The Article

I read Hacker News every day. A story on home server security made the front page recently and got me thinking about Tealok security and defense in depth in computing. This primarily came about due to the (excellent) Hacker News discussion of the article.

The story is pretty simple - you don’t need to read the entirety of the original article to get it. Here’s a summary

• The author starts up a Docker container running Postgres
• Docker by default exposes the container to the internet
• An attacker leveraged the default password in Postgres to get RCE within the container
• Attacker installs Kinsing malware to extract value from the exploited server.

One may be tempted to just say this is a “skills issue” on the part of the original author. If they’d known better, they wouldn’t have exposed the database container and there’d be no story here. I think that’s a valid take to a point - the world is full of dangers and experts are experts in part because they avoid dangers. But that’s missing import lessons.

TL;DR

Tealok is a personal cloud technology that empowers you to seamlessly manage your data, connect your devices, and organize your digital tools—all without the need for technical expertise, restrictive systems, or the hassle of platform decay. Imagine it as the smartphone in a world of payphones: always connected, unrestricted, and free from the high fees and limitations imposed by traditional solutions. With Tealok, you’re in control and ready to thrive in today’s digital age.

I live in Gilbert Arizona. I have access to fiber-to-the-home. The fiber is owned by Cox. This means that even though I hate them, Cox is the best option for my home Internet service.

Recently I was working on Tealok, specifically trying to figure out if it’s possible to run a group of containers within Docker Swarm on a single node using IPv6 for incoming traffic. The goal is for Traefik to terminate TLS and run as a reverse proxy for a number of different services that have a web frontend.

Summary

Docker-compose is a tool for working with Docker containers. It solves very real problems with deploying complex applications. By itself it is not enough to make self-hosting applications simple enough for the mass-market. What we need is something like docker-compose, but at a higher level of abstraction that has a concept of SQL databases, local caches, durable storage, service discovery, and resource management.

Too Long, Didn’t Read

We have the means to change how the world works. We can get rid of passwords, password managers, strength tests, password recovery flows, account registration, data breaches, identity theft, and on and on. We can build something better and safer than passkeys. We can use personal certificate authorities.

What?

When we deal with people, in person or via some kind of communication device, we need to be sure we are dealing with the person we expect. The process of determining that the other party is who they claim to be is authentication. In person this may be as simple as recognizing someone by their face or voice. Over a phone we may depend on the phone number of whoever is calling us. Different situations call for different levels of certainty, and therefore different mechanisms of authenticating the other person. If I’m just saying ‘hi’ to a neighbor I really don’t care to ensure they are who they claim to be. If I’m buying a house, I care very much.