
Almost need to run each npm package isolated to the extent possible, or something equivalent.

Except parents not being trained to really use it unless they look for it specifically.

Yes, a parent's attention is a limited and valuable resource. It is a parent's job to monitor the environment for dangers to their children. Not to neuter the entire adult world to make it pseudosafe for kids.

It's less about neutering, and more about diet.

Junk food and processed sugar create dietary-based ADHD kids.

One's information diet also changes how the brain develops, that's not a pseudo threat.

I sense some trepidation around not having unfettered access to swim in the whole ocean as a child with more and more sharks and angel fish floating around.

The environment to monitor is increasingly digital, not just in person. See my note above about parents who think their kids are safe at home, when they're letting the entire unfiltered world into their kids devices, eyes, minds without context.


I don't think it has much to do with caring.

If it's simple to begin with doing this, or things to try specifically that can build any parent's skills and competencies in this area, mind sharing that?


It's starting to change in places, including in the US.

The reality is it's not the smartphone, but the slot machine type software running on it.

There's more than enough science that placing this kind of content in front of humans before their prefrontal cortex is fully formed at age 25-26 leads them to leaning on the pre-frontal cortex of the adults around them, and missing that, whatever they're spending the most time with that's then possibly raising them.

Screens at lower resolutions and quality didn't seem to be as much of an issue compared to the hyper saturated motion with sound effects that are consciously chosen to keep eyeballs.

Like anything, digital can be used for good, or bad, and in lieu of good, the other can happen and become more of a default.


I agree but it is much harder to stop people from building slot machines than to stop children from using them. Even easier than telling people to stop using them.

And hey, maybe if we actually take some autonomy and remove that market from actors who don't want to build the things the market is requesting then they'll actually build the things the market is requesting... it's easy to say we want something but no one listens when we still buy the thing we say we hate. Maybe it's addiction but it's still hard to fight against. (Though we could still do better by accommodating those who are trying to break the network effects. You can complain how hard it is to get off Facebook but if you're not going to make the minuscule extra effort to accommodate those who do leave then how can you expect the ground to be laid for you to?)

At the end of the day though, with kids, the OP's argument fails because it either assumes smartphones are an inevitability or that the benefits outweigh the costs. It's a bad argument.


The market isn't always requesting things, viral consumer loops are used to form addictive habits to get a market to request things.

That being said, it could be used for more positive things too, beyond attention farming and resale to ads alone.


Many parents think their kids are safe when they are inside the home, without realizing they are letting in the entire world, including things worse than they ever imagined into their homes, through the devices.

In the past, the general disconnection of the world and information had a natural insulation factor. Probably less so today.

Rather than admonish adults, it's actually quite common that many people in many professions don't know how to purchase, or implement software in their day to day work, let alone at home.

Maybe, this is an aspect of digital literacy that has been lacking - we know that the consumer habit loop that smartphones go after is not always about digital health, or the user's digital literacy, it's about capturing their attention.

Parents actually seem to want the same kind of quality curation not just with the internet, but all areas of their children's lives.

The free for all they may have grown up with 20-40 years ago is simply not the same any more online, or offline.

In that way, even trying to make an effort sometimes isn't enough I'd say. Ignorance is one thing, but maybe it could seem like negligence to others.

Would there be some possible solutions or approaches you or others could offer here to help parents build the skills that lead to not giving up? Sincerely curious where folks see the starting point of these skills.


>Ignorance is one thing, but maybe it could seem like negligence to others.

In person I've found the difference to be usually very clear. It's why I distinguish between the sympathetic attitude of "I don't know where to start" and the contemptible reaction that "therefore I will act as if nothing is wrong, or write it off as someone else's fault."

>Would there be some possible solutions or approaches you or others could offer here to help parents build the skills that lead to not giving up? Sincerely curious where folks see the starting point of these skills.

It's a hard problem. I've spent a lot of time thinking about it, and almost as much time talking to relatives with children. I have come to no happy, easy answers.

Carey Parker's Firewalls Don't Stop Dragons is a good starting point to Security and Privacy, but not really how computers work. There are various books I remember from childhood about how computers work, but I don't really remember the process of coming to understand computers distinctly because it was both early and continuous over a long period.

I think the best we'll do as a species is one-to-three computer people per extended family. And I think the key will be teaching those people how to be of service to their families. But there's not really an existing framework for a "computer court wizard" in each family nor for what maxims and/or proscriptions such a person might teach computer illiterate family members in order to use computers safely and protect the family's children from the worst of dark algorithms, surveillance, and abuse/predators online.

It's completely uncharted territory.


Appreciate the thoughtful reply.

I'm not sure its entirely uncharted territory.

TV channels used to get managed. Magazines used to get managed.

There is a lot more volume now, obviously.

Tools like Circle can provide some level of family level DNS which can help.

Something that stands out is also helping parents get a handle on their own consumption and habits to be able to better teach kids on what to look out for.


The conceptual frontier of a world of networked computers is uncharted, and we are well along into that dark frontier now. I don't think TV or magazines are a good point of comparison, nor anything from the analog world of yesterday.

Analog mass media couldn't dynamically adapt itself to individual viewer proclivities in order to attract attention. Parents can understand that children shouldn't watch TV at night because society has agreed to constrain more mature programming to when children are mostly asleep. We can understand not to leave a Playboy magazine lying around in reach of children or, better, not to have such things in a family home at all. But digital media defies more than convention... It defies all points of reference a human computer-layperson might have in the analog world that could help to understand it fully.

Try to explain to someone on the street the sorts of things that are and are not possible with computers and networks, and why various things fall into one or the other category. Watch their eyes glaze over. Absent points of reference and useful context it's almost anticomprehensible.

>Something that stands out is also helping parents get a handle on their own consumption and habits to be able to better teach kids on what to look out for.

Strongly agree. I've always shied away from algorithmically managed feeds and dark patterns. It felt instinctual to me but I think those instincts were born from coming to understand computers at a young age. Humanity at large has basically zero instincts for the digital world... Yet. Square one may be feeling the difference when you cut slopfeed content and targeted advertising out of your life. Square two may be new, computer-age fables to cultivate those instincts among those who aren't (and largely won't ever be) deeply computer literate. The sort of parables every single American grew up deciphering in McGuffey readers, once upon a time, but concerning things like, "a person can pretend to be anyone online, and that can cause trouble," or, "the boy who gave away his secrets could never get them back."


The work and interest in local coding models reminds me of the early 3D printer community, whatever is possible may take more than average tinkering until someone makes it a lot more possible.

Kind of confusing to expect zero competition for a valid opportunity, then you're a category founder with an uphill battle to educate the customer for free, fail, and let the next co swoop in.

I never said there shouldn't be competition. What I implied is that Netrinos looks to be deficient in features and also has no market trust. My question was sincere: why should I trust them? This is a VPN.

Not as often as you might think. Hardware doesn’t fail like it used to.

Hardware also monitors itself reasonably well because the hosting providers use it.

It’s trivial to run mirrored containers on two separate proxmox nodes because hosting providers use the same kind of stuff.

Offsite backups and replication? Also point and click and trivial with tools like Proxmox.

RAID is actually trivial to set up if you don’t compare it to doing it manually yourself from the command line. Again, tools like Proxmox make it point and click and 5 minutes of watching YouTube.

If you want to find a solution our brain will find it. If we don’t we can find reasons not to.


> if you don’t compare it to doing it manually yourself

Even if you do ZFS makes this pretty trivial as well.


Ah.. ZFS, really underrated and unfortunate with the unrelated history around it, the tech is quite solid.
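Carrying the "offsite backups and replication" and ZFS points above one step further, here is an added example that is not from anyone in this thread and not Proxmox's or OpenZFS's own tooling: a small POSIX shell script that picks the newest snapshot present on both the local dataset and the offsite replica, then builds the incremental `zfs send | ssh | zfs recv` pipeline from it, falling back to a full send when the two sides share nothing. The dataset names, the host `backup.example.net` and the snapshot names are made up for the illustration; the base-selection logic is plain shell so it can be exercised without a pool.

```shell
#!/bin/sh
# Added example: incremental ZFS replication to an offsite host.
# Only replicate() touches zfs/ssh; the functions that choose the
# incremental base and build the command are pure shell.
set -u

# pick_incremental_base LOCAL REMOTE
#   LOCAL / REMOTE: newline-separated snapshot names as printed by
#   `zfs list -H -d 1 -t snapshot -o name -s creation` (oldest first).
#   Datasets may differ on each side (tank/data vs backup/data), so only
#   the part after '@' is compared. Prints the newest common snapshot
#   name (without dataset), or an empty line if there is none.
pick_incremental_base() {
    local_snaps=$1
    remote_snaps=$2
    base=""
    for s in $local_snaps; do
        for r in $remote_snaps; do
            [ "${s#*@}" = "${r#*@}" ] && base=${s#*@}
        done
    done
    printf '%s\n' "$base"
}

# build_send_cmd DATASET BASE LATEST HOST REMOTE_DATASET
#   Prints the pipeline to run. With a BASE it sends every snapshot
#   between BASE and LATEST (-I); without one it sends LATEST in full.
#   `zfs recv -Fu` rolls the replica back to the common snapshot if it
#   was modified and leaves it unmounted.
build_send_cmd() {
    dataset=$1 base=$2 latest=$3 host=$4 remote_ds=$5
    if [ -n "$base" ]; then
        printf 'zfs send -I @%s %s@%s | ssh %s zfs recv -Fu %s\n' \
            "$base" "$dataset" "$latest" "$host" "$remote_ds"
    else
        printf 'zfs send %s@%s | ssh %s zfs recv -Fu %s\n' \
            "$dataset" "$latest" "$host" "$remote_ds"
    fi
}

# replicate DATASET HOST REMOTE_DATASET
#   Live path: lists snapshots on both sides, picks the base and runs
#   the pipeline. Assumes key-based ssh to HOST, `zfs allow` send rights
#   locally and receive rights on the remote user.
replicate() {
    dataset=$1 host=$2 remote_ds=$3
    local_snaps=$(zfs list -H -d 1 -t snapshot -o name -s creation "$dataset")
    remote_snaps=$(ssh "$host" zfs list -H -d 1 -t snapshot -o name -s creation "$remote_ds" 2>/dev/null || true)
    latest_full=$(printf '%s\n' "$local_snaps" | tail -n 1)
    latest=${latest_full#*@}
    base=$(pick_incremental_base "$local_snaps" "$remote_snaps")
    if [ "$base" = "$latest" ]; then
        echo "remote already has $latest, nothing to send" >&2
        return 0
    fi
    cmd=$(build_send_cmd "$dataset" "$base" "$latest" "$host" "$remote_ds")
    echo "+ $cmd" >&2
    sh -c "$cmd"
}

# Live invocation, only when explicitly requested:
#   ZFS_REPLICATE=1 sh replicate.sh tank/data backup.example.net backup/data
if [ "${ZFS_REPLICATE:-0}" = 1 ]; then
    replicate "$1" "$2" "$3"
fi
```

Run it from cron after your snapshot job; because the base is recomputed from what the remote actually has, a replica that missed a few runs catches up with one `-I` send instead of needing a fresh full copy.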

Hm, still too late, and still leaving.

Maybe I don't understand something, but self-hosted GitHub Actions cost more resources than GitHub Actions hosted with them?

There might be some creative uses of GitHub Actions, it seemed that getting users into the platform was valuable.


Never expose your server IP directly to the internet, vps or baremetal.

Unless you need it to be reachable from the Internet, at which point it has to be... reachable from the Internet.

Public facing services routed through a firewall or waf (cloudflare) always.

Backend access trivial with Tailscale, etc.


Stupid question probably, but: how can it not be routed through a firewall? If you have it at home, it's behind a router that should have a firewall already, right? And just forwards the one port you expose to the server?

Cloudflare can certainly do more (e.g. protect against DoS and hide your personal IP if your server is at home).


No such thing as a stupid question.

If you plug in a machine at home, it is behind the router, and behind the router's firewall.

If you want more of a firewall locally, something as simple as an EdgeRouter X can get you started easily with this excellent guide: https://github.com/mjp66/Ubiquiti

The nice thing about using cloudflare tunnel, is there's zero ports to expose, ever. The cloudflare tunnel app running on your local machine is what connects out to the internet and takes care of creating a secure connection between cloudflare and your machine.

If you want to forward more than one port to the machine, you could use something like cloudflare to forward to a machine on your home server, and then have the nginx proxy manager or something send the traffic around internally.

It's totally fine to start with cloudflare, and if you aren't already, something like Proxmox (youtube tutorials are pretty quick) gets you up and running and playing pretty quick. Feel free to ask any other questions you like.


Thanks a lot!

One thing I don't really get is why it is "more dangerous" to expose a port on my home IP, versus exposing a port on a Cloudflare tunnel. In both cases, a random user from the Internet can reach my server, and if I host a vulnerable application on that exposed port, it can be exploited. Right?

In order to host my server at home, but keep it outside my LAN, I have been considering having two routers: a "perimeter" router (not sure if that's how it's called) that connects to my ISP, and my normal "LAN" router. The LAN router does not expose anything, as usual. I connect my server to the perimeter router, so that it is in the "DMZ" between both routers. And on the perimeter router, I expose the port to my server. My idea being that if my server gets hacked, it doesn't affect my LAN. A bit like if my server was on a remote VPS.

And then I can run something like proxmox to separate my different services on my server.

But doing this, I expose my home IP instead of a Cloudflare IP, so now I'm concerned that maybe it is a risk? :-)


Exposing ports on home ip:

- exposes the port to be available for inbound connections from anyone on the public internet. When we use a web browser, it's outbound first which initiates responses.

- with an exposed port, you are that much more at the mercy of your firewall's ability to protect and defend the open port, which becomes more of a consideration.

- some people take additional security steps to only allow certain IPs to connect to the exposed port if it works for their scenario.

Compared with the Cloudflare Tunnel:

- if it's a website, for example, nothing is open to the public at all. The CF Tunnel (or a similar tool) connects first outbound to Cloudflare to set up a secure link with your home server.

- having this amount of security can make it harder to connect back to your own server for admin - this is where a tool like Tailscale (also free) can be handy, where you can continue to have full secured access to the server, and the public side only has whatever you want to expose to the public internet.

- if there's a port or service in specific you're looking to sort out feel free to ask.

Network design:

- keeping a server at home outside of your LAN is a good idea, it could be a perimeter router. DMZ can mean exposed to the internet without a firewall.

- if you read the guide I posted above, it sounds like an exact match for what you're trying to figure out - it achieves it with multiple VLANs to separate traffic rules. The PDF has some nice graphics to break it out - I wish I had something like this when starting out. The concepts described in the PDF should be possible on most equipment that exposes the settings, and while I don't endorse a particular product, the Ubiquiti EdgeRouter X for the $50 or so is very capable as a starting point for what you are after to be the main router. In that case of adding a dedicated router like this, you would have to switch your modem into "bridging" mode to let this be the main router for everything. Wireless access points can then be individually added to it. Alternatively if something like pfSense interests you, their parent company makes Netgate equipment that a lot of people seem to love. Both are well represented and supported on YouTube to learn from as well.
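A check to pair with the tunnel-plus-Tailscale layout described above, as an added example that is my own and not from the post, the linked guide or any of the tools mentioned: once cloudflared and Tailscale are in place, the thing to verify is that nothing on the box is still listening on an address the public Internet (or a forwarded router port) can reach. The script classifies each local listening address the way `ss -ltn` prints them: loopback, Tailscale's 100.64.0.0/10 range (or its fd7a:115c:a1e0::/48 IPv6 range), or a wildcard/other address. The socket list at the bottom is constructed, and the assumption that tailnet addresses are the only non-loopback listeners you want is mine.

```shell
#!/bin/sh
# Added example: audit listening sockets after moving to tunnel + Tailscale.
# Reads local addresses (the 4th column of `ss -Hltn`, e.g. 0.0.0.0:80,
# [::]:22, 127.0.0.1:8080, 100.101.102.103:22) and labels each one.
set -u

# classify_addr ADDR:PORT -> LOOPBACK | TAILNET | PUBLIC
classify_addr() {
    addr=${1%:*}            # drop the port (the last ':' separated field)
    addr=${addr#\[}         # strip IPv6 brackets
    addr=${addr%\]}
    case "$addr" in
        127.*|::1)
            echo LOOPBACK ;;
        fd7a:115c:a1e0:*)   # Tailscale IPv6 range fd7a:115c:a1e0::/48
            echo TAILNET ;;
        100.*)
            # 100.64.0.0/10 (CGNAT range Tailscale uses): 2nd octet 64..127
            rest=${addr#*.}
            o2=${rest%%.*}
            if [ "$o2" -ge 64 ] && [ "$o2" -le 127 ]; then
                echo TAILNET
            else
                echo PUBLIC
            fi ;;
        *)
            # 0.0.0.0, ::, '*' and any specific LAN/WAN address: reachable
            # by whatever the router or firewall forwards to this host.
            echo PUBLIC ;;
    esac
}

# audit_listeners: one local address per line on stdin; prints
# "<class> <addr>" per line and returns 1 if anything is PUBLIC.
audit_listeners() {
    exposed=0
    while IFS= read -r sock; do
        [ -n "$sock" ] || continue
        class=$(classify_addr "$sock")
        printf '%-8s %s\n' "$class" "$sock"
        [ "$class" = PUBLIC ] && exposed=$((exposed + 1))
    done
    [ "$exposed" -eq 0 ]
}

# count_public: same input, prints how many listeners are PUBLIC.
count_public() {
    audit_listeners | grep -c '^PUBLIC' || true
}

# Live check on a Linux host (ss from iproute2); non-zero exit if exposed.
run_live_audit() {
    ss -Hltn | awk '{print $4}' | audit_listeners
}

# Constructed sample: a home box that still has two services on the
# wildcard address even though the tunnel no longer needs them.
SAMPLE_LISTENERS='127.0.0.1:8080
[::1]:53
100.101.102.103:22
0.0.0.0:80
[::]:443
[fd7a:115c:a1e0::1234]:22'

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LISTENERS" | audit_listeners
fi
```

Run `sh audit.sh --demo` to see the sample classified; on the real host use `run_live_audit` in a cron job or a post-deploy hook so a service that quietly starts binding `0.0.0.0` again gets noticed. A LAN-only address such as `192.168.1.10` is deliberately reported as PUBLIC: whether it is reachable depends on what the router forwards, which this script cannot see.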


Thank you so much! Very insightful!

Not exposing the server IP is one practice (obfuscation) in a list of several options.

But that alone would not solve the problem of an RCE over HTTP, that is why edge proxy providers like Cloudflare[0] and Fastly[1] proactively added protections in their WAF products.

Even Cloudflare had an outage trying to protect their customers[2].

- [0] https://blog.cloudflare.com/waf-rules-react-vulnerability/
- [1] https://www.fastly.com/blog/fastlys-proactive-protection-cri...
- [2] https://blog.cloudflare.com/5-december-2025-outage/


No provider is perfect - It's totally possible to run your own FW behind it, or run CF Tunnel on a separate container that routes traffic to individual application containers using something like traefik, nginx proxy manager, etc.

Any server? How do you run a public website? Even if you put it behind a load balancer, the load balancer is still a “server exposed to the internet”

Public facing services routed through a firewall or waf (cloudflare) always.

Backend access trivial with Tailscale, etc.

Public IP never needs to be used. You can just leave it an internal IP if you really want.


A firewall is a server, too, though.

Thanks. Not sure of your point.

The firewall could run on a piece of dedicated equipment, where it might not be a server, or it could run in a container, on a dedicated computer, which might be the server.

Again, I'm only speaking about what I have experience with in addition to my past experience and have surprisingly found to run well despite thinking I'd never self-host again.


You're going to hate this thing called DNS

Been running production servers for a long time.

DNS is no issue. External DNS can be handled by Cloudflare and their waf. Their DNS service can obfuscate your public IP, or ideally not need to use it at all with a Cloudflare tunnel installed directly on the server. This is free.

Backend access trivial with Tailscale, etc.

Public IP doesn't always need to be used. You can just leave it an internal IP if you really want.


Is there a way to do that and still be able to access the server?

Yes, of course.

Free way - sign up for a cloudflare account. Use the DNS on cloudflare, they will put their public ip in front of your www.

Level 2 is install the cloudflare tunnel software on your server and you never need to use the public IP.

Backend access securely? Install Tailscale or headscale.

This should cover most web hosting scenarios. If there's additional ports or services, tools like nginx proxy manager (web based) or others can help. Some people put them on a dedicated VPS as a jump machine.

This way using the Public IP can almost be optional and locked down if needed. This is all before running a firewall on it.


Yes, cloudflare tunnels do this, but I don't think it's really necessary for this.

I use them for self-hosting.


That server is still exposed to the internet on a public IP. Just only known and courted through a 3rd party's castle.

The tunnel doesn't have to use the Public IP inbound, the cloudflare tunnel calls outbound that can be entirely locked up.

If you are using Cloudflare's DNS they can hide your IP on the dns record but it would still have to be locked down, and some folks find ways to tighten that up too.

If you're using a bare metal server it can be broken up.

It's fair that it's a 3rd party's castle. At the same time until you know how to run and secure a server, some services are not a bad idea.

Some people run pangolin or nginx proxy manager on a cheap vps if it suits their use case which will securely connect to the server.

We are lucky that many of these ideas have already been discovered and hardened by people before us.

Even when I had bare metal servers connected to the internet, I would put a firewall like pfsense or something in between.


What does the tunnel bring except DoS protection and hiding your IP? And what is the security concern with divulging your IP? Say when I connect to a website, the website knows my IP and I don't consider this a security risk.

If I run vulnerable software, it will still be vulnerable through a Cloudflare tunnel, right?

Genuinely interested, I'm always scared to expose things to the internet :-).


Small "except". :)

With the amount of automated bots that port scan looking for anything/everything that's open, as well as scanning DNS records for server IPs that could be targeted, one of the nice patterns of cloud hosting is how application and data servers are hosted behind firewalls of some kind, to effectively be internal.

As for what's exposed to the web, let's say the payload of a website, if there was something vulnerable in the javascript, that could be a weakness hosted anywhere.

Cloudflare can also help achieve this without too much fuss for self-hosted projects, be it personal, and production grade, assuming the rest of the trimmings are there.


> one of the nice patterns of cloud hosting is how application and data servers are hosted behind firewalls of some kind

Oh I see, so that I benefit from the "professional" firewall of Cloudflare, as opposed to my own that I may have possibly misconfigured or forgot to update etc?

Or is there more, like Cloudflare will block IPs that are known to come from malicious actors and things like this?


Both are a yes.

Many ways. Using a "bastion host" is one option, with something like wireguard or tinc. Tailscale and similar services are another option. Tor is yet another option.

The bastion host is a server, though, and would be exposed to the internet.

It can run a firewall and forward to internal traffic as well.

>Never expose your server IP directly to the internet, vps or baremetal.

Yes, CloudFlare ZeroTrust. It's entirely free, I use it for loads of containers on multiple hosts and it works perfectly.

It's really convenient. I don't love that it's a one-of-one service, but it's a decent enough placeholder.

Either via a VPN or a tunnel.

As in "always run a network firewall" or "keep the IP secret"? Because I've had people suggest both and one is silly.

A network firewall is mandatory.

Keeping the IP secret seems like a misnomer.

It's often possible to lock down the public IP entirely to not accept connections except what's initiated from the inside (like the cloudflare tunnel or otherwise reaching out).

Something like a Cloudflare+tunnel on one side, tailscale or something to get into it on the other.

Folks other than me have written decent tutorials that have been helpful.
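To put the "accept nothing inbound that wasn't initiated from inside" rule from the post above into a concrete form, here is an added example that is mine, not from the post, the earlier "Level 2" reply or any of the tutorials they refer to: a shell script that writes a baseline nftables ruleset for such a host and, where `nft` is installed, dry-runs it with `nft -c`. The interface name `tailscale0`, and the assumption that cloudflared and Tailscale are the only things that need to reach the box, are mine. Both daemons dial out, so no listening port gets an accept rule; replies come back through the `established,related` conntrack state. Tailscale's NAT traversal usually still gets a direct path because both peers send outbound first, and it falls back to its DERP relays otherwise.

```shell
#!/bin/sh
# Added example: baseline nftables ruleset for a self-hosted box that is
# reached only through outbound-dialling agents (cloudflared, tailscale).
set -u

# baseline_ruleset MGMT_IFACE
#   Prints an nft(8) ruleset: inbound default drop; only replies to
#   connections the host itself opened, loopback, ICMP and the tailnet
#   interface are accepted. No service port is opened on any interface.
baseline_ruleset() {
    mgmt_iface=$1
    cat <<EOF
#!/usr/sbin/nft -f
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Replies to outbound connections (cloudflared, tailscale, apt, ...)
        ct state established,related accept
        ct state invalid drop

        iifname "lo" accept

        # Admin access (ssh, Proxmox UI, ...) comes over the tailnet only
        iifname "$mgmt_iface" accept

        # Keep path MTU discovery and neighbour discovery working
        ip protocol icmp accept
        ip6 nexthdr ipv6-icmp accept

        # Everything else inbound on the public interface is dropped;
        # log a sample so you notice if something starts knocking.
        limit rate 5/minute log prefix "nft-drop: "
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF
}

# ruleset_has_drop_policies FILE
#   Cheap sanity check usable without nft: both inbound chains default to drop.
ruleset_has_drop_policies() {
    grep -q 'hook input priority 0; policy drop;' "$1" &&
    grep -q 'hook forward priority 0; policy drop;' "$1"
}

# check_ruleset FILE
#   Dry-runs the file with `nft -c` when nft is available (may need root
#   for the kernel round-trip); otherwise falls back to the grep check so
#   the script stays usable on a laptop before you copy it to the server.
check_ruleset() {
    if command -v nft >/dev/null 2>&1; then
        nft -c -f "$1"
    else
        ruleset_has_drop_policies "$1"
    fi
}

# opens_inbound_port FILE
#   Returns 0 if the input chain accepts any TCP/UDP destination port,
#   i.e. if someone has started poking holes in the baseline.
opens_inbound_port() {
    sed -n '/chain input/,/^    }/p' "$1" | grep -Eq 'dport.*accept'
}

# Typical use:
#   baseline_ruleset tailscale0 > /etc/nftables.conf
#   check_ruleset /etc/nftables.conf && systemctl enable --now nftables
```

Apply it over an existing Tailscale session (not over plain ssh to the public IP, which this ruleset cuts off), and keep `opens_inbound_port` in whatever config check you run before deploying so a "temporary" `tcp dport 22 accept` does not quietly become permanent.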

