As a (former) NetEng, it bothers me to no end that so many people claim "it's the network" when their application is slow / broken, without understanding the actual problem.
I often use generator expressions for the intermediate values (so I don't allocate a new list for each step), but I find this to be much more readable.
I assume you're basically referring to this quote from the article?
"Ignore fields coming from the API if you don’t need them. Keep only those that you use."
IMO this addresses only one part of the problem, namely "sanitize your inputs".
But if you follow this, and therefore end up with a dict whose keys are known and always the same, using something "struct-like" (dataclasses, attrs, pydantic, ...) is just SO much more ergonomic :)
> This is a lie. A "session through the NAT" does not really expose the host to the outside world, because in 99% of the cases this is a TCP session, and the NAT machine would drop all "out of order" packets.
No, it's not. NAT only translates addresses and does not inspect the TCP "internals" (like sequence number etc, which would allow it to block certain packets).
What you are describing is a stateful firewall that allows "reply packets" for an established TCP-session.
> No, it's not. NAT only translates addresses and does not inspect the TCP "internals" (like sequence number etc, which would allow it to block certain packets).
Yes it is. How would it forward response packets back if it doesn't track connections?
In real life I haven't seen "stateless NAT" for about 20 years.
But CGNAT machines usually go beyond that and even verify sequence numbers.
Glad I am not the only one feeling "weird" about the separate branches thing :D
Probably just a matter of taste, but I think having the files for different environments "side by side" makes it actually easier to compare them if needed, and you still have the full commit history for tracking changes to each environment.
At the very least, limiting such regulations to international-only limits their blast radius.
With China specifically it could work, because they internally control their points of peering with the rest of the world. With Russia, less so. With a "normal" Western country, likely infeasible, but in the latter case the internet access is not controlled and weaponized by the government, so there is no real need; self-regulation suffices.
"Nationalizing the internet like the telephony system" is a meme and agenda among some ITU people, originating from China and Russia.
And now the American FCC comes with this... Perhaps the FBI's counterintelligence branch should do a better job because this smells fishy.
They need to. Honestly we need a way to completely segregate Chinese and Russian networks off, as well as anyone who peers with them. They are using our open networks to brazenly attack us in broad daylight… it’s time to fight back.
How many ways do they have to transmit to Western networks? Proxies, tunnels, rooted machines, sending balloons with 5G modems that dwell in our airspace for days? I would much rather see a 100:1 defensive effort in operating system security. Lockdown mode in macOS is like Spinal Tap's amplifier that goes to 11. Why not just have 10 be the most secure, and make it go up to 10?
I don't understand how RPKI prevents route hijacking. It just signs that a certain AS owns a certain prefix, right? How does that stop another network from pretending to be peered with my network, then announcing an indirect route, copying the signature from my valid announcement of the same prefix?
Do you know BGPKit [1]? I'm not sure what the state of the project is, but I remember vaguely them implementing ASPA and being involved in the RFC back then.
I love how it will only ever be one leaky abstraction after another (incompleteness theorem) with a Lindy value of a few years to realize that and have to hallucinate something new, but you all keep trying to secure what physics won’t allow us to.
You all should go touch grass and learn to roll with our human frailty and imperfection rather than drive yourselves mad bouncing off the walls of your language and mathematical primitives.
Just remember you’re one of billions and no one needs you specifically. Just enough people overall so that life isn’t so shit one would be better off dead themselves.