Compare commits

..

No commits in common. "5ddaa5e3853b24116d206dc5ab6d8a51ffbd700d" and "7ec3d371860844e494059a3ba511fdf906cacf66" have entirely different histories.

3 changed files with 15 additions and 184 deletions

View file

@ -189,5 +189,3 @@ how much impact they have in a retrospective:
- **2024-03-27**: DataBricks open sources DBRX, a 132B parameter MoE with 36B - **2024-03-27**: DataBricks open sources DBRX, a 132B parameter MoE with 36B
parameters active per forward pass. It was trained on 12T tokens. According parameters active per forward pass. It was trained on 12T tokens. According
to user evaluation, it beats Mixtral for all uses. to user evaluation, it beats Mixtral for all uses.
- **2024-04-18**: Meta releases LLaMA3 8b and 70b. 70b is the new best open
model, right around Claude3 Sonnet and above older gpt4 versions!

View file

@ -24,25 +24,25 @@ easily get *inward* access to any port.
The easiest method, and probably recommended for most users, is using Software The easiest method, and probably recommended for most users, is using Software
Driven WAN (SDWAN). This is similar to a VPN, but unlike Wireguard, ZeroTier One Driven WAN (SDWAN). This is similar to a VPN, but unlike Wireguard, ZeroTier One
doesn't<sup>1</sup> require a centralized server. doesn't [[1]] require a centralized server.
Advantages: Advantages:
- Free version is good enough for most small groups
- Very simple setup - Very simple setup
- Very low latency through UDP hole-punching - Very fast through UDP hole-punching
- Free (for up to 25 clients)
Drawbacks: Drawbacks:
- Limit of 25 clients (on the [free
version](https://www.zerotier.com/pricing/))
- Requires installing separate software on all clients - Requires installing separate software on all clients
- Sometimes fails to connect for up to an hour... very hard to debug when it - Sometimes fails to connect for up to an hour... very hard to debug when it
happens happens
- Can only be used by clients on the VPN. For example, a public webserver won't - Can only be used by clients on the VPN. For example, a public webserver won't
be able to use this be able to use this
- Limit of 25 clients (on the [free
version](https://www.zerotier.com/pricing/))
To use ZeroTier: To use ZeroTier:
1. Sign up for an account at [zerotier.com](https://www.zerotier.com/) 1. Sign up for an account at [zerotier.com](https://www.zerotier.com/)
2. Under "Networks" create a network and give it a name. Ensure Access Control 2. Under "Networks" create a network and give it a name. Ensure access control
is private. is private.
3. Install ZeroTier One on all clients you'd like to connect. You can add more 3. Install ZeroTier One on all clients you'd like to connect. You can add more
later. later.
@ -168,171 +168,3 @@ ssh -p 8022 emiliko@172.27.10.10
``` ```
This will be forwarded to port 22 on the server! This will be forwarded to port 22 on the server!
## Reverse Proxy without a Static IP
If you're planning to use a home computer, you'll quickly find that most
internet service providers do not offer static IPs for consumer plans. Luckily,
there's a very simple way around this: Domain Name Servers (DNS).
You will need a domain to achieve this. Domains should not cost more than
$20/year. Here I'll use the domain `example.com` as an example.
The idea is that a domain will point to a specific IP, but this IP is determined
through a lookup to the DNS. This means that if we change the IP the DNS has
every time our computer's IP changes, we'll appear to have a static IP!
First, put your nameservers on a good DNS provider. I use
[Cloudflare](https://pages.cloudflare.com/), it's free and fast. You'll need to
find the DNS page. The URL will look something like:
```
https://dash.cloudflare.com/<long-project-id>/example.com/dns/records
```
There, you'll want to add an "A Record". The name will be the subdomain. So if
my computer is called `mycomputer` and that's in the name field, it'll be
accessible at `mycomputer.example.com`.
Now you need to identify your IP address. This is your PUBLIC IP address, not
your LOCAL IP address. One easy way to do this is `curl -q
https://ifconfig.me/ip`.
Make sure "Proxy Status" is OFF. Proxying the connection appears to make this
whole idea break down very quickly, so don't.
With that "A Record" set, try `host mycomputer.example.com` to see when the DNS
updates. This can take up to 4 hour, but usually takes under a minute in
practice. With this, you should be able to access your computer using the
domain! Of course, make sure your router's ports are forwarding to your
computer.
We now need to make your computer update Cloudflare's DNS, whenever the IP
changes. I use the script below to do this. Fill in the `HOST`, `DOMAIN`,
`TOKEN`, `ZONE_ID`. The `TOKEN` is your Cloudflare application token:
```bash
#!/usr/bin/env bash
declare wan_ip_record wan_ip cf_records host_record cf_host_ip cf_rec_id
declare -r HOST='mycomputer'
declare -r DOMAIN='example.com'
declare -r TOKEN='...'
declare -r ZONE_ID='...'
#╔─────────────────────────────────────────────────────────────────────────────╗
#│ Gετ WΛN IP |
#╚─────────────────────────────────────────────────────────────────────────────╝
if ! wan_ip_record="$(curl ifconfig.me)"; then
echo "Hosts timed out" >&2
exit 1
fi
wan_ip="$wan_ip_record"
#wan_ip="$(echo "$wan_ip_record" | tail -n1 | awk '{ split($0, a, " "); print a[4] }')"
#╔─────────────────────────────────────────────────────────────────────────────╗
#│ Gετ Λ rεcδrd δη Clδμdflαrε |
#╚─────────────────────────────────────────────────────────────────────────────╝
if ! cf_records="$(curl -s --request GET \
--url https://api.cloudflare.com/client/v4/zones/${ZONE_ID}/dns_records \
--header 'Content-Type: application/json' \
--header "Authorization: Bearer $TOKEN")"
then
echo "Failed to retrive cloudflare zone records" >&2
exit 1
fi
for i in {0..4000}; do # Assuming 4000 is enough
record="$(echo "$cf_records" | jq --raw-output ".result[${i}].name")"
if [[ "$record" == "${HOST}.${DOMAIN}" ]]; then
host_record="$(echo "$cf_records" | jq -r ".result[${i}]")"
break
elif [[ "$record" == null ]]; then
echo "No record found for ${HOST}.${DOMAIN}" >&2
exit 1
fi
done
#╔─────────────────────────────────────────────────────────────────────────────╗
#│ Sετ Λ rεcδrd τδ cμrrεητ WΛN |
#╚─────────────────────────────────────────────────────────────────────────────╝
cf_host_ip="$(echo "$host_record" | jq -r '.content')"
cf_rec_id="$(echo "$host_record" | jq -r '.id')"
if [[ -z "$cf_host_ip" || "$cf_host_ip" == null ]]; then
echo "Failed to find content of A record for ${HOST}.${DOMAIN}" >&2
exit 1
elif [[ -z "$cf_rec_id" || "$cf_rec_id" == null ]]; then
echo "Failed to find A record ID for ${HOST}.${DOMAIN}" >&2
exit 1
fi
if [[ "$cf_host_ip" == "$wan_ip" ]]; then
echo "Cloudflare is up to date @ $(date)" >&2
else
echo "Updating Cloudflare's A record from $cf_host_ip to $wan_ip" >&2
patch_response="$(curl -s --request PATCH \
--url "https://api.cloudflare.com/client/v4/zones/${ZONE_ID}/dns_records/${cf_rec_id}" \
--header 'Content-Type: application/json' \
--header "Authorization: Bearer $TOKEN" \
--data '{
"comment": "'"${HOST} @ $(date)"'",
"content": "'"$wan_ip"'",
"name": "'"${HOST}.${DOMAIN}"'",
"proxied": false,
"ttl": 1
}')"
if [[ "$(echo "$patch_response" | jq -r '.success')" == true ]]; then
echo "Update to $wan_ip succeeded @ $(date)" >&2
else
echo "Failed to update A record. DUMP:"
echo "$patch_response"
exit 1
fi
fi
```
Now we need a systemd-timer to run this script. I run it once every 15 minutes.
Please refer to the [systemd-timers]() blog for more information, but breifly I
use:
```ini
[Unit]
Wants=update_a_record.timer
Wants=network-online.target
After=network-online.target
[Service]
Type=oneshot
ExecStart=/usr/local/bin/set_a_records.sh
```
Timer:
```ini
[Unit]
Requires=update_a_record.service
[Timer]
Unit=update_a_record.service
OnCalendar=*-*-* *:00,15,30,45:00
RandomizedDelaySec=15min
[Install]
WantedBy=timers.target
```
Then start it with `systemctl enable update_a_record.service`. The name of the
service will be different based on what you called the files.
Now to use this for reverse-proxy purposes, go back to your `client.toml` config
and update the `remote_addr`:
```toml
[client]
remote_addr = "mycomputer.example.com:9001"
```

View file

@ -8,7 +8,7 @@ updateDate: 'March 28 2024'
Passwords are often the main method of digital identification. This means Passwords are often the main method of digital identification. This means
anything you don't want others to access but do want yourself to access is anything you don't want others to access but do want yourself to access is
behind some sort of password. We need to optimize on two fronts: behind some sort of password. This means we need to optimize on two fronts:
- Easy of access: Passwords must be quick and easy to access and use - Easy of access: Passwords must be quick and easy to access and use
- High security: Passwords must be strong to resist attacks - High security: Passwords must be strong to resist attacks
@ -20,8 +20,8 @@ the way we'll learn a lot about password security in general!
## Optimizing for high-security ## Optimizing for high-security
A password is pretty pointless if it's not strong enough to not get cracked. A password is pretty pointless if it's not strong enough to be cracked. Let's
Let's look over some core security concepts! look over some core security concepts!
### Measuring Bits of Entropy ### Measuring Bits of Entropy
@ -148,7 +148,7 @@ result of the output space being lower dimensional than any password with higher
entropy, so any "stronger" password would be projected down to only 256 bits of entropy, so any "stronger" password would be projected down to only 256 bits of
entropy. entropy.
We can also look at how quickly computers can brute-force passwords. We can also look at how fast computers can brute-force passwords.
[Bcrypt](https://en.wikipedia.org/wiki/Bcrypt) is one of the most popular [Bcrypt](https://en.wikipedia.org/wiki/Bcrypt) is one of the most popular
hashing choices for passwords. Assuming a company is decently secure, they use hashing choices for passwords. Assuming a company is decently secure, they use
enough rounds of hashing such that a modern processor takes about 100ms to hash enough rounds of hashing such that a modern processor takes about 100ms to hash
@ -348,10 +348,11 @@ example, if a phone camera records you typing on your keyboard to decrypt the
GPG key, the attacker can't do *anything* with that password alone. They still GPG key, the attacker can't do *anything* with that password alone. They still
need physical access to your system to grab the files themselves. need physical access to your system to grab the files themselves.
An odd benefit of 3-factor authentication is distributing backups. You can An odd benefit of 3-factor authentication is distributing backups. If you
distribute the 3 pieces between 3 third parties you trust. So long as they don't provide people who know you, but mutually don't know one another, you can safely
know each other, having 1/3 pieces doesn't compromise your security, especially entrust your passwords with third parties. This is since they need all 3 pieces
if you trust them. to mount an attack, so giving a trusted third party only 1 piece doesn't
compromise your security.
Malware *could* be both a key logger and grab the files from Malware *could* be both a key logger and grab the files from
`~/.password-store`, but that is some very sophisticated and targeted `~/.password-store`, but that is some very sophisticated and targeted