and what you can take away from this log is that the reason they are blasting the entire internet, every webserver with these requests - most of which are 'i'm gonna hit myself in the face with a brick now' level of bad from a config/dev/admin perspective - is squarely because it has worked for them enough times that they feel spraying the internet will nab them more.
look.
just look at the shit they're collecting and how easily they're doing it.
this is because docker
this is because k8s
this is because everywhere has gone "DX" - or "optimizing for the developer experience above all else, at the cost of everyone else."
make things as easy as possible for the devs/devops, we don't care how bad the security becomes, how many layers of abstraction get installed, how many dozen new js frameworks appear this afternoon, how public the data is, how bad the architecture is - burn the building down
just make sure the devs are comfy
"this is because docker
this is because k8s"
I'm curious to hear more about this take. I'm only a hobbyist at this point, but I run some docker services on my local network, nothing (to my knowledge) exposed to WAN or ports forwarded. Surely this can't be *mostly* docker and DX's fault that the internet is like this, can it?
The reason I ask is because I care about my services and network being secure, and in the future I would like to host public web servers, though probably not from my home network. Inevitably there will be something I'll miss when embarking on a project like that, but I'm wondering if there's a takeaway I'm missing from these posts aside from avoiding abstraction as much as possible when designing web services.
@crocodisle i have seen the inside of probably 30 companies worth of k8s infrastructures.
i've seen things.
@crocodisle if you want free advice:
- if you want to host a thing and you want that thing to be public, do not host it inside of docker or k8s.
- there are many many reasons why, and i don't want to turn this into a 300 post long thread
- whoever decided that all the secrets need to be stored in env vars or in files called .env should not be allowed to touch computers anymore
- do your coding/building behind a firewall
- push static content to 'a host'
- do not run docker or k8s on that host.
@viq @crocodisle yep. containers just make it way way way way way way easier to host content with the same problems that have plagued us for decades.
these problems "do not exist because of docker/k8s" but "these problems are made way way way way worse by docker/k8s"
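
The advice earlier in the thread (no secrets in `.env` files, push only static content to the public host) can be enforced with a check run before anything is published. This is an added example, not code from anyone in the thread; the file-name and key-name patterns and the sample tree are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Assumption: file names treated as env files (.env, .env.production, prod.env).
ENV_NAME = re.compile(r"^(\.env(\..+)?|.+\.env)$")
# Assumption: KEY=VALUE lines whose key name looks like a credential.
SECRET_LINE = re.compile(
    r"^\s*(?:export\s+)?"
    r"([A-Z0-9_]*(?:SECRET|PASSWORD|PASSWD|TOKEN|API_KEY|PRIVATE_KEY)[A-Z0-9_]*)"
    r"\s*=\s*\S+",
    re.MULTILINE,
)

def audit_publish_dir(root):
    """Return sorted (relative_path, reason) findings for a directory about to be published."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if ENV_NAME.match(name):
                findings.append((rel, "env file"))
                continue
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    text = fh.read(1_000_000)  # cap how much of each file is scanned
            except OSError:
                findings.append((rel, "unreadable"))
                continue
            for m in SECRET_LINE.finditer(text):
                findings.append((rel, "secret-like assignment: " + m.group(1)))
    return sorted(findings)

def build_sample_site(root):
    """Constructed sample tree: one clean page plus two mistakes."""
    os.makedirs(os.path.join(root, "assets"))
    samples = {
        "index.html": "<h1>hello</h1>\n",
        ".env": "DB_PASSWORD=constructed-example\n",
        "assets/deploy.sh": "export API_TOKEN=constructed-example\n",
    }
    for rel, body in samples.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_site(tmp)
        for rel, reason in audit_publish_dir(tmp):
            print(f"BLOCK PUBLISH: {rel}: {reason}")
```

Any finding should fail the publish step, so the file never reaches the web root in the first place.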