Hacker News | dudeWithAMood's comments

This basically sums up the MN dilemma

That's original. How'd you come up with an idea for that?


I had medical debt to dispute, which requires certified mail. Every time the debt was resold I had to print, sign, stuff an envelope, and go to the post office again.

I built it so people could push back without the logistics.

Then I realized that nobody wants to deal with mailing at all and certified mail is used for way more than debt disputes, so I expanded it into a general legal-notice service.


I am a little confused because I got a 401 when I tried to pull an image from there. Do I need a login or something? For a free image it sure doesn't feel that way.


Yeah, and my docker.com creds don't work.


I think there are crawlers that do that. Somehow I accidentally had a commit with an OpenAI key in it, and when I published an open source repo with that commit, within ~20 seconds I got an email from OpenAI that someone had retired my exposed key.


Every job I've had with Gusto has managed to screw up payroll at some point. The support from Gusto is very poor, even a supervisor that's offshore when you call em won't be able to understand your basic questions.


My brother had an issue with Gusto, but I've not yet, after having used them for... probably at least 10 years now. Maybe longer. I was a refugee from QuickBooks payroll, which managed to screw up state filings such that I had 2 years of bad filings with the state where they were charging me late fees for things QP screwed up. Huge hassle, cost me days of time and a drive to the state capital to turn in paperwork in person. I swore off QuickBooks payroll and have been happy with Gusto ever since. But... I'm a single person who occasionally does payments to subcontractors, not dealing with payroll for dozens/hundreds.


lol they use LLMs to respond to support requests now and they don't seem to read what they're sending. I got an email from them where the LLM assumed I was the Gusto support representative:

> This was concerning to us, as we rely on Gusto to handle these automated compliance filings.

This was concerning to Gusto, as Gusto relies on Gusto to handle these automated compliance filings.


Their support is a literal train wreck


Honestly that's a great case for vibe coding, getting a splash page for a project that's not a website.


How are you going to make offline crypto payments?


What were you doing to get traffic from the open Internet to your webserver at home? I always felt that was a risky proposition, but I might just be stupid.


I've hosted at home for years and if you have it properly set up it's not any more risky than using a VPS. I have 443 open on my router and basically all web traffic is routed to a container on my server. The container is on an isolated VLAN and basically runs nginx as an SSL reverse proxy.

The actual web services behind the proxy run in their own containers and with proper isolation and firewall rules the effects of a security compromise are limited. At most an attacker will be able to take over the containers with an exploit (and they could do that with a VPS as well) but they won't be able to access the rest of the network or my secure internal systems.

If I was this guy and wanted to let people connect directly to my vapeserver I would simply host it on another vlan and port forward the HTTP connection. Even if someone manages to take over such an obscure system they're not going to be able to do much.


Open a port or if their router supports it, assign their device to a DMZ.

Why do you think it’s risky? Maybe we can talk about ways of securing it.

Like any server, it’s as safe as the server software (and its configuration).


Done it since before I properly knew what I was doing. Haven't had issues. Even though n=1, also now that I'm actually working in IT security, I don't think the risk was ever much bigger than what I could oversee

The main thing is that, if someone gets onto the server system, then they're in my network and they can do attacks on other devices in that LAN (guest wifis are a nice way to isolate that nowadays; that didn't exist back when I started). Same as when I take my laptop to school for example, then others can reach it. I've had issues with others in school doing attacks because the internet was unencrypted http back then (client-side hashing in JavaScript limited the impact though), but not from anyone who tried to hack into the server. Only automated scans for outdated Wordpress, setup files for Phpmyadmin, ssh password guessing... the things they simply try blindly on every IP address. If any of this is successful, you're most likely going to be turned into a spam-sending server or a DDoS zombie; not something with lasting impact once you discover the issue and remove the malware

Most attackers don't do targeted attacks on your system or network unless you're a commercial entity that presumably can pay a nice ransom, or are a high-profile individual. Attackers aiming for consumers send phishing emails and create phishing advertisements, look for standard password vaults if you run their malware, try using stolen credentials on Steam and hope you've got a payment method stored... the usual old things. Having a server doesn't make any of those attacks easier, and besides, self hosting is very uncommon. Even if you and I had a similar enough setup at home with a straightforward path to exploitation, it's a few thousand people that self-host in a country with millions of people. It's not worth developing attacks for


> What were you doing to get traffic from the open Internet to your webserver at home? I always felt that was a risky proposition,

How times change.

Once nearly every self-respecting IT pro ran servers from their home network. The modern drive to outsource and consolidate the interweb to a handful of big players I find rather odd; perhaps even counterproductive in the long run.


VPS with public ipv4, connected to home network over Tailscale and forward the traffic with socat. You'd probably be fine opening a port directly but a small VPS is free most places so might as well make the most of it.


Could you elaborate more on the "a small VPS is free"? Except Oracle's free tier offer, I am not aware of others; I'd appreciate it if you could point me in the right direction.


For this I used GCP free tier -- not sure why everyone acts like Oracle are the only free tier around when GCP and AWS offer always-free tiers too. It's just running socat to forward to the vape over Tailscale. Is there something I'm missing?


GCP outbound data is limited to 1GB/mo and I believe by default it doesn't have any cap, it will just charge for additional traffic with the credit card you are required to enter in order to get a free tier account. So I would be careful publishing anything with it.


I'm not sure where to go for the free VPS, other than Oracle Cloud, as you mention, but a Cloudflare tunnel will get traffic into your LAN even behind CGNAT or other nonsense.


You can put the public facing stuff on a separate VLAN and have firewall rules that don’t give the VLAN access to LAN stuff. I only know how to do this with IPv4 though, IPv6 confuses me and I’m scared to get it wrong so I disabled it.
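
The layout several comments above describe (port 443 forwarded to a reverse proxy on its own VLAN, with that VLAN denied access to the LAN) can be written as one nftables ruleset in the `inet` family, so the same forward policy covers IPv4 and IPv6. This is an added example, not from any commenter; the interface names and addresses are constructed assumptions.

```nftables
#!/usr/sbin/nft -f
# Added example. Interface names and addresses below are constructed
# placeholders; substitute the ones from your own router.
define WAN    = "eth0"             # uplink to the ISP (assumed name)
define LAN    = "vlan10"           # trusted internal network (assumed name)
define DMZ    = "vlan20"           # public-facing VLAN (assumed name)
define PROXY4 = 192.168.20.10      # reverse proxy, IPv4 (constructed)
define PROXY6 = 2001:db8:20::10    # reverse proxy, IPv6 (documentation prefix)

# "inet" tables see both IPv4 and IPv6 packets, so the isolation rules are
# written once and cannot silently miss one of the two protocols.
table inet homefw {
    chain forward {
        # Default deny: anything not explicitly allowed below is dropped,
        # which includes every DMZ -> LAN packet.
        type filter hook forward priority 0; policy drop;

        # Replies to allowed connections, plus ICMP/ICMPv6 errors that
        # conntrack associates with them (needed for IPv6 path MTU).
        ct state established,related accept
        ct state invalid drop

        # Internet -> reverse proxy, HTTPS only.
        iifname $WAN oifname $DMZ ip  daddr $PROXY4 tcp dport 443 accept
        iifname $WAN oifname $DMZ ip6 daddr $PROXY6 tcp dport 443 accept

        # The trusted LAN may open connections to the Internet and the DMZ.
        iifname $LAN accept

        # The DMZ may open connections to the Internet (updates, ACME),
        # but there is deliberately no rule with oifname $LAN for it.
        iifname $DMZ oifname $WAN accept
    }
}

# IPv4 needs a port forward because the proxy sits behind NAT. IPv6 hosts
# are globally addressed, so the forward chain above is the only gate.
table ip homenat {
    chain prerouting {
        type nat hook prerouting priority -100; policy accept;
        iifname $WAN tcp dport 443 dnat to $PROXY4
    }
}
```

With IPv6 there is no NAT standing in as an accidental firewall, so the `policy drop` on the forward chain is what keeps DMZ and Internet hosts out of the LAN. `nft -c -f <file>` checks the syntax without loading the rules.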


People might hack your toaster and burn your house down? Smart ovens? Smart microwaves? Smart fires?


I heard on NPR, can't remember which radio show, that customers these days do a really poor job of punishing poor companies. They cited the statistic that the most pissed off customer is only 2% less likely to use a service/product than the most loyal customer.


Often the competition isn't there, probably because we snoozed on antitrust for decades

Or they all do the same thing. "Let me vote with my wallet against the bullshit of forced arbitration!" Looks around...


Dude you do not understand how bad those "APIs" are for booking flights. Customers of Travelport often have screen reading software that reads/writes to a green screen. There's also tele-type, but like most of the GDS providers use old IBM TPF mainframes.

I spent the first two years of my career in the space, we joked anything invented post Michael Jackson's song Thriller wasn't present.


Somewhere in the world there is someone crying while using QIK…


And yet, they exist, and software has been built on top of them already.

