income taxes, you must be making pretty good bank (and probably spending pretty good bank if you're still considering yourself middle class)

Flat taxes are extremely regressive. The whole idea of tax brackets is that those with more ability to pay pay more and those with less ability to pay pay less. If you only make 22k/year you need all of that and that $2200 can be pretty lifechanging, but if you make 220k per year you can live without that $22k. There's also fun stuff with how much tax revenue the government can actually bring in depending on who they tax harder, and generally it favors taxing the rich at a much higher percentage rate than they do the poor.

Trainguyrom ,

I keep bringing up how awesome the new SAVE federal student loan repayment program is. Income based repayments that go as low as $0 with the federal government covering any interest that your payment would have gone towards, plus after 10 years of payments balances of $12k and less are forgiven (11 years for $13k, 12 years for $14k, etc.).

So if you got a low paying degree from a community college, like say an early childhood education degree, you get pretty close to free education since you can make your $0 payments every month and get your entire student debt forgiven after a decade. Or if you have a career that doesn't pay much at first but ratchets up you only make payments when you have the income to make them, and still get forgiven after 10 years, and there's no real penalty to paying the $0 payments earlier since the balance hasn't grown and is still forgiven on the same date. Or like many people who attend community college, if you end up dropping out and getting no degree, you're not penalized like earlier plans would have penalized you.

Trainguyrom ,

The really nice thing about tailscale for accessing your hosted services is absolutely nothing can connect without authentication via a professionally hosted standard authentication, and there's no public ports for script kiddies to scan for, spot and start hammering on. There's thousands of bots that do nothing but scan the internet for hosted services and then try to compromise them, so not even showing up on those scans is a good thing.

For example, I have tailscale on my Minecraft server and connect to it via tailscale when away from home. If a buddy wants to join I just send a link sharing the machine to them and they can install tailscale and connect to it normally. If for some reason buddy needs to be cut off, I can just stop sharing to that account on Tailscale and they can no longer access the machine.

The biggest challenge of tailscale is also its biggest benefit. Nothing can connect without connecting through the tailscale client, so if my buddy can't/won't install tailscale they can't join my Minecraft server.

Trainguyrom ,

You should NOT have a WG tunnel from the home network to the VPS with fully unrestricted access to everything.

This is what I came here to make sure was said. Use your firewall to severely restrict access from your public endpoint. Your WireGuard tunnel is effectively a DMZ, so firewall it off accordingly.

Trainguyrom ,

Huh! Thank you very much for the detailed answer that's extremely interesting!

Trainguyrom ,

The biggest red flag is the up-front payment for a year

Another comment pointed out this was probably to prevent them from signing up for a month then using that month to bounce to another provider

Trainguyrom ,

There's countless desktop music players out there, so there's no real need to reverse engineer it

Trainguyrom ,

My friend who works at an MSP said they're migrating most of their customers to HyperV, but these are mostly extremely small companies with a dozen or so employees and only a handful of services

Trainguyrom ,

I've never had that problem. I basically always order milk anytime I eat out. Sometimes they only give me a kids portion or even a kids cup (it was extra funny when my wife ordered it for me and I was away from the table changing a diaper while visiting family), but usually I get a full glass of milk

Trainguyrom ,

They usually have the milk on hand for cooking, or just the kids menu. If my family of 4 can easily go through 2 gallons a week, I can't imagine a restaurant having problems using up milk before it goes bad unless they over-purchase.

Trainguyrom ,

Evidence suggests those that can tolerate lactose as adults are descended from farmers who drank milk to survive during seasons of bad yields.

Milk is full of great vitamins and minerals. I haven't verified this claim, but I heard someone say recently a person can entirely meet their nutritional needs on purely milk and potatoes, which doesn't sound super pleasant to have as a diet, but it's certainly an easy baseline to meet.

Trainguyrom ,

It really sounds like you need to dive into firewall rules. Generally you lean on your firewall to allow and restrict access to services. Probably the easiest place to start is to set up pfsense/opnsense since it has a really clean interface for setting up rules. Proxmox's built in firewall is nice too, but configuring the firewall per VM would probably get annoying and difficult after a while.

And as you learn more about firewalls, learning how subnetting works will allow for more efficient rules (for example, if you have 192.168.0.0/23, 192.168.2.0/24 and 192.168.3.0/24 for your networks that you're allowing traffic to/from, you can just enter one firewall rule for 192.168.0.0/22 rather than 3 separate rules).
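As an added example (not from the thread above): the aggregation the comment describes, done with Python's standard ipaddress module, plus the check a practitioner wants before typing the summary rule in: does the aggregate admit any address space that was not in the list of networks? The network values are the ones from the comment, and the second case is a constructed variant.

```python
# Added example (not from the original thread): summarise a list of
# networks into one aggregate firewall rule, then report any address
# space the aggregate would admit that the original list did not cover.
import ipaddress
from typing import Iterable, List, Tuple


def summary_route(nets: Iterable[str]) -> ipaddress.IPv4Network:
    """Smallest single CIDR block that contains every given network."""
    blocks = [ipaddress.ip_network(n, strict=True) for n in nets]
    summary = min(blocks, key=lambda b: b.network_address)
    # Widen the prefix one bit at a time until every block fits inside.
    while not all(b.subnet_of(summary) for b in blocks):
        summary = summary.supernet()
    return summary


def uncovered(summary: ipaddress.IPv4Network, nets: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Address space inside `summary` that none of `nets` covers.

    CIDR blocks are either nested or disjoint, so each input block either
    lies inside a remaining piece (carve it out with address_exclude),
    equals or contains a remaining piece (drop that piece), or does not
    touch it at all.
    """
    remaining = [summary]
    for n in nets:
        block = ipaddress.ip_network(n, strict=True)
        kept = []
        for piece in remaining:
            if not piece.overlaps(block):
                kept.append(piece)
            elif block.subnet_of(piece) and block != piece:
                kept.extend(piece.address_exclude(block))
            # else: piece is fully covered by block, so it is dropped
        remaining = kept
    return list(ipaddress.collapse_addresses(remaining))


def aggregate_rule(nets: Iterable[str]) -> Tuple[str, List[str]]:
    """Return (summary CIDR, CIDRs the summary admits beyond the inputs)."""
    nets = list(nets)
    summary = summary_route(nets)
    return str(summary), [str(x) for x in uncovered(summary, nets)]


if __name__ == "__main__":
    # The networks from the comment: one /23 and two /24s that together
    # fill 192.168.0.0/22 exactly, so the single rule admits nothing extra.
    print(aggregate_rule(["192.168.0.0/23", "192.168.2.0/24", "192.168.3.0/24"]))
    # Constructed variant: if the first network were only a /24, the same
    # /22 rule would also let 192.168.1.0/24 through, which was never listed.
    print(aggregate_rule(["192.168.0.0/24", "192.168.2.0/24", "192.168.3.0/24"]))
```

An empty second element means the summary is an exact replacement for the separate rules; anything listed there is address space the aggregate rule would open up.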

Trainguyrom , (edited )

So from my experience you generally will have different zones of security. Outside Internet is obviously entirely untrusted so block every incoming connection except those you really need, and even then ideally all remain blocked (especially for a home network). Then you generally have your guest network which might need access to some hosted resources but is largely just used by guests to connect to the internet, next is your client network where your computer likely lives which probably gets access to all hosted resources but no management access (or depending on how much you want to trust your primary PC, limit that to just your main PC) and finally your datacenter network where you hopefully trust everything running in there.

You generally work with these zones and write rules based on the zone the traffic is coming from, with some exceptions, such as I might not want to give the guest network any access to my data center network, except for access to my jellyfin so I'll create a rule allowing only tcp web traffic from that network to a specific port on a specific IP/hostname.

A common way to achieve this is with a DMZ network, a network that sits between all of your networks and relies heavily on routing and firewalls. Public services and routers get IP addresses on the DMZ, and your firewall only allows specific paths. The outside Internet can open connections to the web ports of the web server and nothing else, the web server can't open connections to your other networks, only specific machines/networks are allowed to access the SSH port of the web server, etc. The DMZ is where trusted and untrusted connections mix, hence why it's named after the zone that belongs to both North and South Korea where both are allowed but also neither are allowed, where one only goes with specific purpose and explicit permission.

I was a bit hesitant to do firewall rules based off of IP addresses, as a compromised host could change its IP address

Realistically any identifier you can write firewall rules based off of can be forged in some way. A rogue machine can change its host name, IP address and MAC address (and many do randomize their MAC address these days). In enterprises this is generally mitigated through limiting a network to only Ethernet access or via 802.1X authentication on WiFi and potentially even Ethernet. (You can also take the approach of MAC address whitelists, and some switches even allow for "sticky" MAC addresses where the first MAC address that connects is whitelisted until either the switch is rebooted or an administrator explicitly clears/allows the MAC address.)

However, if each host is on its own VLAN, then I could add a firewall rule to only allow through the 1 “legitimate” IP per VLAN

You could go crazy and do everything at L3 (which your idea is basically doing but with extra steps) but that sounds like far more effort than it's worth, since now you're making every client also act as a router, and you lose a ton of efficiency both in configuration and in routing & switching, plus you've now changed the type of threats you're vulnerable to.

Generally in the enterprise, risks like what you're trying to mitigate are handled through reporting. An automated alert email is sent when a new device connects to a network that should never have new devices connect to it, then you kill the connection and verify with the team if that was any of them and investigate if it wasn't.

Realistically as a home network your threat model is automated scripts and maybe a script kiddie trying to get in. You really just need higher than average security to mitigate such a threat model (and average security is a shit show)

I feel like I may have to allow a couple CT/VMs to communicate without going through the firewall simply for performance reasons. Has that ever been a concern for you?

Security is always a trade off of convenience and speed. You have to decide what is an acceptable compromise between security and efficiency

Generally anything virtual when you aren't sure what to do, you should look at what the physical solution would be. For example, network storage is very bandwidth intensive, latency sensitive and security intensive. This is usually secured at the physical level as a separate network with no routers so that most security can be disabled. So at the virtual level these would be tackled with a separate virtual network connected to a second interface, and firewall rules on other interfaces to disallow incoming and outgoing connections to the storage network

Edit: I just realized I never answered your first question. In short, from what I've seen most enterprises put one firewall from a vendor like Fortinet, Zscaler, Palo Alto, etc. right on the edge of the network closest to the internet then either entirely rely on that for firewall or rely on that for firewalling off the outside Internet then do additional firewalling with a different tool inside the network. For example, a bank I worked at had a pair of redundant L3 switches (Nexus N9ks specifically) which handled all of the routing for all of the bank's networks, and connected between those and the internet was the Fortinet box which was managed by an outside vendor, and while I was there as part of hardening ahead of a scheduled red team audit we set up firewall rules (I'm blanking on the Cisco term for it, but they're ultimately just firewall rules) on the L3 switches to limit access to more sensitive networks and services.
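As an added example (not from the thread, and not any firewall product's own code): the zones and DMZ paths described in this comment, plus the "treat the WireGuard tunnel as a DMZ" advice from the earlier comment, written as a small first-match, default-drop policy evaluator so the rule set can be sanity-checked before it goes into pfSense/OPNsense or nftables. All addresses, zone names and host roles are constructed for illustration.

```python
# Added example (not from the original thread): a zone-based policy
# evaluator with first-match semantics and a default drop. Zones, hosts
# and addresses below are constructed; swap in your own networks.
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Zone lookup uses the longest matching prefix, so the 0.0.0.0/0 entry
# (outside Internet) only wins when nothing more specific matches.
ZONES = {
    "wan": "0.0.0.0/0",
    "guest": "192.168.10.0/24",
    "clients": "192.168.20.0/24",
    "datacenter": "192.168.30.0/24",
    "dmz": "192.168.40.0/24",
    # A WireGuard tunnel terminating on a VPS is treated like the DMZ:
    # the far end is public-facing, so it only gets the paths it needs.
    "wg_tunnel": "10.200.0.0/24",
}
WEB = "192.168.40.10"        # public web server living in the DMZ
JELLYFIN = "192.168.30.20"   # media server in the datacenter network
ADMIN_PC = "192.168.20.5"    # the one client allowed to SSH into the DMZ


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str = "any"               # "tcp", "udp" or "any"
    dst_ports: Tuple[int, ...] = ()  # empty tuple means any port
    src_host: Optional[str] = None   # restrict to one source address
    dst_host: Optional[str] = None   # restrict to one destination address
    why: str = ""


# First match wins; anything that matches no rule is dropped.
RULES = [
    Rule("wan", "dmz", "tcp", (80, 443), dst_host=WEB, why="public web ports only"),
    Rule("wg_tunnel", "dmz", "tcp", (80, 443), dst_host=WEB, why="VPS tunnel: web only"),
    Rule("clients", "dmz", "tcp", (22,), src_host=ADMIN_PC, dst_host=WEB, why="admin SSH"),
    Rule("clients", "datacenter", why="client PCs reach hosted services"),
    Rule("clients", "wan", why="client internet access"),
    Rule("guest", "datacenter", "tcp", (8096,), dst_host=JELLYFIN, why="guests: Jellyfin only"),
    Rule("guest", "wan", why="guest internet access"),
    # Note what is absent: nothing lets the DMZ or the tunnel open
    # connections inward, and guests never reach the client network.
]


def zone_of(ip: str) -> str:
    """Longest-prefix match of an address against the zone table."""
    addr = ipaddress.ip_address(ip)
    best, best_len = "wan", -1
    for name, cidr in ZONES.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and net.prefixlen > best_len:
            best, best_len = name, net.prefixlen
    return best


def evaluate(src: str, dst: str, proto: str, dst_port: int) -> Tuple[str, str]:
    """Decide a new connection attempt; returns ("accept"|"drop", reason)."""
    # Only the first packet of a connection is judged here; a stateful
    # firewall passes the reply traffic of accepted connections itself.
    sz, dz = zone_of(src), zone_of(dst)
    for r in RULES:
        if (r.src_zone, r.dst_zone) != (sz, dz):
            continue
        if r.proto != "any" and r.proto != proto:
            continue
        if r.dst_ports and dst_port not in r.dst_ports:
            continue
        if r.src_host and r.src_host != src:
            continue
        if r.dst_host and r.dst_host != dst:
            continue
        return "accept", r.why
    return "drop", f"no rule for {sz} -> {dz} {proto}/{dst_port}"


if __name__ == "__main__":
    for probe in [("203.0.113.7", WEB, "tcp", 443), ("203.0.113.7", WEB, "tcp", 22),
                  (WEB, JELLYFIN, "tcp", 8096), (ADMIN_PC, WEB, "tcp", 22)]:
        print(probe, "->", evaluate(*probe))
```

The useful habit is the negative checks: assert that the web server cannot reach the datacenter and that a non-admin client cannot reach SSH, since those are the paths an overly broad rule quietly opens.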

Trainguyrom ,

No problem! I'm just an information sponge and I've lucked out with really good mentors so far in my career to learn from

Trainguyrom ,

when Amerika is looking at a job shortage because of all the offshoring.

Ahahaha no there's not! I work for a national company and we have hundreds of jobs we struggle to fill.

Even if you look at the data for manufacturing, the most infamously offshored sector, there's consistently more job openings than hirings.

Trainguyrom ,

I think the worst part is they entirely ignored the most painfully obvious solution of implementing a "reddit plus" or "reddit premium" or "reddit red" and just gated third party app access behind a $9.99/mo subscription. I have a hard time believing most reddit users' ad views are worth anywhere near that much per month. But instead they decided to burn a significant sum of goodwill on questionable premises and pissed off a significant number of power users.

The feeling I got from all of the communications was that /u/spez was jealous of Apollo and just wanted to kill off Apollo. Which would explain why they took such a scorched earth approach in trying to kill all third party apps

maegul , to Fediverse
@maegul@hachyderm.io

Nice demonstration of why mastodon's dominance is problematic

See the conversations here:
https://github.com/LemmyNet/lemmy/pull/4628
and
https://socialhub.activitypub.rocks/t/federating-the-content-of-posts-note-articles-and-character-limits/4087

AFAICT, mastodon's decisions, which are arguably problematic (on which see: https://lemmy.ml/post/14973403) are literally trickling down to other platforms and infecting how they federate with each other as they dance around mastodon's quirks in different ways.

It seems like masto is ruining "the standard" with its gravity.

@fediverse

Trainguyrom ,

Maybe I'm just not awake enough but I'm not entirely following exactly what's going on. Can you give me a quick summary?

Trainguyrom ,

Oh so it's a compatibility triangle of C being compatible with A makes it incompatible with B? Sounds like a mess for sure

Trainguyrom ,

One of my neighbors has a small electric one and I was floored by how quiet it was. I might actually get one this year if my finances add up right...

Trainguyrom ,

My neighbor does the lawns once every single week

Until about a year ago I had neighbors on 2 sides of me who'd mow 1-2 times a week. Elderly retired neighbors who seemed to mow as their hobby. I subscribe to the No Mow May philosophy. I don't mow until May because that's about as long as I can get away with before my grass starts getting too excited. I also mow every 2-3 weeks depending on the rate of regrowth to keep it reasonable but also not over-mow. It's a balancing act of what I can do for the environment without having to fight my neighbors, in-laws or city.

Trainguyrom ,

I feel like the biggest crime is apartment and condo buildings putting individual ACs for every single unit instead of a more efficient full building system. There's fancy systems that pump the heat from the air into the water heaters and between units to run at more efficient ratios, or radiant systems that basically run a "cold" utility through the building to be tapped into by units and has the benefit of economies of scale, etc.

Trainguyrom ,

The last time I ran Linux on my main gaming rig I had a couple of key problems that largely made me call it quits:

  1. Games with gold and platinum ratings on WineDB (this was about the time Proton was newly released) would require far too much fiddling to get working if I could get them working at all.
  2. A couple of fairly uncommon games I played a lot at the time had weird issues with user-generated content related to filesystem and library case-sensitivity differences.
  3. Game crashes from content conflicts more often than not created system crashes, which both obscured crash dialogues which would normally point me to the content to explore why it was crashing, and extended the amount of time needed to troubleshoot an install and get it working

I'll probably try it again at some point in the next handful of years, especially since the Linux desktop has come so far in the 3 years or so since I last tried it out. I already run Linux on about half of the systems I use regularly, so it's not like I'm completely out of the game.

Trainguyrom OP ,

4th gen Intel i5s, 8GB of RAM and 256GB SSDs, so not terrible for a basic Windows desktop even today (except of course for the fact that no supported Windows desktop operating system will officially support these systems come Q4 2025).

But don't get your hopes up, when I've bid on auctions like this before the lots have gone for closer to $80 per computer, so I was genuinely surprised I could win with such a low bid. Also every state has entirely different auction setups. When I've looked into it in the past, some just dump everything to a third party auction, some only do an in-person auction annually at a central auction house, and some have a snazzy dedicated auction site. Oh and because it's the US, states do it differently from the federal government. So it might take some research and digging around to find the most convenient option for wherever you are (which could just be making a friend in an IT department somewhere that will let you dumpster dive).

Trainguyrom OP ,

From the listing photos these actually have half-height expansion slots! So GPU options are practically nonexistent, but networking and storage are blown wide open for options compared to the miniPCs that are more prevalent now.

Trainguyrom OP ,

The thought did cross my mind to run Linpack and see where I fall on the Top500 (or the Top500 of 2000 for example for a more fair comparison haha)

Trainguyrom OP ,

This is pretty high on the to-do list. I plan on virtualizing a bunch of it, but it would be pretty easy to have one desktop hosting each subnet of client PCs and one hosting the datacenter subnet. Having several hosts to physically network means less time spent verifying the virtual networks work as intended.

Also playing with different deployment tools is a goal too. Having 2-3 nearly-identical systems should be really useful for creating unified Windows images for deployment testing

Trainguyrom OP ,

I think you're not giving 4th gen enough credit. My wife's soon-to-be-upgraded desktop is built on a 4th gen i5 platform, and it generally does the job to a decent level. I was rocking a 4790k and GTX970 until 2022, and my work computer in 2022 was on an even older i5-2500 (more held back by the spinning hard drive than anything. Obviously not a great job, but I found something much better in 2022) my last ewaste desktop-turned-server was powered by an i5-6500 (which is a few percentage points better performance than the 4th gen equivalent) and I have a laptop I use for web browsing and media consumption that's got a 6700HQ in it.

I've already got a few people tentatively interested, and I honestly accepted the possibility of having to pay to recycle them later on. Should be a fun series of projects to be had with this pallet of not-quite-ewaste

Trainguyrom OP ,

State government, and it says they come with SSDs. They came from a school so presumably they're from a lab or are upgraded staff PCs, both would be pretty low sensitivity. Maybe I'll learn the final test answers for Algebra 1 at worst!

Might be fun to do some forensic data recovery and see if anything was missed though

Trainguyrom OP , (edited )

12 cents per kilowatt-hour. I certainly don't plan on leaving more than a couple on long term. I might get lucky with the weather and need the heating though :)

Trainguyrom OP ,

Although he’d also need 25 monitors lol

Back to the government auctions then!

Trainguyrom OP ,

I won't be leaving all of them on for long at all. I've got a few basically unused 15A electrical circuits in the unfinished basement (can see the wires and visually trace the entire runs) I'll probably only run all 25 long enough to run a linpack benchmark and maybe run some kind of AI model on the distributed compute then start getting rid of at least half of them

Trainguyrom OP ,

I already said in the original post I plan on selling off and giving away ~15 of them, keeping a few as spares, and only actually leaving one on 24/7.

bare metal machines which take IP addresses, against just running it in VM’s which have IP addresses

Both bare metal and VMs require IPs, it's just about what networks you toss them on. Thanks to NAT, IPs are free and there's about 18 million of them to pick from in just the private IPv4 space.

Big reason for bare metal for clustering is it takes the guess work out of virtual networking since there's physical cables to trace. I don't have to guess if a given virtual network has an L3 device that the virtual network helpfully added or is all L2, I can see the blinky lights for an estimate as to how much activity is going on on the network, and I can physically degrade a connection if I want to simulate an unreliable connection to a remote site. I can yank the power on a physical machine to simulate a power/host failure, you have to hope the virtual host actually yanks the virtual power and doesn't do some pre shutdown stuff before killing the VM to protect you from yourself. Sure you can ultimately do all of this virtually, but having a few physical machines in the mix takes the guesswork out of it and makes your labbing more "real world"

I also want to invest the time and money into doing some real clustering technologies kinda close to right. Ever since I ran a ceph cluster in college on DDR2 era hardware over gigabit links I've been curious to see what level of investment is needed to make ceph perform reasonably, and how ceph compares to say glusterFS for example. I also want to setup an OpenShift cluster to play with and that calls for about 5 4-8 core 32GB RAM machines as a minimum (which happens to be the maximum hardware config of these machines). Similar with Harvester HCI

It just takes a lot of extra power and doesn’t achieve much

I just plan on running all of them just long enough to get some benchmark porn then starting to sell them off. Most won't even be plugged in for more than a few hours before I sell them off

there is no real reason to do this and I don’t understand so many people hyping it up.

Because it's fun? I got 25 computers for a bit more than the price of one (based on current eBay pricing). Why not do some stupid silly stuff while I have all of them? Why have an actual reason beyond "because I can!"

25 PC’s does seem slightly overkill. I can imagine 3-5 max.

25 computers is definitely overkill, but the auction wasn't for 6 computers, it was for 25 of them. And again, I seriously expected to be outbid and the winning bid to be over a grand. I didn't expect to get 25 computers for about the price of one. But now I have them so I'm gonna play with them.

Trainguyrom ,

If somebody told me five years ago about Adversarial Prompt Attacks I'd tell them they're horribly misled and don't understand how computers work, but yet here we are, and folks are using social engineering to get AI models to do things they aren't supposed to
