  • 0 Posts
  • 14 Comments
Joined 2 years ago
Cake day: November 5th, 2023

  • Sales taxes are state/city level taxes, there are no federal sales taxes (yet). But he is essentially using the tariffs as a way to enact sales taxes without really adding a sales tax.

    With the tariffs he can add a massive tax on the people which Republicans would normally be very much against, but he can say it is about being pro American and most of them forget about all of the extra money they will be paying.

    This shifts the tax burden further onto middle/lower income homes and lets him give more income tax cuts to higher earners without increasing the deficit so much that congress would turn on him.

    The Republicans have actually been talking about this for a long time; they called it the “fair tax”. Their fair tax plan was basically a flat ~23% federal sales tax that would replace income tax, but they could never get their base behind it.

    Someone on Trump’s team realized that we buy so much from other countries that he could accomplish the same thing the fair tax aimed to do via tariffs while selling them to his party as “buy American”. His lower/middle income base eats that up, and his campaign donors see it as killing their overseas competition.

    If it weren’t for the other countries reciprocating it would have been a good plan for them.


  • greyfox@lemmy.world to Selfhosted@lemmy.world · Sharing Jellyfin · 1 month ago

    Depending on how you set up your reverse proxy it can reduce random scanning/login attempts to basically zero. The point of a reverse proxy is to act as a proxy, as a sort of web router, and to validate that the http requests are correctly formatted.

    For the routing, depending on what DNS name/path the request comes in with, it can route to different backends. So you can say that app1.yourdomain.com is routed to the internal IP address of your app1, and app2.yourdomain.com goes to app2. You can also do this with paths if the applications can handle it. Like yourdomain.com/app1.

    When your client makes a request the reverse proxy uses the “Host” header or the SNI string that is part of the TLS connection to determine what certificate to use and what application to route to.

    There is usually a “default” backend for any request that doesn’t match any of the names for your backend services (like a scanner blindly trying to access your IP). If you disable the default backend or redirect default requests to something that you know is secure any attacker scanning your IP for vulnerabilities would get their requests rejected. The only way they can even try to hit your service is to know the correct DNS name of your service.

    Some reverse proxies (Traefik, HAproxy) have options to reject the requests before the TLS negotiation has even completed. If the SNI string doesn’t match, the connection just drops; it doesn’t even bother to send a 404/5xx error. This can prevent an attacker from doing information gathering about the reverse proxy itself that might be helpful in attacking it.

    This is security by obscurity which isn’t really security, but it does reduce your risk because it significantly reduces the chances of an attacker being able to find your applications.

    Reverse proxies also have a much narrower scope than most applications. Your services are running a web server with your application, but is Jellyfin’s built in webserver secure? Could an attacker send invalid data in headers/requests to trigger a buffer overflow? A reverse proxy often does a much better job of preventing those kinds of attacks, rejecting invalid requests before they ever get to your application.
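
    As an added example (not from this thread and not code from HAProxy, Traefik or Jellyfin), the following Python script shows why the SNI-based drop described above can happen before the TLS negotiation finishes: the server name travels in cleartext inside the ClientHello, the first record on the connection, so a proxy can parse it, look it up, and close the socket when nothing matches. The hostnames, backend addresses and the ClientHello fixture are constructed for the demo; `decide()` with `default_backend=None` models the “no default backend” posture, and passing a `default_backend` models the permissive catch-all behaviour.

```python
"""Added example: SNI extraction from a TLS ClientHello and a drop-by-default
routing decision, as a reverse proxy without a default backend would make it.
Hostnames, backend addresses and the fixture ClientHello are constructed."""
import struct
from typing import Dict, Optional, Tuple

# Constructed routing table: SNI name -> internal backend (hypothetical values).
BACKENDS: Dict[str, str] = {
    "app1.example.com": "10.0.0.11:8096",
    "app2.example.com": "10.0.0.12:8080",
}


def build_client_hello(server_name: Optional[str]) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record (test fixture, not a real client)."""
    extensions = b""
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name      # host_name entry
        sni_list = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", 0x0000, len(sni_list)) + sni_list
    body = (
        b"\x03\x03"                            # client_version: TLS 1.2
        + b"\x11" * 32                         # random (constructed filler)
        + b"\x00"                              # session_id length 0
        + struct.pack("!H", 2) + b"\x13\x01"   # one cipher suite
        + b"\x01\x00"                          # compression methods: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the lower-cased host_name from the SNI extension, or None.
    Every length is bounds-checked so a truncated or non-TLS stream yields None."""
    if len(record) < 5 or record[0] != 0x16:           # not a TLS handshake record
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:                   # not a ClientHello
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                       # skip version + random
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                               # session_id
    if len(body) < pos + 2:
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                               # compression_methods
    if len(body) < pos + 2:                            # no extensions at all
        return None
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = min(pos + ext_len, len(body))
    while pos + 4 <= end:
        ext_type, ext_data_len = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + ext_data_len]
        pos += ext_data_len
        if ext_type != 0x0000 or len(data) < 5:        # 0x0000 = server_name
            continue
        entries = data[2:2 + struct.unpack("!H", data[:2])[0]]
        i = 0
        while i + 3 <= len(entries):
            name_type = entries[i]
            name_len = struct.unpack("!H", entries[i + 1:i + 3])[0]
            if name_type == 0:                         # 0 = host_name
                return entries[i + 3:i + 3 + name_len].decode("ascii", "replace").lower()
            i += 3 + name_len
    return None


def decide(record: bytes, backends: Dict[str, str] = BACKENDS,
           default_backend: Optional[str] = None) -> Tuple[str, Optional[str]]:
    """Routing decision for the first record on a fresh connection.
    default_backend=None drops unknown or missing SNI before any certificate or
    error page is sent; a default_backend reproduces the permissive catch-all."""
    sni = extract_sni(record)
    if sni is not None and sni in backends:
        return ("route", backends[sni])
    if default_backend is not None:
        return ("route", default_backend)
    return ("drop", None)


if __name__ == "__main__":
    for label, rec in [("known name", build_client_hello("app1.example.com")),
                       ("unknown name", build_client_hello("scan.example.net")),
                       ("no SNI", build_client_hello(None)),
                       ("plain HTTP", b"GET / HTTP/1.1\r\n\r\n")]:
        print(f"{label:12s} -> {decide(rec)}")
```

    The parser stops at the first host_name entry and never raises on a malformed record, which is the property you want in the component sitting in front of everything else: a scanner sending garbage gets a closed socket, not a stack trace.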


  • Agreed. The nonstandard port helps too. Most script kiddies aren’t going to know your service even exists.

    Take it another step further and remove the default backend on your reverse proxy so that requests to anything but the correct DNS name are dropped (bots are just probing IPs) and you basically don’t have to worry at all. Just make sure to keep your reverse proxy up to date.

    The reverse proxy ends up enabling security through obscurity, which shouldn’t be your only line of defence, but it is an effective first line of defence especially for anyone who isn’t a target of foreign government level of attacks.

    Adding basic auth to your reverse proxy endpoints extends that a whole lot further. Form based logins on your apps might be a lot prettier, but it’s a lot harder to probe for what’s running behind your proxy when every single URI just returns 401. I trust my reverse proxy doing basic auth a lot more than I trust some php login form.

    I always see posters on Lemmy about setting up elaborate VPN setups as the only way to access internal services, but it seems like awful overkill to me.

    A VPN is still needed for some things that are inherently insecure or just should never be exposed to the outside, but if it is a web service with authentication required a reverse proxy is plenty of security for a home lab.


  • All of the “snooping” is self-contained. You run the network controller either locally on a PC, or on one of their dedicated pieces of hardware (dream machine/cloud key).

    All of the devices connect directly to your network controller, no cloud connections. You can have devices outside of your network connected to your network controller (layer 3 adoption), but that requires port forwarding so again it is a direct connection to you.

    You can enable cloud access to your network controller’s admin interface which appears to be some sort of reverse tunnel (no port forwarding needed), but it is not required. It does come in handy though.

    As far as what “snooping” there is, there is basic client tracking (what IP/mac/hostnames) to show what is connected to your network. The firewall can track basics like bandwidth/throughput, and you can enable deep packet inspection which classifies internet destinations (streaming/Amazon/Netflix sort of categories). I don’t think that classification reaches out to the internet but that probably needs to be confirmed.

    All of their devices have an SSH service which you can log in to and you have pretty wide access to look around the system. Who knows what the binaries are doing though.

    I know some of their WISP (AirMAX) hardware for long distance links has automatic crash reporting built in which is opt out. There is a pop up to let you know when you first log in. No mention of that on the normal Unifi hardware, but they might have it running in the background.

    I really like their APs and having your entire network in the network controller is really nice for visibility but my preference is to build my own firewall that I have more control over and then Unifi APs for wireless. If I were concerned about the APs giving out data, I know I could cut that off at the firewall easily.

    A lot of the Unifi APs can have OpenWRT flashed on them, but the latest Wifi7 APs might be too locked down.


  • Third party solutions can at least partially fix this. I have this site: https://spotifyshuffler.com/ create a shuffled copy of my playlists occasionally. Then you just play the pre-shuffled playlist with shuffle disabled.

    In my case I have a large (several thousand track) playlist, and I turn on Spotify’s shuffle just to pick the first track at a somewhat random spot in the large list and then shut their shuffle off to continue the pre-shuffled list without their manipulation. Whenever I add content to the playlist I have it reshuffled.


  • I believe so. The package descriptions for most of the ZFS packages in Ubuntu mention OpenZFS, so it certainly appears that way.

    You can still create pools that are compatible with Oracle Solaris, you just have to set the pool version to 28 or older when you create it and obviously don’t update it. That will prevent you from using any of the newer features that have been added since the fork.


  • Well, worse than that, Oracle closed-sourced ZFS, so OpenZFS was forced to become a fork, and they are no longer compatible with each other.

    As for GPL, the CDDL license that ZFS uses made sure that code contributions attribute copyright to the project owners, which means they can change the license as they please without having to track down contributors.

    You would think with their investments in Oracle Linux and btrfs they would welcome that license change, but apparently they need excuses to keep putting money into Solaris, and their Oracle ZFS appliances instead.


  • One nice thing about KDE compared to most of the other DEs is that the window manager (kwin) is separate from the underlying components, and it can be replaced!

    There are many walkthroughs like this one out there: https://github.com/heckelson/i3-and-kde-plasma

    You get i3 for tiling window management but you still get to use KDE’s system settings to do configuration like display settings, themes, keyboard shortcuts, etc, just like you did before. You can also pick and choose which parts of the KDE desktop you want to keep (menu, krunner, etc).

    Since i3 is just a window manager and is lacking all of that system level stuff, it really rounds out i3 to feel like a full DE instead of having to piece together other tools to do those things.