Stories
Slash Boxes
Comments

SoylentNews is people

Meta

Log In

Log In

Create Account  |  Retrieve Password


Site News

Join our Folding@Home team:
Main F@H site
Our team page


Funding Goal
For 6-month period:
2022-07-01 to 2022-12-31
(All amounts are estimated)
Base Goal:
$3500.00

Currently:
$438.92

12.5%

Covers transactions:
2022-07-02 10:17:28 ..
2022-10-05 12:33:58 UTC
(SPIDs: [1838..1866])
Last Update:
2022-10-05 14:04:11 UTC --fnord666

Support us: Subscribe Here
and buy SoylentNews Swag


We always have a place for talented people, visit the Get Involved section on the wiki to see how you can make SoylentNews better.

posted by NCommander on Thursday August 25 2016, @01:00PM   Printer-friendly
from the you-can-haz-RRSIG dept.

In the ongoing battle of site improvements and shoring up security, I finally managed to scratch a long-standing itch and signed the soylentnews.org domain. As of right now, our chain is fully validated and pushed to all our end-points.

Right now, I'm getting ready to dig in with TheMightyBuzzard to work on improving XSS protection for the site, and starting to lay out new site features (which will be in a future post). As with any meta post, I'll be reading your comments below.

~ NCommander

posted by martyb on Thursday August 25 2016, @12:17PM   Printer-friendly
from the subject-to-review dept.

Are subjects passé in comments on the post-social media web? Or are they a valid feature to enable human eye-scanning and relevant search results?

It is the opinion of this anonymous submitter that putting "Subjects are an anachronism" [1] or "SubjectsinCommentsareStupid" [2] is unhelpful at best and spam at worst. SoylentNews has a long legacy going back to Chips & Dips, the predecessor site to Slashdot (from whose code SoylentNews was forked).

With that in mind, subjects are not a vestigial feature but a useful and defining one. It makes longer threads friendly to readers, and separates this site from Digg, Reddit, Voat, and so many other disposable social media sites. Just as email would be worse without subjects, so too would SoylentNews.

Taken from actual SoylentNews comments; cf: [1] and [2].

Ed Note: I'm of two minds as to running this story. This is presented as one person's opinion and makes a case for continuing to have a Subject for each comment. As noted, others do not feel the same way. As SoylentNews is a community, your input guides us. So, what say you? Should we continue as-is? Make subjects optional? Dispense with them entirely? Other? What benefits and/or problems are likely to result?


Original Submission

posted by NCommander on Wednesday August 17 2016, @11:23AM   Printer-friendly
from the hrm dept.

So, during the last site update article, a discussion came up talking about how those who work and write for this site should get paid for said work. I've always wanted to get us to the point where we could cut a check to the contributors of SoylentNews, but as it stands, subscriptions more or less let us keep the lights on and that's about it.

As I was writing and responding to one specific thread, part of me started to wonder if there would be enough interest to try and crowdfund articles on specific topics. In general, meta articles in which we talk deploying HSTS or our use of Hesiod tend to generate a lot of interest. So, I wanted to try and see if there was an opportunity to both generate interesting content, and help get some funds back to those who donate their time to keep the lights on.

One idea that immediately comes to mind that I could write is deploying DNSSEC in the real world, and an active example of how it can help mitigate hijack attacks against misconfigured domains. Alternatively, on a retro-computing angle, I could cook something in 16-bit real mode assembly that can load an article from soylentnews.org. I could also do a series on doing (mostly) bare metal work; i.e., loading an article from PXE boot or UEFI.

However, before I get in too deep into building this idea, I want to see how the community feels about it. My initial thought is that the funds raised for a given article would dictate how long it would be, and the revenue would be split between the author, and the staff, with the staff section being divided at the end of the year as even as possible. The program would be open to any SN contributor. If the community is both interested and willing, I'll organize a staff meeting and we'll do a trial run to see if the idea is viable. If it flies, then we'll build out the system to be a semi-regular feature of the site

As always, leave your comments below, and we'll all be reading ...

~ NCommander

posted by NCommander on Monday August 15 2016, @07:01PM   Printer-friendly
from the fiddling-for-the-greater-good dept.

Since people seem to rather enjoy when I run articles on backend upgrades, here's another set of changes I made over the last week as I get back into the full swing working on the site.

The short list:

  • Migrated Beryllium (which hosts wiki+IRC+mail) to Apache 2.4
    • Upgraded said machine to PHP7
    • Needed to support OCSP stapling
    • Validating final checks before deploying HSTS to all public domains
    • Upgraded MediaWiki, SquirrelMail, and YOURLS to PHP7 compatible versions
  • Worked with TheMightyBuzzard and user comments to determine additional XSS protection headers we should deploy
  • Found (and removed) SSLv3 support on postfix and dovecot
  • Deployed DNSSEC on sylnt.us in preparation for signing soylentnews.org (here's the test results)

Read past the fold for more information.

Beryllium Upgrades

Beryllium is our "misc" services box. It basically hosts everything that isn't related to site infrastructure such as the wiki, our IRC server, and mail. Last week, I went through and fixed our SSL configuration on this machine to make sure that we were serving properly validated certificates, and that we had strong encryption on this box. While I succeeded on that front, for performance reasons, Apache 2.4 needed to be upgraded to support a somewhat obscure feature of TLS known as OCSP stapling.

What is OCSP stapling you ask? Well, to answer that, I need to take a moment to go into how SSL certificates work. Whenever a CA generates a certificate, they're essentially saying "this site is who it is and we're attesting to it". In a perfect world, a CA would never make a mistake, private keys would never leak, and we could always assume that a certificate is good. We don't live in that world, as such certificate authorities sometimes need to void a certificate. OCSP (which stands for the Online Certificate Status Protocol) is one of two ways to do this, and is the only method Let's Encrypt supports for certificate revocation.

OCSP is a replacement for older certificate revocation lists (CRLs) which in real-life rarely if ever worked as advertised. It's meant to allow the browser to update in real-time knowledge if a certificate is good or bad and react accordingly. OCSP however requires that the browser checks with a certificate authority's OCSP server, leaking the fact that user X is connecting to site Y. It also means that if access to the OCSP server is blocked, a user might not be aware that a certificate has been revoked. OCSP stapling solves both problems by having our servers grab the OCSP reply (which is timestamped), and sending it as part of the initial connection to our site, both increasing performance, and preventing a privacy leak.

Unfortunately, OCSP stapling requiring Apache 2.4 which required me to build it from source, and then migrate sites over from the older Apache 2.2 install. At the same time, I went through and upgraded PHP 7, and updated the other web applications we were using. For the most part, this was rather painless though I'm still tinkering with MediaWiki to make it happy on the new setup.

Beside the usual Apache pain, I went through and scanned our other major services and disabled SSLv3 support on postfix (SMTP) and dovecot. I need to go through and replace our self-signed certs with real ones here but that's a 'one step at a time thing'

XSS Mitigation

During the last site status article, an AC pointed us at this handy site showing security headers. As such, TheMightyBuzzard and I will be going through and enabling these (with the exception of public key pinning) on production sometime this week. HPKP requires quite a bit of planning to deploy and we're not ready to take that step just yet.

DNSSEC + sylnt.us

I've talked about wanted to deploy DNSSEC before, but various other things kept cropping up. That, and combined with outdated and misleading documentation kept me from actually getting around to doing this for ages. Over the weekend, I finally dug down and figured out the current best practices for DNSSEC, and with the help of audioguy, configured BIND to do automatic signing of the domain and uploaded our keys to our register.

As such, sylnt.us now has a fully validated signature chain, and a green key when checked with the DNSSEC validator. We will be signing soylentnews.org sometime in the near future, however, we ran into some DNS zone transfer issues between our nameservers and Linode which caused the RRSIG records to not properly upload. While this has been resolved for now, we're currently talking with Linode to understand why the transfer went pear-shapped and to prevent a second occurrence.

That's it for now. As always, post questions, comments below. I'll be reading!

~ NCommander

posted by NCommander on Monday August 08 2016, @12:00PM   Printer-friendly
from the now-with-a+-scores dept.

So after an extended period of inactivity, I've finally decided to jump back into working on SoylentNews and rehash (the code that powers the site). As such, I've decided to scratch some long-standing itches. The first (and easiest) to deploy was HSTS to SoylentNews. What is HSTS you may ask?

HSTS stands for HTTP Strict Transport Security and is a special HTTP header that signifies that a site should only be connected to over HTTPS and causes the browser to automatically load encrypted versions of a website should it see a regular URL. We've forbid non-SSL connections to SN for over a year, but without HSTS in place, a man-in-the-middle downgrade attack was possible by intercepting the initial insecure page load.

One of the big views I have towards SoylentNews is we should be representative of "best practices" on the internet. To that end, we deployed IPv6 publicly last year, and went HTTPS-by-default not long after that. Deploying HSTS continues this trend, and I'm working towards implementing other good ideas that rarely seem to see the light of day.

Check past the break for more technical details.

[Continues...]

As part of prepping for HSTS deployment, I went through every site in our public DNS records, and made sure they all have valid SSL certificates, and are redirecting to HTTPS by default. Much to my embarrassment, I found that several of our public facing sites lacked SSL support at all, or had self-signed certificates and broken SSL configurations. This has been rectified.

Let this be a lesson to everyone. While protecting your "main site" is always a good idea, make sure when going through and securing your infrastructure that you check every public IP and public hostname to make sure something didn't slip through the gaps. If you're running SSLLabs against your website, I highly recommend you scan all the subjectAlternativeNames listed in your certificate. Apache and nginx can provide different SSL options for different VHosts, and its very important to make sure all of them have a sane and consistent configuration.

Right now, HSTS is deployed only on the main site, without "includeSubdomains". The reason for this is I wanted to make sure I didn't miss any non-SSL capable sites, and I'm still working on getting our CentOS 6.7 box up to best-practices (unfortunately, the version of Apache it ships with is rather dated and doesn't support OSCP stapling. I'll be fixing this, but just haven't gotten around to it yet).

Once I've fixed that, and am happy with the state of the site, SN, and her subdomains will be submitted for inclusion into browser preload lists. I'll run an article when that submission happens and when we're accepted. I hope to have another article this week on backend tinkering and proposed site updates.

Until then, happy hacking!
~ NCommander

posted by martyb on Sunday July 24 2016, @12:36PM   Printer-friendly
from the ups-and-downs dept.

We just learned that our VM provider, Linode, had to perform some emergency reboots. Three of our servers have already been taken care of, but more are still to come. This led to our site being unavailable for a period of approximately an hour. Here is the reboot schedule:

Identified - Linode has received a Xen Security Advisory (XSA) that requires us to perform updates to our legacy Xen host servers. In order to apply the updates, hosts and the Linodes running on them must be rebooted. The XSAs will be publicly released by the Xen project team on July 26th. We must complete this maintenance before then.

Here's the schedule and status:

Server Purpose Maintenance Schedule (UTC)
lithium Development Completed
magnesium Frontend Proxy Completed
sodium Frontend Proxy Completed
fluorine Production Cluster Completed
helium Production Cluster Completed
hydrogen Production Cluster Completed
neon Production Cluster Completed
beryllium Services Cluster Completed
boron Services Cluster Completed

We apologize for any inconvenience.

[Update: It appears the second round of reboots has completed successfully, and, thanks to the advance notice, the site stayed up throughout. We anticipate that the site will still continue to operate normally through the last-scheduled reboot. Many thanks for your understanding and patience.]

[Update #2: We are taking advantage of a free offer from Linode, our hosting provider, to convert our VPSs (Virtual Private Servers) from Xen to KVM. The rebooting was required to repair a Xen vulnerability. As a bonus, the Xen to KVM conversion gives us a free upgrade to twice as much memory. The additional memory will provide much-needed additional headroom on our servers and possibly provide a performance improvement. Thanks to our redundancy, the changes should not be noticeable when we reboot/upgrade, except for the IRC and e-mail servers as they are single-hosted.]

[Update #3: Thanks to the tireless efforts of paulej72 well into the wee hours of this morning with able assistance by audioguy in straightening out some IP issues as well as Deucalion and TheMightyBuzzard providing guidance and support, all but two of our Xen servers have been upgraded to KVM. This free upgrade doubled the amount of memory available to our VMs, giving us some much-needed headroom. That leaves beryllium (IRC and email) and boron (DNS, Hesiod name service) as the two servers that have not been upgraded yet. Date/time is TBD.]

[Update #4: Boron will be reconfigured shortly, and then Bberyllium after that. Plan on an hour or two, though, obviously, we'll try to keep the downtime to a minimum!]

[Update #5: Boron's second upgrade for the ram sat in the queue for several hours, so Beryllium had to wait until paulej72 got up and finished it this morning (0830 EDT)]

posted by takyon on Monday July 04 2016, @12:53PM   Printer-friendly
from the independence-day dept.

Two years ago, on 2014-07-04, SoylentNews received official confirmation of becoming a Public Benefit Corporation. Though there is no user-visible manifestation of this on the site (or any of the other services we provide), it does stand as an important milestone in our history.

A lot has happened since this site went live. Here are some numbers:

  • 93 - polls posted.
  • 170 - current subscribers.
  • 1816 - journal articles posted.
  • 6278 - registered nicknames.
  • 12252 - stories posted to the site.
  • 14556 - stories submitted.
  • 369411 - comments posted.
  • 41767215 - story hits we've counted (ignores AC hits)

Numbers, however, provide only part of the story. We have been able to keep the site up and running with only a few unplanned site outages, which is a far cry from how things were back when the site launched. To watch this community coalesce and grow to what it is today has been a heart-warming and enriching experience. I've read stories and comments that have changed my view of the world. All thanks to the tireless (and very occasionally tired) efforts of our all-volunteer staff and you, our community. And what a talented and selfless group of people we have! I am continually impressed with the knowledge and professionalism exhibited by the staff — I tip my hat to them all.

One of the comments to last year's story sums it up very well for me:

I[t] feels like much longer than a year ago, maybe because Soylent perfectly replaced the place Slashdot occupied in my heart. Except, it's better. NCommander, Eds, we really appreciate the work, spirit, and intent you've put into the community. It's a mark of distinction that this place feels more like a really big, walnut-panelled study filled with learned colleagues than it does a random, pointless forum. The latter is ubiquitous, the former unique.

It is my fervent hope that we will continue to earn your support and provide you with the best news discussion site we can.


Original Submission

posted by n1 on Thursday June 30 2016, @01:22PM   Printer-friendly
from the oliver-twist dept.

We have been made aware that there were some problems with our site's automatic notification of subscriptions expiring. We are looking into it. I was surprised to find that mine had run out and suspect that others may be similarly unaware.

Please take a moment to load the Subscription Page and verify your status. We appreciate your support and cannot run this site without it. This is a purely volunteer effort here -- none of the staff receive any financial remuneration for their efforts. Your contributions go entirely to keeping this site running.

Please accept my deep and heartfelt thanks to all of you who contribute to the site in other ways: those who helped get the site off the ground in the beginning whether they moved on or stayed. Those who submit stories, post and moderate comments, edit the stories, support our systems, maintain and update the software, and all-round do what they can to make this a community for all of us — we need all of you.

On behalf of all the staff here at SoylentNews, I thank you in advance for your support.

[Update — 2016-06-30 12:45:00 UTC] Many, many thanks to all of you who have updated their subscriptions!

Since this story originally posted, we've had 14 people renew; by my rough calculations, we are now at approximately $2688 towards our $3000 goal for funding this site for the first half of the year. As was noted in the comments, it is possible to give a gift subscription to another user on the site -- just enter their UID on the form. Also, one can change the amount from that offered to a larger value, if you wish. We have one member whose subscription ends in 2026!


Original Submission

posted by janrinok on Tuesday June 14 2016, @01:23PM   Printer-friendly
from the like-maple-syrup dept.

So, the Islamic Terrorist Opens Fire on Florida Nightclub; 50 Killed, 53 Wounded story is up over 400 comments and loading slower than hell. We finally managed to find ourselves a limit to comments under the current code. There's a fix going to be coming in the upcoming site update but for now there are two workarounds; take your pick.

  1. Change your comment view mode to Nested or Flat.
  2. Change Comment Limit under Preferences to five to ten.

The latter solution gives you 5-10 root level comments and all their children not 5-10 comments total. It also allows you to keep using the javascript expand/collapse buttons if you were.


Original Submission

posted by takyon on Saturday June 04 2016, @03:30PM   Printer-friendly
from the just-a-thought dept.

Not infrequently, we receive a story submission to SoylentNews that consists of a single URL. Or, a story that contains but a single sentence or paragraph along with the URL. During weekends and holidays, the story submission queue tends to run dry. We have an IRC channel (#rss-bot) that gathers RSS links from around the web. Hmm.

It would be really handy if there were an automated way to "scrape" the contents of that page. In some cases, a simple redirect of the output of a text-based browser like Lynx would do the trick. Unfortunately, all too many sites subscribe to the idea that a web page needs to pull in Javascript and libraries from a myriad of other sites. Failing to do so displays a blank page.

There must be a way to do it — search engines like Google and Bing must extract the page text in order to index it. It would be best to have a general-purpose solution; having a custom template for each site is time-consuming to create and maintain (think if the site changes its layout). Our site is powered by Perl, so that would be the obvious preference.

So, fellow Soylentils, what tools and/or techniques have you used? What has worked for you?

Maybe I'm approaching this the wrong way? When all you have is a hammer... what am I missing here? Is there another approach?


Original Submission