jakejarvis's comments

jakejarvis | 6 years ago | on: GitHub is down

Absolutely. I'm (cautiously) optimistic that some good can come from all this downtime in that sense.

jakejarvis | 6 years ago | on: GitHub is down

I feel like this whole year has served as one big reminder of how fragile the internet really is...

jakejarvis | 6 years ago | on: The Washington Post is preparing for post-cookie ad targeting

You can also set this directly in about:config under network.http.sendRefererHeader:

  0 = never send the header
  1 = send the header only when clicking on links and similar elements
  2 = (default) send on all requests (e.g. images, links, etc.)

If you want more granular control (like sending referrers but only the root of the domain) all of the various network.http.referer flags for Firefox are listed here:

https://wiki.mozilla.org/Security/Referrer

Doesn't have a few of the features that your extension has, but it's done the trick for me!

jakejarvis | 6 years ago | on: Firefox to Warn When Saved Logins Are Found in Data Breaches

1Password uses the HIBP API too [0] which has actually saved me a few times.

The mechanics behind the v2 API (using k-anonymity with hashes [1]) are pretty interesting too. Troy has clearly put a lot of thought and time into what started as a pet project a few years ago and should be infinitely commended!

[0] https://blog.1password.com/finding-pwned-passwords-with-1pas...

[1] https://www.troyhunt.com/ive-just-launched-pwned-passwords-v...

jakejarvis | 6 years ago | on: How to Find Hidden Cameras in Your Airbnb

Thanks for posting my weird collection!

A personal spy cam in a rental home is bad enough, but the fact that there are so many open to the world (and therefore indexed on Shodan) makes it infinitely worse.

jakejarvis | 6 years ago | on: Details of the Cloudflare outage on July 2, 2019

Absolutely agree about an external monitoring service being a necessity. I was more referring to cloudflare.com (and specifically dash.cloudflare.com) being entirely served through Cloudflare itself, or the AWS console being hosted on AWS, etc.

jakejarvis | 6 years ago | on: Details of the Cloudflare outage on July 2, 2019

Always appreciate the transparency from you and Cloudflare. :)

My main fright during this outage wasn't really the outage itself, but the fact that I couldn't log into the dashboard and simply click the orange cloud to bypass Cloudflare in the meantime. I'm assuming that this is now covered by this mitigation:

>> 6. Putting in place an emergency ability to take the Cloudflare Dashboard and API off Cloudflare's edge.

If so, and if this would have prevented the dashboard outage even during the WAF fiasco, this is a huge comfort to me. Just curious, though: how far can you really go in separating Cloudflare "the interface" from Cloudflare "the network?"

And in general, what does everyone on HN think about mission-critical companies using their own infrastructure and being their own customer? Especially when the alternative is using a competitor?

jakejarvis | 6 years ago | on: How iOS 13 redraws your eyes so you're looking at the camera

I understand why this feels creepy in our tech bubble, but I think it's worth noting how popular apps like FaceTune have become the past few years [0] [1].

I'm certainly not defending this trend and I think it's incredibly unhealthy — especially for the average teenager who's already naturally self-conscious about their appearances. But a minor eye correction will be peanuts in the eyes of this crowd (no pun intended) compared to the amount of processing that most of their Instagram and Snapchat photos go through before being uploaded.

[0] https://www.theguardian.com/media/2018/mar/09/facetune-photo...

[1] https://abcnews.go.com/GMA/Living/photo-retouching-apps-affe...

jakejarvis | 6 years ago | on: I was seven words away from being spear-phished

That was probably the easiest part of their escapade, sadly — spoofing a WiFi access point with a fake portal comes to mind. Or posing as IT and mass-emailing the university directory (which is rather easy to scrape at most universities), keyloggers on lab computers, etc. Always possible that it could have been as simple as just asking!

Out of ~20,000 students and ~10,000 staff, they only needed to get lucky once, unfortunately.

jakejarvis | 6 years ago | on: The Toyota Way

The entire decades-long overseas diversion saga surrounding American Toyota pickups has always fascinated me.

Top Gear did an episode [0] trying to destroy a Toyota Hilux (similar to the Land Cruiser) and literally couldn't, which explains why it's so popular with terrorists. It's a worthwhile watch if you want to see a truck survive after being drowned in water, fire, and the rubble of a demolished skyscraper. Say what you want about Toyotas, but that's quite the engineering feat in my opinion!

[0] https://www.youtube.com/watch?v=xnWKz7Cthkk

jakejarvis | 6 years ago | on: BonziBuddy

Ditto! For some reason I used to think the more tray icons the better.

But not as bad as when I tried to delete C:\Windows before it would try to stop you. (For science, of course.)

jakejarvis | 6 years ago | on: How to Automatically Backup a Linux VPS to a Separate Cloud Storage Service

Absolutely. Maybe I should have noted that this is more of a guide to make your existing backup procedures more redundant, which implies that you already have local "backups" being made of whatever you want to redundantly store in S3 or B2 or anywhere externally.

In that case, it does become as simple as just copying files elsewhere. (For example, using the Restic steps in my post to back up a folder of hourly database dumps, like you mentioned.) Replicating databases (and other methods made specifically for DBs) is certainly a much, much better route for mission-critical and/or enterprise data.

Covering every permutation of different types of data to back up would have made a long post much longer, but I'll add writing a part two to my to-do list covering rudimentary database backups since that has been brought up here a few times.

Thanks for the feedback! :)

jakejarvis | 6 years ago | on: How to Automatically Backup a Linux VPS to a Separate Cloud Storage Service

Good question. I have the same setup on one server hosting GitLab, Pi-Hole, Plex, etc., and I have Restic (and its cronjob) installed on the host and only back up the files that I mount to each Docker container, which are all stored in /srv/docker.

In theory, you need to be ready to literally delete every container at any time and pull them from scratch and be 100% fine, since all of your actual data should be stored on the host and mounted as Docker volumes [0]. It's a good Doomsday test if you're looking for one. ;)

[0] https://docs.docker.com/storage/

jakejarvis | 6 years ago | on: How does Apple privately find offline devices?

Similar story here, but instead of a phishing email it was a legit Find My iPhone email six months later saying her phone pinged from Morocco.

So yup, sounds like they’ve either resorted to stripping them for parts or selling them whole (and still firmware-locked) to innocent buyers in places where you’d have practically no legal recourse — who then become victims to the theft as well, ironically. And by then, of course, you’ve likely had a new phone for long enough to not lose much sleep over it.

jakejarvis | 6 years ago | on: Tell HN: Archive.is inaccessible via Cloudflare DNS (1.1.1.1)

Honestly, Cloudflare choosing not to hastily slap a band-aid on a problem like this just makes me feel more compelled to continue using 1.1.1.1.

I hesitate to compare this to Apple calling themselves “courageous” when removing the headphone jack, but in this case, I think the word is appropriate. I’ll happily stand behind you guys if you take some PR hits while forcing the rest of the industry to make DNS safer – since it is understandable, admittedly, for users to conclude that “Cloudflare is blocking websites, sound the alarms!” at first glance.
