Yup, I’ve done this. I use a fly.io proxy that runs nginx and fail2ban and that forwards to my tailnet, where Caddy resolves to the actual instance. It’s critical that you disable local registration - I have authentik (only available on the tailnet) as an IdP, but you can also just disable registration after making your own account, of course. I also have a robots.txt that disables some stuff like all the individual rendered git commit views; otherwise scrapers get stuck in an endless loop. I also strictly forbid access to the forgejo package repository since I have some private packages and the permission granularity there is not what I want it to be; still dialing that in. I’m keeping an eye on it and so far nothing terrible has happened. docs.eblu.me if you would like details… I could also link straight to the infra code if you like.
You’re welcome! I only ran into this last week and I might not have this straight yet because I haven’t had time to sit and untangle it. I have a private repo that has a release workflow that publishes a Python package to the forgejo package repository using my public user profile. I mistakenly assumed that because the repo was private the package would be as well, but that link is not enough to set public/private and it is instead fully public. Listable and everything, no PAT needed. This is where I’m less clear: I think I could make my user profile private and this would hide the packages, but I want my profile public. So I just black-holed the entire packages API outside of the tailnet.
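The two comments above describe the same edge control: drop every request for Forgejo's package registry that arrives through the public proxy (so a package published from a private repo can't be listed anonymously), and serve a robots.txt that keeps compliant crawlers out of the per-commit renders. Here is what that looks like in the nginx on the public-facing proxy. This is an added example, not the commenter's infra code: the upstream name `forgejo_tailnet`, its address, and the hostname `git.example.com` are placeholders; the URL paths (`/api/packages/{owner}/...`, `/{owner}/-/packages`, `/{owner}/{repo}/commit/...`) are Forgejo's own.

```nginx
# Added example (not the commenter's infra code): nginx on the public proxy,
# in front of the tailnet-side Caddy/Forgejo. Placeholders: the upstream name
# and address, and the hostname. TLS settings are omitted.
upstream forgejo_tailnet {
    server 100.64.0.2:3000;   # placeholder: tailnet address of the Forgejo host
}

server {
    listen 443 ssl;
    server_name git.example.com;   # placeholder hostname

    # 1. Black-hole the package registry for anything coming in from the internet.
    #    /api/packages/{owner}/... is used by every registry type (pypi, npm, ...),
    #    /{owner}/-/packages is the web listing. 444 drops the connection
    #    without sending a response, so nothing is listable or fetchable here.
    location ^~ /api/packages/ {
        return 444;
    }
    location ~ ^/[^/]+/-/packages {
        return 444;
    }

    # 2. Keep well-behaved crawlers out of the unbounded per-commit views.
    #    Caveat: robots.txt only stops crawlers that honour it; misbehaving
    #    scrapers still need rate limiting or fail2ban.
    location = /robots.txt {
        default_type text/plain;
        return 200 "User-agent: *\nDisallow: /*/*/commit/\nDisallow: /*/*/commits/\nDisallow: /*/*/blame/\nDisallow: /*/*/compare/\nDisallow: /*/*/src/commit/\nDisallow: /*/-/packages\nDisallow: /api/\n";
    }

    # 3. Everything else is forwarded over the tailnet.
    location / {
        proxy_pass http://forgejo_tailnet;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

To check that the hole is actually closed, run `curl -sS -o /dev/null -w '%{http_code}\n' https://git.example.com/api/packages/<owner>` from a machine that is not on the tailnet: before the change an anonymous request returns 200 with the package listing, afterwards curl reports an empty reply / connection reset. Repeat the same request from a tailnet host against the Caddy endpoint to confirm your own release workflow still reaches the registry.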
This is called KYC and is a standard part of operating a financial service. Seems to me like it should be part of internet infrastructure services as well. And, I thought, in some cases already is?
... and financial services companies huge and small still go out of their way to help their clients move money around in a myriad of ways, because it's very lucrative and there are so many loopholes and ways to obscure things. Offloading the responsibilities of law enforcement and regulatory bodies to private companies makes things worse for everybody. Providing non-crime services to criminals should not be a crime any more than selling a candy bar to a criminal is. As long as you aren't actively aiding or covering up for a crime, not reporting criminal activity is not even a crime in many areas, and if KYC can effectively identify criminals, law enforcement should be able to do it themselves.
No fintech within reach of the US government is going to give money to terrorists under sanctions on the SDN without facing severe fines/consequences. That various groups have faced consequences for giving money to terrorists is a sign of the system working, not that it doesn't work. No system is going to be 100% perfect, but the US is pretty serious about having no one they have control over sending money to eg North Korea.
Ok, terrorists and countries we've been at war with for 70 years. What about drug dealers, mafias, hitmen, corrupt politicians, white collar criminals, scammers, etc? Criminals that actually threaten Americans? Nobody cares about whether terrorists or whatever tinpot dictator can get funding through US banks, because the CIA is bringing pallets of cash to them anyway.
Having worked in compliance engineering I have also reported through the IC3 portal, and spoken with lawyers and analysts who register with FinCEN (which, to be clear, is maybe just a step beyond "My Uncle works at Nintendo...") and I have heard that those reports do get reviewed and often acted on, but yes, you will typically never hear back from them. (FinCEN has its own reporting structure, but we also submitted certain reports through the IC3 portal as well.)
Honestly, the "acted upon" part needs to be highlighted in tangible ways, otherwise people will be suspicious that nothing ever happens to our reports, leading to fewer reports being submitted.
During the IC3 reporting process I was asked to submit the name of people behind the scam, if known. I knew one of them because the scammer asked for a wire transfer to a named account at a bank in Oregon. Probably a mule.
Does anyone at the FBI or other agencies actually do anything with this information, such as contacting the bank in question or correlating it with other investigations? That's what I would expect if law enforcement were serious about enforcing the laws on the books. But there is no indication that anything happened, other than a confirmation number being spit out on a web page that my report had been received. That's why I made the "black hole" comment earlier.
If the IC3 portal highlighted specific cases or stats ("thanks to reports submitted to IC3, n investigations were initiated/suspects charged/convictions secured") that would really help convince ordinary victims that the government is taking tangible steps to fight this scourge of small-scale scams and frauds that affect millions of people every year.
There are strict rules about not talking about open investigations because of so-called "Tipping-off" rules. It can carry some pretty serious penalties - jail time, fines. I agree it would be nice if the FBI itself made some announcements about these sorts of things, and they might do that in aggregate, but if you're a bank or fintech employee and you're in communication with the FBI you absolutely cannot say anything about it. Even confirming that an investigation existed could be penalized.
> Even confirming that an investigation existed could be penalized.
I didn't know that. But that is another point that could be highlighted on the IC3 homepage or confirmation, along with aggregated data about enforcement actions resulting from submissions from ordinary victims.
My assumption is that they at least have an intern read them, but only act on reports likely to lead to major cases, for some value of "major" that includes cases where terrorism, large sums of money, or Important People are involved, or more generally cases that could lead to seriously good/bad PR if pursued/ignored.
De minimis non curat FBI.
They may also flag certain cases to be passed to other relevant authorities like FinCEN, the Secret Service, the Postal Inspection Service, various military investigative services, or even the intelligence community (assuming NSA doesn't already intercept the mailbox which would be a very reasonable thing to do).
"Acted upon" in these sorts of bulk data contexts typically means "charge them for an extra count when we pick them up for something else".
It's like the internet crimes version of putting the serial number of stolen property in a police report. They ain't looking for it, but they'll tack the charge when they inventory a crackhouse bust and that number pops up stolen.
They aren't dedicating serious resources to speculatively looking at the reports and trying to assess patterns like some TV cop looking at a series of dead hookers and saying "aha we have a serial killer on the loose".
Same. I lost a lot of photos this way. I've recently moved over to Immich + Borg backup with a 3-2-1 backup between a local synology NAS and BorgBase. Painful lesson, but at least now I feel much more confident. I've even built some end-to-end monitoring with Grafana.
Thanks... hence, 3-2-1 backups with offsite :) appreciate it though. Will definitely be rolling my own NAS in the future, I just needed something easy at the time.
I've recently started hosting my own forgejo instance. It works so well! Free tailscale for connectivity. I expose mine over fly.io proxy, also free, but not to be done without caution.
Correct. Not sure about a sql archive, but the kiwix ZIM archive of the top 1M English articles including (downsized but not minimized) images is 43GiB: https://download.kiwix.org/zim/wikipedia/
And the entire English wikipedia with no images is, interestingly, also 43GiB.
It goes a lot further than plan mode though, in fact I would say the key difference of mikado refactors from waterfall refactors is that you don’t do all the planning up front with mikado. If anything you try to do as little planning as possible.