Fabio Alessandro Locati (Fale)'s blog

On photographing physical keys

February 28, 2025

Every one of us probably has some physical keys in our pocket or purse right now. This familiarity with this common object might make us forget about how the security of those objects actually works.

I see pictures of keys shared very often in groups or on social media. Sometimes this happens because a set of keys has been found somewhere, and the person uploading the picture is trying to help the owner identify their keys. Other times it is simply a picture where the keys are not the subject, but happen to be in the frame.


A bad year for open source databases

December 31, 2024

Although the definitions of open source are related to specific software characteristics (i.e., the license), the reality is much more complex. Open source is far more about a social contract that the software’s creator and its users morally sign than the definition might lead you to believe. The key aspect of this social contract concerns the software’s current license and the licenses of future versions. This is because, although users of open-source software usually do not pay to use it, they incur high costs to adopt it. Examples of those costs are training costs and the potential cost of replacing a certain technology should it become unavailable in the future.


Hyperscalers are not serious about Service Level Agreements (SLA)

November 30, 2024

I often talk with people about Service Level Agreements (SLAs) in public cloud contexts, and I discover that their idea of what those SLAs are is often distorted.

I believe SLAs need to be approached with a healthy dose of skepticism. In reality, they often provide little meaningful recourse when things go awry. There are two big issues, in my opinion, with the SLA provided by many companies, including the hyperscalers:


Nebula VPN split configuration

October 31, 2024

We have had Nebula VPN within the Fedora repositories for a couple of years. A couple of months ago, I changed the default systemd service unit. More specifically, this is the change:

-ExecStart=/usr/bin/nebula -config /etc/nebula/config.yml
+ExecStart=/usr/bin/nebula -config /etc/nebula
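Review bot: the prose following this diff says the configuration used to live in config.yaml, while the removed line points at /etc/nebula/config.yml; the unit file is the source of truth, so align the prose (or the filename) with it. It is also worth documenting next to the unit that, with a directory argument, every YAML file in /etc/nebula is read and merged into the running configuration, so the directory's ownership and mode now deserve the same care the single file had: any stray or writable file placed there changes the VPN's configuration.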

Although the change is only a few characters, it allows for a much more flexible use of Nebula. Before this change, the configuration could only be placed in the config.yaml file. After this change, all YAML files in the folder are read, merged, and used as the configuration.


On Out of Office emails

August 26, 2024

This summer, I found myself multiple times reading out-of-office emails. Actually, this is not a new phenomenon: it has happened every summer since I started working. Obviously, it also happens outside the summer, but it is far easier to notice it during the summer.

I think the majority of people should not configure an out-of-office auto-reply.

By recipient

Many people might write to you and receive an out-of-office email if you have set up an out-of-office auto-reply. Let’s analyze the various personas that might send you emails and whether the out-of-office message makes sense for them.


Forward all your traffic with RedSocks

April 30, 2024

VPNs can be used in different ways based on the desired objective. If the goal is to reach some specific web pages served only within a network, using a proxy will probably do the trick. Another common use for VPNs is to ensure the confidentiality of data transferred between a remote system and a safe site. In this case, we might want to ensure that all traffic from the remote system reaches the safe site via the VPN.


Use Dante to proxy web traffic

March 31, 2024

A while ago, I posted about using SSH to proxy traffic within a Nebula network context. In the last few months, I changed my implementation because SSH required some steps and accesses that I was not fully happy with.

In the previous iteration, I was using SSH as a SOCKS proxy. The problem, though, is that I need to set up the connection every time and use my SSH credentials, so it becomes difficult to have it always on. A different SOCKS proxy software needs to be used to achieve the same result without SSH.


Please stop using VPN services for privacy!

March 29, 2024

For many years, VPN companies have advertised their VPNs as a necessary tool for everyone who wants to preserve their privacy. For the same amount of time, I have tried to explain to people that this view makes no sense, except for those companies’ sales.

As an example, Onavo, a Meta subsidiary, used to advertise its services by highlighting that, among other advantages, using their product “protects your personal info”. This claim would not be a problem by itself, but it becomes one when a court finds that it is not actually true, and new court documents seem to indicate that the behavior was worse than initially thought.


Share volumes between Podman Systemd services

December 31, 2023

Since the merge of Quadlet in Podman, I’ve been moving multiple services to Podman Systemd services. I find them to be easy to create, manage, and automate.

I recently migrated a complex system to Podman Systemd, where multiple processes write to a folder and one process reads the folder’s content. Before the migration, everything worked properly since all the processes were running natively on the machine as the same user. After the migration, there were some permission issues. This issue allowed me to dive a little more deeply into the whole implementation of SELinux for containers and realize a few interesting things.


Use per-host SSH key pairs on AWX and Ansible Automation Controller

September 18, 2023

One of the aspects that I have always loved about Ansible is that it integrates very nicely with the rest of the system where it is running. For example, you can easily set all the SSH options directly by changing the ~/.ssh/config file. I’ve seen multiple cases where the SSH configuration file needs to be tweaked. A case that comes up occasionally is an environment configured in a way that requires Ansible to use a different SSH key for each machine it manages. I’m aware that this is not an ideal setup, since it does not increase security as much as the person who came up with such a rule was expecting. Still, it is a requirement that some companies have for various historical reasons and, usually, it is impossible or impractical to challenge. However, the same process applies to any other SSH connection tweaking that can be performed in the SSH configuration file, such as proxies, ciphers, host checks, etc.
