Sven Slootweg (soft-deprecated) @joepie91@pixie.town

@cephie The whole "consumption of ultra-processed foods results in health issues" feels a lot to me like the usual "being poor is bad for your health" in a trenchcoat.

I've not read all of the studies that it references on this point, but every single study I've read like it in the past is basically just observing a correlation without being able to highlight *why* it happens (and never talking about the role of poverty), so I'm highly skeptical of such studies by default.

@madcap @katnjiapus I have personally not found any value in it from a security perspective; if you're going to be using your SSH access for server administration, then your account will functionally have to have root access anyway (password-based escalation is really easy to keylog by a hypothetical attacker...) so it mostly just adds an extra step for any administrative command you want to run.

That extra step *can* be desirable to reduce the chance of making destructive mistakes yourself, as an extra confirmation step; though it doesn't protect you from all failure modes. But that's not really a security thing so much as a slightly inconvenient usage safeguard.

@madcap The problem is that these are complex questions to answer without a lot of background knowledge and experience in server management - how would one know if their IP often changes if they haven't already been doing server stuff for a while, for example?

So providing a list with "niche" recommendations that the recipient is then supposed to choose from, is usually the opposite of helpful, and just becomes overwhelming - it still doesn't tell them what they should or shouldn't do, it just creates more questions they now need to figure out.

(The usual heuristic applies here - as soon as you're saying someone could "just" do something, you should take a step back and ask yourself what this actually entails, and whether it is as easy for someone else as it is for yourself.)

I don't know the exact background and experience of @katnjiapus, but given that they ask specifically for a checklist, I would assume that they are looking for a list of "things they definitely should be doing, so they can be confident that it's set up right even if they're just starting to do server stuff and aren't familiar with it yet".

And to be clear, this is not really about you specifically, I see a *lot* of tech folks having this tendency to frontload all the information (relevant or otherwise) when someone asks a beginner question, but that's really something we should all unlearn if we want to have any hope of having people run their own services. Focus on the certainties, add the nuances later.

@liketechnik@chaos.social Yeah. Going from the history described on Wikipedia, it sounds like the whole thing is built on "treating correlation as causation"? It's not clear to me how this classification ever became a scientifically acceptable basis to build research on.

@madcap @katnjiapus Or to put it differently and perhaps more concisely: "fiddling with all the subtle knobs and tradeoffs to get a perfect security profile" is the job of security experts and, especially, designers of systems who then package these decisions into simple-to-reason about policy options/defaults.

This is not something to expect from your everyday server admin, they should only need to select the simple-to-reason about policies - and if you feel that the available policies in existing systems aren't good enough, then that is best addressed by contributing to those systems, not by trying to tell individual server admins to deal with a highly complex landscape of unfamiliar security options.

@madcap @katnjiapus Sure, fail2ban has other usecases, but in this case I was talking about SSH only - other usecases would fall under "application-specific needs" (because modern applications generally handle rate-limiting themselves, and do not need an external tool for this).

For "SSH only from home/office IP", a similar problem applies - it is very easy to lock yourself out if, for instance, your ISP suddenly changes your IP. These sorts of measures are not free to add, so before adding them, you need to understand very well what the tradeoffs are.

There are a million things you could do that theoretically, in some rare edge cases, some tiny amount of the time, might slightly help security - usually more by coincidence than anything else. Using fail2ban against SSH exploits is one of those cases; it is vanishingly unlikely to actually do that under real-world circumstances.

Stacking a ton of those "might as well" measures together is not actually good security policy - you just end up adding a lot of complexity (and therefore new ways for the system as a whole thing to fail, through human error or otherwise), with very little to show for it. It can easily end up making things worse.

So unless server security is your expertise, you should just stick with a small set of known-good security policies (like key-only auth) that has a clear and unambiguous security benefit, and leave it at that, honestly.

@mos_8502 From what I understand, if the contacts are sufficiently worn out along the way, chaining power strips (or any other sort of chaining of multiple imperfect connections) can cause some types of breakers to respond dangerously slowly.

@vkc That's not normal, no. If they refuse to cooperate, I believe you can ask ICANN to step in and force the transfer.