
Philadelphia is a cheese brand in Germany, maybe they just like that. Or the movie.

The Philadelphia cheese brand is from New York. Presumably, the German market licenses the brand but produces locally in Europe and doesn't import from the US (New York and Wisconsin).

The price of water has gone up for a multitude of factors. One of them is water savings in general, but not primarily because the sewage system requires regular flushes. The reason is that water gets paid per cubic meter and includes a fresh water and a waste water component. The assumption is that almost all fresh water you use ends up as waste water. Now, the grid has a very substantial fixed-price component that's largely independent of the actual current volume being used. Putting pipes in the ground and maintaining them there is an actual costly endeavour. If water use now drops, and the baseline cost remains stable, then it's entirely expected that the price per volume rises. It's simple math. The same baseline cost needs to be brought in via less volume.

This will also happen to people that use residential gas. As fewer and fewer people use residential gas, the maintenance of the gas network gets distributed among fewer and fewer customers.

> The 'balcony power stations' are the same thing. They get subsidised, and you even get a fixed kWh price when pushing into the grid.

They are subsidized on purchase, but the price they get when pushing energy into the grid is by default fixed at 0. The network accepts the power, but there's no payment. It's also capped at 800W delivery, meaning that at peak power generation, you'd earn a whopping 5 cents an hour with the current subsidy for full scale solar power. So in practice, the only benefit owners have is that they draw less power from the net, which is much more attractive because of the pricing structure. You can, optionally, register your balcony power station as a regular solar power plant, but then you're subject to a whole bunch of rules and regulations (for example you need a suitable electricity meter etc.). This option is generally not attractive for such small power generation.

Fundamentally, though, the same issue as with the water and gas network exists with all localized (solar) power generation. If more and more people use the grid only as a backup, or for winter energy needs, then the overhead of maintaining the grid will have a larger cost contribution to the total cost of electricity.


There are no absolute rights, even in the charter of human rights, which is about as basic as it gets. The reality is that every right, if regarded as absolute, violates another fundamental right, if regarded as absolute.

Take for example Article 3 of the declaration of human rights:

> Everyone has the right to life, liberty and security of person.

The article already has a collision set up in itself: You have the right to live in safety. But also, everyone has the right to live in liberty. If taken as an absolute, the right to liberty would prevent incarceration of dangerous individuals, violating the other individuals' right to live in safety.

Similarly, other fundamental rights get curtailed: The freedom of speech is in balance with the right to personal dignity of Article 1 and other rights.

Not acknowledging that even fundamental human rights are in a tension with each other is just ignoring reality and will get you nowhere in a legal discussion.

The discussion is not which right is absolute, it is about how to balance the tension between the various rights. And different societies strike a different balance here.

Take for example the right to freedom and liberty. Lifelong imprisonment without parole as punishment is not a thing in Germany. There’s an instrument that allows the court to keep the perpetrator locked up in case the court considers the individual dangerous, but until 1998, this could not be applied retroactively. There was a major legal upheaval with multiple rounds to the constitutional court to change that and it took until 2012/2013 to find a legal framework that wasn’t declared unconstitutional. To this day, however, Sicherungsverwahrung is not a punishment, but a combination of therapy and ensuring the safety of society, and it’s subject to regular checks of whether the conditions for the lockup still exist. The individuals are also not held in prisons, but in nicer facilities.

On the other hand, many US states still have the death penalty and are proud of it.


> The article already has a collision set up in itself

Yeah, because it's a made up self-contradictory notion with absolutely zero basis in reality. It's the people who believe in "rights" who are ignoring reality. Safety? The world is a dangerous place where you can be randomly killed if you take a wrong turn and no amount of "rights" is ever going to change that. Food and shelter? Simple economics are enough to defeat this, there isn't enough for everybody, rationing ensues almost immediately and suddenly you're forced to decide who's most "deserving" of these resources. Privacy? The FVEY get around it by spying on each other and sharing data because foreigners are always fair game. You can name virtually any right and the inherent contradictions in it are plain to see to anyone willing to go outside and see the world for what it actually is instead of what some "charter" says it should be.

It would be infinitely more honest if these governments simply decided to declare you guilty of whatever you're suspected of when they find your encrypted data. That's what they actually want to do. No need to engage in this song and dance about balancing "rights". If they did this, at least people would see things as they are instead of engaging in this constant abstraction in an attempt to rationalize and justify things by saying that you have the "right" to privacy but actually you don't when it's "in the interests of national security" for you to not have it. That sort of doublespeak is hazardous for my mental health and I'm tired of engaging in it.


That assumes a device that can enter a VPN. I’d like to run a DNS server for a group of kids playing Minecraft on a Switch. Since they’re not in the same (W)LAN, I can’t do it on the local network level. And the Switch doesn’t have a VPN client.

Perhaps it seems obvious to some, but it's not obvious to me so I need to ask: What's the advantage of a selectively-available DNS for kids playing Minecraft with Nintendo Switch instead of regular DNS [whether self-hosted or not]?

All I can think of is that it adds obscurity, in that it makes the address of the Minecraft server more difficult to discover or guess (and thus keeps everything a bit more private/griefing-resistant while still letting kids play the game together).

And AXFR zone transfers are one way that DNS addresses leak. (AXFR is a feature, not a bug.)

As a potential solution:

You can set up DNS that resolves the magic hardcoded Minecraft server name (whatever that is) to the address of your choosing, and that has AXFR disabled. In this way, nobody will be able to discover the game server's address unless they ask that particular DNS server for the address of that particular name.

It's not airtight (obscurity never is), but it's probably fine. It increases the size of the haystack.

(Or... Lacking VPN, you can whitelist only the networks that the kids use to play from. But in my experience with whitelisting, the juice isn't worth the squeeze in a world of uncontrollably-dynamic IP addresses. All someone wants to do is play the game/access the server/whatever Right Now, but the WAN address has changed so that doesn't work until they get someone's attention and wait for them to make time to update the whitelist. By the time this happens, Right Now is in the past. Whitelisting generally seems antithetical to getting things done in a casual fashion.)


Ok, why would I want to do that? Because when Microsoft bought Minecraft they decided to split the ecosystem into the Java Edition (everyone playing on a computer) and Bedrock Edition (Consoles, Tablets, ...) and cross-play is not possible on the official realms. That leaves out the option to just pay and rent a realm for the group.

So we're hosting our own Minecraft server and a suitable connector for cross-play - and it's easy to join on tablets, computers and so on because there's a button that allows you to enter an address. But on the Switch, Microsoft in its wisdom decided that there'd be no "join random server" button. But there are some official realm servers, and they just happen to host a lobby and the client understands some interface commands sent by the server (1). Some folks in the community devised a great hack - you just host a lobby yourself that presents a list of servers of your choice. But to do that, you need to bend the DNS entries of a few select hostnames that host the "official" lobbies so that they now point to your lobby. Which means you need to run a resolver that is capable of resolving all hostnames, because you need to set it in the Switch's networking settings as the primary DNS server.

Now, there are people that run resolvers in the community and that might be one option, but I'm honestly a bit picky about who gets to see what hostnames my kids' Switch wants to resolve.

Whitelisting networks is impossible - it's residential internet.

The reason I'd be interested in running this behind a VPN is that I don't want to run an open resolver and become part of an amplification attack. (And sadly, the Switch 1 does not have a sufficiently modern DNS stack so that I can just enable DNS cookies and be done with it. The Switch 2 supports it).

Sorry if this sounds complicated. It's just hacks on hacks on hacks. But it works.

(1) Judging from the look and feel, this is actually implemented as a Minecraft game interface and the client just treats that as a game server. It even reports the number of players hanging out in the lobby.


Thanks. I suspected that this is where things were heading. I don't see a problem with using hacks-on-hacks to get a thing done with closed systems; one does what one must.

On the DNS end, it seems the constraints are shaped like this:

1. Provides custom responses for arbitrary DNS requests, and resolves regular [global] DNS
2. Works with residential internet
3. Uses no open resolvers (because of amplification attacks)
4. Works with standalone [Internet-connected] Nintendo Switch devices
5. Avoids VPN (because #4 -- Switch doesn't grok VPN)

With that set of rules, I think the idea is constrained completely out of existence. One or more of them need to be relaxed in order for it to get off the ground.

The most obvious one to relax seems to be #3, open resolvers. If an open resolver is allowed then the rest of the constraints fit just fine.

DNS amplification can be mitigated well-enough for limited-use things like this Minecraft server in various ways, like implementing per-address rate limiting and denying AXFR completely. These kinds of mitigations can be problematic with popular services, but a handful of Switch devices won't trip over them at all.

Or: VPN could be used. But that will require non-zero hardware for remote players (which can be cheap-ish, but not free), and that hardware will need power, and the software running on that hardware will need to be configured for each WLAN it is needed to work with. That path is something I wouldn't wish upon a network engineer, much less a kid with a portable game console. It's possible, but it feels like a complete non-starter.
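As an added example (not code from this thread or from any project it mentions), this Python sketch shows the three resolver-side measures the thread discusses for relaxing #3: a per-client rate limit that silently drops excess queries instead of answering them, a REFUSED response to AXFR, and a hostname override of the kind used to point the lobby name at your own server. The lobby hostname and all addresses are placeholders, and forwarding of everything else to an upstream resolver is left to the caller.

```python
import struct
import time

# Constructed override table. The thread does not name the real lobby hostnames,
# so "lobby.example.invalid" is a placeholder and 203.0.113.10 a documentation address.
OVERRIDES = {"lobby.example.invalid": "203.0.113.10"}

QTYPE_A, QTYPE_AXFR, RCODE_REFUSED = 1, 252, 5

def build_query(txid, name, qtype):
    """Build a minimal DNS query packet (used here to construct sample input)."""
    out = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    for label in name.split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_question(packet):
    """Return (txid, qname, qtype, raw question section) of a one-question query."""
    txid, _flags, qdcount = struct.unpack("!HHH", packet[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    pos, labels = 12, []
    while packet[pos] != 0:  # length-prefixed labels; queries carry no compression
        length = packet[pos]
        labels.append(packet[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    qtype = struct.unpack("!H", packet[pos + 1:pos + 3])[0]
    return txid, ".".join(labels).lower(), qtype, packet[12:pos + 5]

def build_response(txid, question, rcode, answer_ip=None):
    """Echo the question back; optionally attach one A record with a 60 s TTL."""
    flags = 0x8180 | rcode  # QR=1, RD=1, RA=1 plus the response code
    answer = b""
    if answer_ip is not None:
        rdata = bytes(int(octet) for octet in answer_ip.split("."))
        # 0xC00C is a compression pointer to the name at offset 12 (the question)
        answer = struct.pack("!HHHIH", 0xC00C, QTYPE_A, 1, 60, len(rdata)) + rdata
    header = struct.pack("!HHHHHH", txid, flags, 1, 1 if answer else 0, 0, 0)
    return header + question + answer

class Resolver:
    """Per-client fixed-window rate limit, AXFR refusal and hostname overrides."""
    def __init__(self, per_client_per_sec=20):
        self.limit = per_client_per_sec
        self.windows = {}  # client_ip -> (window_start, queries seen in window)

    def _allowed(self, client_ip, now):
        start, count = self.windows.get(client_ip, (now, 0))
        if now - start >= 1.0:
            start, count = now, 0
        self.windows[client_ip] = (start, count + 1)
        return count + 1 <= self.limit

    def handle(self, packet, client_ip, now=None):
        """Return ("drop", None), ("forward", None) or ("reply", response_bytes)."""
        now = time.monotonic() if now is None else now
        txid, qname, qtype, question = parse_question(packet)
        if not self._allowed(client_ip, now):
            return "drop", None  # dropped silently, so nothing is reflected back
        if qtype == QTYPE_AXFR:
            return "reply", build_response(txid, question, RCODE_REFUSED)
        if qname in OVERRIDES:
            return "reply", build_response(txid, question, 0, OVERRIDES[qname])
        return "forward", None  # everything else goes to an upstream resolver
```

A real deployment would wrap `handle` in a UDP socket loop and send "forward" queries to an upstream resolver; the handler itself never answers more bytes than the client's own limit allows.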


Yep, I agree. It's essentially impossible given the constraints. I'm mostly responding to a post that says "just run it on a VPN" with an example that just can't run on a VPN.

(3) would be easy to handle if DNS Cookies were sufficiently well supported because they solve reflection attacks and that's the most prominent. Rate limiting also helps.

At the moment I'm at selectively running the DNS server when the kids want to play because we're still at the supervised pre-planned play-session. And I hope that by the time they plan their own sessions, they've all moved on to a Switch 2.


Thank you for the explanation, it was most interesting. I had no idea Bedrock could be coerced into talking to Java servers.

Here are a few ideas:

1. Geoblocking. Not ideal, but it can make your resolver public for fewer people.

2. What if your DNS only answers queries for a single domain? Depending on the system, the fallback DNS server may handle other requests?

3. You could always hand out a device that connects to the WLAN. Think a cheap ESP32. Only needs to be powered on when doing the resolution. Then you have a bit more freedom: IPv6 RADV + VPN, or try hijacking DNS queries (will not work with client isolation), or set it as resolver (may need manual config on each LAN, impractical).

4. IP whitelist, but ask them to visit a HTTP server from their LAN if it does not work (the switch has a browser, I think), this will give you the IP to allow, you can even password-protect it.

I'd say 2 is worth a try. 4 is easy enough to implement, but not entirely frictionless.


You could run a DNS server and configure the server with a whitelist of allowed IPs on the network level, so connections are dropped before even reaching your DNS service.

For example, any Red Hat-based Linux distro comes with firewalld. You could set rules that by default will block all external connections and only allow your kids' and their friends' IP addresses to connect to your server (and only specifically on port 53). So your DNS server will only receive connections from the whitelisted IPs. Of course the only downside is that if their IP changes, you'll have to troubleshoot and whitelist the new IP, and there is the tiny possibility that they might be behind CGNAT where their IPv4 is shared with another random person, who is looking to exploit DNS servers.

But I'd say that is a pretty good solution, no one will know you are even running a DNS service except for the whitelisted IPs.


They're all playing from home, connected to their residential internet. I don't know their IP addresses.

Correct me if I misunderstand what you're trying to do:

What you want to do is -on each LAN that has a Switch that you want to play on your specific Minecraft server- report that the IP for the hostname of the Minecraft server the Switch would ordinarily connect to is the server that you're hosting?

If you're using OpenWRT, it looks like you can add the relevant entries to '/etc/hosts' on the system and dnsmasq will serve up that name data. [0] I'd be a little shocked (but only a little) if something similar were impossible on all non-OpenWRT consumer-grade routers.

My Switch 1 is more than happy to use the DNS server that DHCP tells it to. I assume the Switch 2 is the same way.

[0] <https://openwrt.org/docs/guide-user/base-system/dhcp.dnsmasq>


I can do that for my network - but the group is multiple kids that play from their home. I'm not going to teach all of those parents how to mess with their network. There's just way too many things that can go wrong. Also, won't work if the kid is traveling.

From all this what I got is that Microsoft is connecting to some random servers not using TLS and then somehow outputting that data straight into the Nintendo Switch

Why do you want to do this? What would you redirect / override on this?

There's really a wide range between "not looking after kids" and "watching them every second." Unlike the physical world, digital items allow kids to transition from a totally safe space to an unsafe space within seconds.

For example, I can have my kid do whatever he wants in his room. I know what's in there and while he may have the occasional stupid idea, it's all fundamentally safe.

But even a tablet breaks that barrier. It's entirely safe for him to listen to music and stories and I want him to be able to do that unsupervised. But solid control over content on Spotify isn't a thing. The catalog contains things that I consider not appropriate for him. And they've lately been adding videos to the feed and while I know he tries hard to resist, they deliberately push videos further and further up. So we're back to "I can turn on the story for you and you can listen.", which is super stupid and could be much better if I had solid controls that I can trust.

Yes, I know I can talk to him about not watching the videos. How can an 8 year old compete with the combined effort of the Spotify team paid to make him watch videos? That's just not feasible.


If Spotify doesn't give you the controls you want... Don't use Spotify?

If my local park had a series of rotating knives and the council refused to do anything about it, I wouldn't let my kids go down there, supervised or not.

I agree parenting in the digital world is harder. You either learn how to do it to your standard or you don't allow the child to be part of that world if you are incapable or don't want to.


The problem is not that modern cars are somehow less reliable than old cars. They are much more reliable. But they’re also much less repairable without specialized equipment. You can with somewhat accessible technology repair almost all defects on a purely mechanical car. You cannot do the same for a modern car unless you happen to have a chip fab.

This looks a lot as if the facebook/jemalloc repo inserted a single commit 70 commits ago and then rebased the changes in the original repo on top. Because the commit SHAs for the changes pulled in change you see this result.


It's a perfectly not reasonable cookie banner. If you click on Details, you can see that they're not using marketing, statistics, or any other kind of cookies apart from the technically necessary. Which is great, but also means that they don't even need a banner. It could just go away.


Even if tariffs are refunded at some point, the cost of implementing and managing the tariffs, lost sales, lost opportunities and so on are not. Nor is the cost of recovering the tariffs from the government.


Credit card and banks should be able to manage the transactions, they keep records for years. If they were smart, they'd be pushing to get the deal and a massive fee


Neither bank nor credit card companies can possibly manage the tariff question for any party. Tariffs get charged on the goods that you import and depend on what specifically you import. Banks manage the financial transaction, but have no specific knowledge what goods you're paying for and at what rate they are subject to tariffs or taxes.


My 95% bet is that the attacker just gained access to an account with suitable privileges and then went on to use existing automation. The fact that it’s Intune is largely irrelevant - I’m not aware of any safeguards that any provider would implement.

So the options here are MDM or no MDM and that’s a hard choice. No MDM means that you have to trust all people to get things as basic as FDE or a sane password policy right. No option to wipe or lock lost devices. No option to unlock devices where people forgot their password. Using an MDM means having a privileged attack vector into all machines.


No MDM just isn’t an option for most enterprises but ideally the keys to the kingdom are properly secured.


How does that look exactly? Someone has to be able to use MDM to manage devices or there’s no point in having it. This scenario is firmly in rubber hose/crescent wrench cryptanalysis territory. Can updates have delays with approval gates built in? Does MDM need a break glass capability?


"Principle of least privilege" as MS calls it.

Do not use a global admin or admin account as a daily driver, for one. Don't save it in the browser etc. either.

Limit roles, even within the application, here Intune.

Office 365 also has conditional access and many policy levers to tweak; there are many cases of people locking themselves OUT of 365. So the gates work, but you need to configure them.

"Break glass" global admin accounts now also require MFA. https://learn.microsoft.com/en-us/entra/identity/authenticat...


At the end of the day someone needs remote wipe privs, and in a large company it's something done pretty often.


Ok and who has access to the global admin and how resistant are they to Iranian operatives?


What are you asking?

For Stryker specifically? We don't and probably won't know details.

For companies in general? Background checks, security clearance etc are done if the company determines this necessary and are willing to pay for the process and higher salary.


I’m asking if it’s possible to secure the MDM process in a way that Iranian operatives can’t simply torture an administrator into pushing the big red MDM button.



Yes I made this reference upthread.

