Hacker News | adrium's comments

Too bad, I tried to buy that domain some years ago as soon as I got my first fritzbox. Back then, I did not find a registrar and did not invest much time in finding one.

I am running my own DNS server and configured the fritz.box zone.

Very unprofessional of the vendor to assign a public domain. Good reminder to always use https://www.iana.org/domains/reserved and maybe https://www.theregister.com/2018/02/12/icann_corp_home_mail_...

They should just release a firmware update that replaces the domain suffix and ultimately make it configurable.


I have to admit that I got stung when Google released .dev as HSTS only, although that was only for local testing.

I'm surprised that this company didn't realise that this was problematic before this happened. Also, if the response in the article is actually their only one so far, that's a "I'll never touch this company again" response. If they deal with it properly then it's just a bug.


It wasn't a public TLD until this year when it was registered to be a web3 thing.


It doesn't matter, it's never been a good idea to use a domain that isn't your own or a special-use domain. At some point this might have been a theoretical worry, but it was 13 years ago that ICANN started creating new TLDs by the dozen. There's very little excuse for not correcting this mistake for new hardware at some point in the past 13 years.


Nice article with interesting thoughts and I appreciate the quotes - but I respectfully disagree that 'finishing a personal project you’re doing just for yourself is impossible'

I think it's really important to first reflect on the purpose when doing something: is it to solve a problem, is it to learn something, is it to achieve a target, is it to keep yourself busy to wind down and because you like doing it, or is it to promote yourself.

The next step is to define a goal and a scope - not a deadline.

When realizing it, it is important to take a pragmatic approach. All activities should lead towards achieving the goal - do not overengineer.

This way, projects can actually get finished.

From personal experience, I have been successful in software projects, sports competitions, building objects and furniture, and doing musical projects.

Success being defined as achieving the set goal and having completed the project.

Their purpose was never to self-promote and the activity rarely involved creating art. So maybe art is a niche that is never finished...

Mid next year, I want to pick up writing a blog. The primary purpose is to 'keep myself busy' because I have never delved into this activity and I am curious about the process. The secondary purpose is to improve my literacy: I want to be able to read and write more efficiently, because my new job will require that. And the tertiary goal is to self-promote.

Elaborating on the topic of finishing projects would make a perfect first article. Thanks to the author for your inspiration!


Completely agree.

I sew clothes. The vast majority of projects I start get finished. Sometimes I'm happy with the result, sometimes I'm not. I wear them regardless. My kids wear them. After a while they grow out of them.

Goal achieved, project finished.


Nice, congrats on your successful projects :)

Good point about being happy with the results! I think this could be added to the definition of success.

Some results cannot be improved, like sewn clothes, but there can be a review to learn something (why are you not happy with the result?) and a feedback loop, for the next project to turn out better.


Completely agree on not setting a deadline, it will likely lead to disappointment as we tend to set unrealistic deadlines anyway, even more so for personal projects which rely on having time off of work and other responsibilities. I would even skip the "define a goal and a scope" part. Just go for it and see where it will take you, it might go into a totally different direction, which is fine.

I started recording songs for a Christmas album in 2007 and just published them this month. I thought I would never release them. And every time Christmas was over, I didn't feel like working on them anymore. So I only had about a month per year to occasionally work on them. There were years when I didn't touch them.

So after 16 years, I could see the home stretch and I decided to make it to the finish line. (I recorded the final music video today, actually.) If you had pushed me to name a deadline back in 2007, I would've said 2008.

I have a whole bunch of "projects" lying around, some of them are just ideas at this point. They will get finished eventually. Or not. No pressure.


Good input and compliments for your project!

Sometimes, deadlines for private projects are necessary and for some projects they could be completely irrelevant. Also, it is a matter of personal choice and character to set one.

The idea part is very interesting. Basically ideas are the raw, unstructured parts of projects. There is an exploration aspect to it and to realize them may bring a lot of joy - without calling them a project just yet.

So maybe your decision to finish all those ideas, wrap them up, put them together, create the video, is the very incarnation of the project. For that you probably set some purposes and goals and maybe even a deadline.


I feel like I've read too many blogs that were started by an author who wanted to develop writing skills, self-promote, etc. - but didn't seem to have many interesting things to say, and those few things were padded by large quantities of unnecessary text.

I greatly prefer the occasional blogger who focuses on quality over quantity.


Glad you mention that, fully agree! One of my primary goals will be quality - I am a perfectionist.


Yeah, finishing personal projects is not impossible. I'm slowly building a set of tools for myself, and the servers I manage, and they're going well.

One of them can be considered finished, the other one is almost done. The first one may get improved, but that's a later exercise.


Cool that you are seeing your progress!

Improvements are an important aspect. They are simply changes to goals and the scope.

In terms of finishing projects, it is crucial to define them and possibly define milestones in advance.


Yeah, you need to have a clear target and aim while starting. Milestones start to show themselves once you're experienced enough.

While we're at it, experience is also a must. Everybody starts from the bottom, and needs to work their way up, and I found kaizen is a great way to do it.


Author here - thanks for the kind words. I mostly agree with your comment, the problem is less of not being able to achieve targets and more of the number of targets increasing as you get more and more ideas to add to something. Do start a blog, it's really fun!


> is it to solve a problem, is it to learn something, is it to achieve a target, is it to keep yourself busy to wind down and because you like doing it, or is it to promote yourself.

Is it because you feel the need to keep yourself busy, but too lazy to plan what you're trying to achieve.


Not sure what you mean with your comment, but 'keeping yourself busy' should not be confused with procrastinating or simply passing time. Procrastination, passing time, doing nothing, and feeling bored should also deserve time on their own.

However, I would not call them projects.

Anyway, there may be a feeling of burning on, or burning out, when private projects start to feel like a todo list...


> 'keeping yourself busy' should not be confused with procrastinate or simply passing time

Could you clarify - what's the difference?


I meant this purpose in the sense that an activity brings joy, the purpose is pleasure.

Doing something while procrastinating may be enjoyable. But along with it often comes guilt - sooner or later. I had issues with procrastination and occasionally still do. Even though some outcomes of alternate activities may be good, projects should not have the purpose of procrastination.

Passing time is when you deliberately do not work on any project. I think projects cannot have and should not have the sole purpose of passing time. If a project brings you joy, good, if not, the activity should not be called a project.


Exactly this.

I have been using KDE as my only DE for over ten years, including some years for work. Previously used Windows and currently, I have been forced to use Mac for about 4 years.

Window management in Mac is an outright disrespect for power users and built-in applications for Win are just not up to speed. In KDE, I just use most apps from KDE universe and most of them are a perfect fit.

KDE managed to take the good from Mac and Win and even improve upon it - and if you don't like it, you can most likely easily change it in the System Settings panel or application preferences. With Kubuntu, everything (hardware) has mostly worked out of the box and upgrading since Kubuntu 7.04 has been working pretty flawlessly.

When they release new features, it is evident that they care about users. The theming is consistent, elegant and yet heavily configurable. Plasma and KWin support you in the way that YOU want to work and do not force some workflow upon the users. I can control my Hue bulbs from the desktop and interact with my phone (through KDE Connect) bidirectionally.

The only missing thing was auto dark mode and I created https://github.com/adrium/knightadjuster for it. Even without reading much documentation, I could accomplish what I wanted simply by experimenting with qdbusviewer.

Thank you KDE developers - thank you KDE community! Keep up the good work and thanks for caring about users!


Thanks for making knightadjuster. I wasn't aware of it, I generally use mostly dark colours anyway and I turn on dark reader in Firefox manually.

However, this sounds like a great automated option. I just wish it would work with Firefox too :)


I don't use KDE personally because it ships with an absurd amount of bloat. And ever since I set up Hyprland I have had no need for anything else.


KDE apps are not included in Plasma by default. Plasma itself is very lightweight.


Sorry, I was referring to the bundle that Asahi Linux is using. I had a bad time trying to uninstall each package one-by-one and decided to just start with a minimal install instead.


Same on FreeBSD. It comes with the basics. Some apps like Krita or Kdenlive are pretty heavy but also incredibly powerful. So I have opted to install them but they are not in the base package.

I think some small apps like Konsole, Kate, Dolphin and KWallet come in the default install but you can't really do without them.


It does have some visual bloat when you compare it to modern tiling wms, though.


True but it's much more than a WM. Especially a tiling one which are designed to be super basic :)


Really nice work!

After trying many different ones, I created my own.

I use it for HIIT and Pomodoro: https://tools.adrium.dev/timer.html

Features: Landscape/portrait layouts, configurable intervals, sound, color, circular progress bar, simple UI, spacebar to start/pause.

It is pure HTML5, one file, and thereby open source.


240/4 was reserved for future use more than 30 years ago. When is 'the future' if not now. Furthermore, reservations for 0/8, 127/8, and 224/4 seem mostly useless at this point.

Also Ford, Daimler, and Prudential owning huge network blocks and neither even doing business in networking, nor announcing prefixes can be referred to as outright IP squatting (if that term exists). The US DOD seems to be a squatter, too.

Based on professional experience, I doubt that networking equipment cannot handle reserved blocks. And if it indeed does not, patches could surely be provided by vendors within reasonable time.

The problem is not severe enough: neither for a switch to IPv6 (also conceived almost 30 years ago!) nor to make use of unused blocks.

I refuse to believe that IPv4 address exhaustion is actually a thing.


Imagine how many problems would be caused by releasing 0/8 and 127/8 space. There are so many places those are hardcoded, including an uncountable number of internal company applications.


It is irresponsible to use (let alone to hardcode) those addresses in the first place. But in any case, fortunately, software can be patched and it has been done so already in 'tricky' cases: Y2K and X.509 UTCTIME are examples.

My company operates big networks and it caught us off guard when 44/8 got used on the public Internet. Internal tooling used the space because it was assumed to be non-routable. Assumptions like this always carry a risk and sooner or later, they need to be fixed. In our case, a workaround could be produced within hours, and it was fixed within weeks.

0/8 support has been added in the Linux kernel as well.

Edit: scdown.qq.com resolves to 0.0.0.1 and is possibly related to WeChat. I am not sure if the address is actually routable in China, though.


I doubt anything containing 0.0.0.1 is advertised in China (it's definitely not outside of China). Looks like an address someone would use to indicate an error condition.

... which is just another example of the zillions of cases that would have to be dealt with.

Sure, each one is probably quite easy. But the sheer number of them is huge, and many of them will only be uncovered after they fail, setting off a frantic search for the retired guy with the source code.

With Y2K there was a combination of self-interest and hysteria that motivated organizations to tackle it. With this, it's harder to make that case because IPv6 is here already. I'm sure very few of those applications with hardcoded 0.0.0.0/8 are IPv6-ready, but everyone else can move ahead with IPv6 and those old apps will keep working for years to come. Unleashing 172.0.52.7 as someone's residential IP address will result in seemingly random failures that cause headaches for the ISP, application developers, and corporate IT departments. It'll be a very unpopular idea.


My principal reason for proposing that 127 be reduced to a /16 instead of a /8 was to help unwind the kubernetes hairball.

I have no idea to what extent 0/8 is being used today. I do see quite a bit of 240/4 in private networks. It's a shame that last may never be publicly allocated.


I have a similar experience: Some hosting providers / AS host shady stuff and I understand that VPS ranges end up on block lists quite easily.

I only block AS 4134 and AS 4837, some AS that host services like shodan, and aggressive crawlers like semrush.

Anything that sends packets to my server gets rate-limited quickly. Still barely noticeable for occasional human interaction. I also started with /24, but I am now up to /12.

PS. By the way, has anyone ever seen spameri@tiscali.it in the logs? It shows up almost on a weekly basis as RCPT TO address from literally all over the world.


> By the way, has anyone ever seen spameri@tiscali.it in the logs? It shows up almost on a weekly basis as RCPT TO address from literally all over the world.

Yes, I see it all the time in my logs.


I have been running my own mail server for two years on my private ISP and have fewer problems than expected - even with the dynamic IP address (in practice, it changes once in 6-12 months) and no PTR. I also switched the ISP once. I have SPF, DKIM, DMARC.

Edit: The nice thing about running the mail server personally and without a relay (like mailgun) is that mail is to-my-end encrypted. If the other party is running its own mail server, it could even be E2E encrypted. Considering the vast amount of personal information that is going through email, this makes me feel good in terms of privacy.

I have never heard of UCEPROTECT and fortunately, I never had to deal with it. The language on the webpage somehow reminds me of Kryptochef...

A small inconvenience is that I had to unblock the IP on Spamhaus PBL every month. By now, it feels as if they know me, because I now only have to do this once if I get a new IP...

Many mail servers are nice and provide the reason for the block even with hints how to unblock it. I successfully unblocked it on Abusix and Microsoft. Never had an issue with Google.

GMX on the other hand will never accept my email because they require a proper PTR record. They are the only company I have come across and I find that scandalous.


I like running my own mail server but I don't want to waste time on filtering spam so mismatches with PTR and hostname are an instant rejection from me.

A PTR match is a very strong signal that I am looking at a hosted server or business connection which is configured to send email and not a compromised Windows PC on consumer DSL which used to be a huge problem. ISPs supply those DSL ranges to blocklists as well.

When I first started hosting my own mail it was on an old repurposed Linux PC on ISDN in the early 2000s and even then my ISP offered configurable PTR records along with static IP in a small business package.

I moved my family email VPS to a different region recently and it took me a few seconds to update the PTR records for IPv4 and IPv6. It seems a very low bar for such a strong signal that you are dealing with a mail server and not some random compromised machine.


Your comment about no issues with no valid PTR surprised me.

Spamhaus PBL is built based on your ISP telling Spamhaus which IPs are dynamic and which IPs should not send email. Your ISPs seemed to be nice enough to allow you delisting from it, which not all ISPs will allow.

Abusix has a similar list, but it's completely built based on dynamic looking or no PTRs. You can create an account and delist without any issues.

Nevertheless, there are way more services than GMX that block based on dynamic or no PTR. A lot of smaller solutions have this option checked by default. And it actually has been a best practice for decades to have a proper PTR.

If you can, I'd set one and be done with it.
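The PTR policy discussed in the comments above (reject a sending host that has no PTR, or whose PTR does not match its hostname) can be written as a forward-confirmed reverse DNS check. This is an added example, not code from any commenter: `check_client`, the sample zone data and the choice to compare against the SMTP HELO name are assumptions, and the lookups are injectable so it runs offline.

```python
import ipaddress
import socket


def system_ptr(ip):
    """PTR names for ip from the system resolver (empty list if none)."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
        return [name, *aliases]
    except OSError:
        return []


def system_addrs(name):
    """A/AAAA addresses for name from the system resolver."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None)})
    except OSError:
        return []


def norm(name):
    """DNS names compare case-insensitively, ignoring the trailing dot."""
    return name.rstrip(".").lower()


def check_client(ip, helo, ptr_lookup=system_ptr, addr_lookup=system_addrs):
    """Return (verdict, reason) for a connecting SMTP client."""
    client = ipaddress.ip_address(ip)
    ptr_names = [norm(n) for n in ptr_lookup(ip)]
    if not ptr_names:
        return ("reject", "no PTR record")
    # Forward-confirm: a PTR name only counts if it resolves back to the
    # client. Compare parsed addresses, since IPv6 has many text forms.
    confirmed = set()
    for name in ptr_names:
        for addr in addr_lookup(name):
            try:
                if ipaddress.ip_address(addr) == client:
                    confirmed.add(name)
            except ValueError:
                continue
    if not confirmed:
        return ("reject", "PTR name does not resolve back to the client")
    if norm(helo) not in confirmed:
        return ("reject", "HELO name differs from the confirmed PTR name")
    return ("accept", "PTR forward-confirmed and equal to HELO")


# Constructed sample data (documentation address ranges and example names).
SAMPLE_PTR = {
    "192.0.2.10": ["mail.example.org."],
    "198.51.100.23": ["dsl-198-51-100-23.pool.example.net"],
    "203.0.113.5": ["mail.example.com"],
    "2001:db8::25": ["mx.example.org"],
}
SAMPLE_A = {
    "mail.example.org": ["192.0.2.10"],
    "dsl-198-51-100-23.pool.example.net": ["198.51.100.23"],
    "mail.example.com": ["203.0.113.99"],  # forward record points elsewhere
    "mx.example.org": ["2001:db8:0:0:0:0:0:25"],
}


def demo():
    """Run the policy over the constructed clients and return the verdicts."""
    ptr = lambda ip: SAMPLE_PTR.get(ip, [])
    addrs = lambda name: SAMPLE_A.get(name, [])
    cases = [
        ("192.0.2.10", "mail.example.org"),     # properly configured server
        ("198.51.100.23", "mail.example.org"),  # pool PTR, unrelated HELO
        ("203.0.113.5", "mail.example.com"),    # PTR not forward-confirmed
        ("192.0.2.77", "mail.example.org"),     # no PTR at all
        ("2001:db8::25", "MX.Example.Org."),    # IPv6, differing text forms
    ]
    return [check_client(ip, helo, ptr, addrs) for ip, helo in cases]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```
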


Does it really come as a surprise that apps are exploiting the clipboard?

TLDR: Drag and drop sensitive stuff. If necessary, copy only part of sensitive information, enter the rest manually.

The amount of usability obstacles in the name of security is getting ridiculous. For example, when I got a new company mac, I had to enter my keychain access password and grant access to folders countless times - and I still have to do that after one week of using it occasionally.

Similarly annoying are the cookie questions. In the beginning, I found it interesting and tried to reduce the number of cookies as much as possible - now I just click whatever button brings me to the site fastest (or don't click a button at all, if it is still possible to scroll and see about half of the page on mobile).

Don't you also feel some kind of fatigue?

Now please do not cripple the clipboard the same way. By the way: Qubes OS takes an interesting approach here. Similar to suggestions by some of the commenters. [1]

Don't get me wrong: I am extremely sensible to security - but also to usability. I want to use my daily-driver system conveniently and it should "just work" and I want to trust it fully [2]. I do not just install any trash app, simply because there is one available.

On the desktop:

1. Only applications from the official repos get installed. I may install other open source software occasionally. So yes, the trust lies with the distro.

2. Other software (potentially untrusted or good to be isolated) like banking or tax software or zoom get a proot environment or a new user profile.

3. Most software can be run in the browser anyway and it is actually quite a nice sandboxing tech. Web apps cannot simply read the clipboard. [3]

4. Clear cookies on browser exit. I have a whitelist for about two or three sites to keep the state for convenience.

5. Browser extension that manages and fills passwords on request(!). No need to copy-paste around. [4]

6. If I need passwords elsewhere, I use drag and drop. I believe this is extremely convenient and very secure. That works 90% of the time, otherwise, I copy only part of the sensitive information and enter the rest manually.

On mobile:

1. Same goes for app installation: open-source only from F-Droid.

2. Other apps get put in a work profile and disabled when not used. [5] No trash like games and social media.

3. Do not copy paste sensitive information, but use IME apps (keyboard apps that actually "type" passwords). Personally, I like KeePassDX and sometimes use KDE Connect. [6]

Accounts:

1. I own several domains and mobile numbers, all companies that want my info get different data.

2. Fill in bogus information if possible.

I may have gone overboard with this :-D But I don't even care about MFA that much at this point... And it is an interesting experiment to see what company leaks data.

[1] https://www.qubes-os.org/doc/how-to-copy-and-paste-text/

[2] Kubuntu fanboy here and Android still on version 8 though because of ROM customization

[3] https://developer.mozilla.org/en-US/docs/Web/API/Clipboard/r...

[4] https://github.com/adrium/easypass

[5] https://f-droid.org/en/packages/net.typeblog.shelter/

[6] https://www.keepassdx.com/ and https://f-droid.org/en/packages/org.kde.kdeconnect_tp/ And I wrote a KeePass plugin to convert the passwords: https://github.com/adrium/KeepassPfpConverter


"For example, when I got a new company mac, I had to enter my keychain access password and grant access to folders countless times - and I still have to do that after one week of using it occasionally."

Did you not set up Touch ID?


Hmm... Yes, but I am only aware of using it for unlocking the computer...


Try using it the next time a password prompt comes up.


I just tackled that recently myself - mainly to publish my music library.

Glancing over the blog post, it almost feels overengineered. Conveniently, the Chrome Bookmarks file already is JSON and I created a small tool that takes it as input and renders it with Handlebars templates. It also includes a simple way to get thumbnails and an HTML template with expandable folders (no JavaScript needed).

https://github.com/adrium/bookmark-publisher


Used KeePass and pass in the past. KeePass is nice, but has many more features than I really need. I wanted something lighter and simpler, so I migrated to pass in 2015. Even though it is nice that it relies on tools like gpg and git, it complicated things more than not. It is (was?) hard to use on every OS except Linux. And in addition to backing up the database, the gpg key now needs to be backed up, too. Password management is messy.

When searching for alternatives, I found the concept of stateless password managers. Proprietary cloud solutions are off the table for me. Because I travelled a lot in 2018, a new criterion emerged: How does bootstrapping work? How do you get any password from the database on a device that you do not own? This is obviously difficult with a traditional approach. I quickly migrated most important logins and never looked back!

Besides storing passwords, a password manager should also help using them. KeePass provides Auto-Type for this. Eventually, most passwords will be used in the browser. Having a compatible browser extension became a must. Copy-pasting is a dealbreaker, because every application can read the clipboard! Most desktops support text drag and drop and on mobile, the application should provide a custom keyboard or accessibility feature.

In the meantime, I am using my own browser extension and wrote a converter plugin for KeePass to occasionally copy them (for convenience only) to my mobile. Typing the master password is cumbersome, so I use a random file (one of the dozens) in the Downloads folder as keyfile. In case of emergency or for bootstrapping, there is a web app.


If you can stomach some more features, KeePassXC is well-maintained and has an excellent browser extension as well as FDO secret service integration on Linux for CLI access via secret-tool.

