Also Canadian. I don't often see "pint" on the menu, usually something like "16oz." Evidently restaurateurs and bar owners are wise to the law. Though I am pleased when I see "20oz" on the menu!
I kind of understand the logic by not serving 20oz and saying "pint". Customers might avoid a place because their "pints are more expensive", when in reality that place is also serving them 4oz of extra beer. A bit like the classic 1/3 lb cheeseburger being "smaller"[1].
Annoyingly, I do find that servers will often refer to their larger size beer as "pint" regardless of whatever the menu says.
Yes, but then you need to select the proper menu option at boot time. Sometimes just moving the hardware stack one to the left and swapping the cables is quicker.
Yes, WipeOS does secure erasing, and can do some mild diagnostic tests (something like MemTest86, but not as extensive). WipeOS can format a bootable USB drive to boot WipeOS if PXE doesn't work for whatever reason (BIOS doesn't support it, bug with NIC, etc). It should be possible to create an ISO from said USB drive, but I'm the only one who uses iVentoy. I haven't made that ISO because I don't mind swapping the ethernet cable during the ~10 seconds it takes to reboot.
Much more sophisticated and reliable than Xfinity.
Good datacenters have redundant and physically separated power and communication from different providers.
Also, in case something catastrophic happens at one datacenter, the author mentions they are peered to another datacenter in a different country, as another layer of redundancy. Cloudflare handles their ingress, so such a catastrophic event wouldn't likely to be noticed by their customers.
They probably sent it from gmail which would pass the SPF check (google.com and gmail.com have the same SPF).
They wouldn't have it signed to pass DKIM, but google doesn't use strict alignment checking so to pass DMARC either SPF or DKIM are acceptable.
Yes, SPF (the original design) is horribly broken and trivially bypassed. The most prominent design flaw is that the inbound SMTP service uses the SMTP (rfc5321) MailFrom address for SPF validation, which is not the same sender address shown to the recipient, they can only see the the message (rfc5321) 'From' header address. SPF originally didn't require the domains in the MailFrom and From addresses to match, so an attacker would simply use a domain they control in the MailFrom address, and the 'spoofed' domain in the From header.
That was in 10 years ago though. DMARC fixed this by adding the alignment requirement, meaning that the domains in the MailFrom and From address must match. By default the alignment policy is 'relaxed', meaning that the MailFrom and From domains can differ in subdomain, as long as they share the same organizational domain. Setting the SPF alignment to strict (aspf=s) like you mention in your post requires the domains to match exactly, with no subdomain differences allowed.
So, it doesn't matter that Google doesn't use strict SPF alignment in the DMARC policy, the fact that they have DMARC already adds the requirement to SPF validation that the domains must match.
Yes, google.com and gmail.com use the same IP ranges in the respective SPF policies, but Gmail will never allow you to send email addresses from a domain that you do not own. This is why domain validation is required when you set up Gmail with a custom domain.
The only scenario where your explanation would hold up, is if the attacker was able to gain control of the DNS of a subdomain of the google.com domain, and successfully validated it as a custom domain in Gmail, then send emails from that subdomain in rfc5321.MailFrom address and the google.com domain itself as the rfc5322.From domain.
Can't practically require both SPF and DKIM with DMARC anyways. Doing so would also be dumb as it would break forwarding (even when DKIM would otherwise remain intact).
Deprecating SPF would do everyone a favour though. Especially for reasons like these.
SPF alignment ensures the MAIL FROM domain matches the From header.
DKIM alignment ensures the From header matches the domain in the DKIM signature header.
In the DMARC policy, you can set both adkim=s and aspf=s.
Google owns and manages all of this, so they can send emails with a google.com MAIL FROM, a google.com header, and signed with a google.com DKIM key. And they could do likewise with gmail.com emails.
I'm not clear on why this isn't practical, perhaps there is something I'm missing though? I would appreciate your viewpoint.
DMARC specifies that SPF alignment is checked for the domain in the MIME From. The domains in SMTP and MIME From do not have to be the same (nor both align).
Your MTA can still check alignment for both HELO and SMTP From as specified by SPF's RFC(s) though and spam filters often do for extra information/signal.
DMARC's adkim/aspf aren't basically supported in practice. Nor they should be. For reasons already mentioned, as you already read.
So any message from Gmail is treated as legitimate for google.com, and yet Gmail can't do its own checks on outgoing mail to ensure that unauthorized people don't put legal@google.com in the From: header? Seriously?
You can deploy production workloads to spot instances, just make sure you have the rest of your infrastructure setup to handle the spot terminations. Excluding spot instances from the discussion, for any robust use case your infrastructure should be able to handle a single point of failure anywhere. See https://netflix.github.io/chaosmonkey/
I kind of understand the logic by not serving 20oz and saying "pint". Customers might avoid a place because their "pints are more expensive", when in reality that place is also serving them 4oz of extra beer. A bit like the classic 1/3 lb cheeseburger being "smaller"[1].
Annoyingly, I do find that servers will often refer to their larger size beer as "pint" regardless of whatever the menu says.
[1]: https://en.wikipedia.org/wiki/Third-pound_burger#Marketing_f...
reply