towerful


towerful ,

I remember during COVID, trying to reduce my bills. Called my mobile operator. For £200 fee I could buy out early, and pay £15 per month. Or I could continue paying something ridiculous like £60 per month.
Absolute no-brainer, and I would never get a contract phone again.

towerful ,

The 1 or 2 kB of lyrics are a few orders of magnitude smaller than the song being streamed.
The album art probably takes up more space than the lyrics.
So, album art should also be a paid feature?

Microsoft has gone too far: including a Game Pass ad in the Settings app ushers in a whole new age of ridiculous over-advertising ( www.techradar.com )

Windows 11 is getting out of hand with its push for advertisements, frankly - remember the recent full-screen pop-up to persuade users to install Edge or other Microsoft services? Then another advertisement was placed in the Start menu, and now Microsoft has finally worn my temper thin - with a new Game Pass ad coming to the...

towerful ,

I don't. But the person I replied to said they were having trouble with Linux on a surface.
So, that's a project dedicated to Linux on Surfaces. I would presume they had tried the usual distros and found them lacking.

Mac users served info-stealer malware through Google ads | Full-service Poseidon info stealer pushed by "advertiser identity verified by Google." ( arstechnica.com )

Mac malware that steals passwords, cryptocurrency wallets, and other sensitive data has been spotted circulating through Google ads, making it at least the second time in as many months the widely used ad platform has been abused to infect web surfers....

towerful ,

Larger sites cater towards scriptless web for accessibility requirements.
Smaller sites don't need SPA, so will most likely work to some degree.
The better (not necessarily bigger) blog systems will use scripting for fancy things, but will have fallbacks and will still work.

It's the middle tier web-app (and sites that want to be a web app but have no reason to be) that will run SPA without any fallback. You know, the ones that want to send notifications and know your location and all that fun stuff.

towerful ,

Any good RPG has a solid fishing mini game tbh

towerful ,

The cheap Chinese stuff often uses knock-off ICs tho.
They can be fairly difficult to detect, and will work for a short time or under very light loads. But they will be nowhere near the spec of the data sheets.
They might massively overheat, not provide the correct currents or voltages, run at lower speeds. All sorts of corners being cut to turn a $2 IC into a 50¢ IC. Or a 50¢ IC into a 5¢ one.

So yeh, might be the same PCB layout inside, it might visually look the same (or very very close) but the parts are likely to be counterfeit.

Of course, it's also probable that name brands might be hit with counterfeit parts inside as well. Hopefully their QA picks that up.

towerful ,

VMix popularity exploded during the pandemic. A lot of conferences became a blend of teams/zoom/Google and VMix.

Might be hardware based like a multi-m/e video mixer (blackmagic make cheap ones), or maybe more of a screen manager (like barco e2, analog way livecore). But, unless there are production requirements, vmix is much more likely. It's (now) proven, and much cheaper!

OBS can absolutely do it. There is other open source software that can do it.
I've seen people bastardise Resolume into something that looks decent.
There are some online studio systems so everything you do is virtualized. Streamyard used to be like this, till it was bought by Hopin (I think it was Hopin).

towerful ,

When metrics become targets, they fail to be metrics any more.

towerful ,

USB-C is also ridiculously future proof and flexible, because it's just a connector.
We are already doing 200 W power and 40 Gbps data transfer rates, using various standards.

Now, standardising on a standard would be neat. But that isn't going to happen.

towerful ,

Obviously, you need the hat-bag to carry spare hats.

towerful ,

Too advanced for me. Hannah Montana OS for me

towerful ,

You can do reverse proxy on the VPS and use SNI routing (because the requested domain is in clear text over HTTPS), then use Proxy Protocol to attach the real source IP to the TCP packets.
This way, you don't have to terminate HTTPS on the VPS, and you can load balance between a couple of WireGuard peers so you have redundancy (or direct them to different reverse proxies or whatever).
On your home servers, you will need an additional frontend (or frontends) that accepts Proxy Protocol from the VPS (as Proxy Protocol packets aren't standard HTTP/S packets, so standard HTTPS reverse proxies will drop them as unknown/broken/etc).
This way, your home reverse proxy knows the original IP and can attach it to the decrypted HTTP requests as X-Forwarded-For. Or you can do ACLs based on original client IP. Or whatever.

I haven't found a way to get a firewall that pays attention to Proxy Protocol TCP headers, but I haven't found that to really be an issue. I don't really have a use case.

towerful ,

Tests is the industry name for the automated paging when production breaks

towerful ,

If Trump loses this election, where does the Republican party have to go?

Denial, subversion and violence?

towerful ,

I was kinda hoping the UK was past exploiting the ill-informed, idiots and reckless. Especially after the wild wild success of Brexit.

But no, apparently not.
Exploit the AI hype that a lot of people probably don't understand.
Somehow argue that a computer is more human than a human.
Put this absolute garbage of a solution on the ballot, and watch everyone go "well, politicians aren't working, let's try breaking the system" and vote for some untested hallucinating predictive text algorithm to lead a country, while employing twice as many staff to fix/feed/spin/manipulate/fake the results of the AI.

towerful ,

I had a huge rant about this, but ditched it.

Steve is the actual politician, but will vote according to crowd sourced opinions on the topics.
And that's where AI Steve comes in. AI Steve helps generate policy ideas, and they are voted on by the approved community members. Parliamentary topics are also voted on by approved community members.
So AI Steve is the lube, but it's essentially direct democracy for the approved community members.

So, very cool idea (the direct democracy).
No idea if it would work on a wider/country scale.
Of course it's a Tory doing it.
Pretty sure this could be done just with an online voting/polling platform and 1 or 2 people doing data entry/gathering.

However, the "better than the past few PMs" is a dangerous rhetoric. Cause all it needs is also a "both sides the same, labour is Tory lite, etc", and suddenly a bunch of voters will vote disruptively and we get Brexit 2.0 (whatever that might be).
Voting disruptively is absolutely fine, but I'm fairly sure it's the easiest method for foreign influences to meddle in elections.

towerful ,

I'm gonna sound like a fanboy, but the alternative is Tidal.
Better audio quality, better (imo) suggestions, and not wasting money on podcasts and weird AI bs.

towerful ,

The certs are still valid.
They are just not implicitly trusted.

towerful , (edited )

LE certs can always be "side loaded" by acme.sh or LEbot or whatever, and the reverse proxy restarted to use the new certs. So, the whole "pro subscription to use specific certs" shouldn't be a factor, except a little more work/config (so, money Vs time).

Now for my opinion...

For base security, all it's doing is looking at whatever you tell it to look at in an HTTP request and forward/drop/block as such.
HAProxy is well battle-tested. Nginx is well battle-tested. Traefik and caddy are comparably newer contenders, but considering their adoption they are probably well battle-tested.
Which means, an established reverse proxy is only going to be as secure as the software it's forwarding traffic to.

If there happens to be some mental TLS handshake RCE that comes up, chances are they are all using the same underlying TLS library so all will be susceptible...
But at least an attacker only gets access to the reverse proxy server. Which is why it's worth having that in a locked down isolated VM, ideally built in a way that is extremely easy to rebuild (declarative configs like docker-compose and some scripts, or even something like nixos for an immutable OS).

As for add-ons... Most WAFs only look for things like XSS injection or SQL injection or exploitative HTTP request formats. Very very basic attack vectors that any decent HTTP stack and reasonably built software shouldn't even have to worry about.
Any DDoS protection is more likely to blast your network connectivity, which (for self hosting) a WAF isn't going to be able to do anything about.
I'm not sure how good they actually are against a DoS attack that is caused by bugs/inefficiencies in the application. Maybe they monitor for long/increasing response times, and block further requests to them? Might cause a lot of false-positives for your users.

So, the only real benefit - that I see - are zero-day exploit protections.... and that only matters if they are built around near-realtime updates like CrowdSec is. I don't know how it compares to Cloudflare's WAF, tho.
Any zero-day protection that isn't being managed and updated in near-realtime is about as effective as you monitoring news of your installed services/programmes and updating them regularly. Because you are likely to update your WAF and apps when you hear about those, or regular scheduled updates will deal with them before you even learn about them.

I guess there is security in layers, and if layers of security is more important than CPU consumption/response time/requests per second (i.e. have an abundance of processing, servicing few users, etc) then it might be a no-brainer.

The only other time I can see a generic WAF being useful is if you have rolled your own framework and HTTP stack, and are running your own software. Because, you won't get that right... So might as well have the extra protection of a WAF.

Or, I guess, with really old unsupported software.
But surely there is a newer take or fork of it?

There is also the "am I worth it" factor.
Like, what is your actual threat model?
Defend against the usual script-based attacks (i.e. low hanging fruit), only expose/forward ports that are actually required, use some sensible security that isolates more vulnerable systems (i.e. a proxy) from more sensitive ones (i.e. a database or storage), and update regularly on stable/LTS branches.

Edit:
I just googled bunkerweb.
First we had firewalls. Then we got web application firewalls. Along came next generation firewalls. Now we have Next Generation Web Application Firewalls with paid features like "Pay per protected services" and "Best effort support included"

Maybe I'm just salty.

towerful , (edited )

That got a bit long.
Reading more into bunkerweb.

Things like the "limit" feature are going to doink people on CGNAT or large corporate networks. I've had security stuff tripped by a company using my software, and it's a PITA cause all the requests from legit users come from only a few IP addresses.

Antibot isn't going to be helpful for things like JS requests, because cookies aren't included by default with fetch requests - so the application needs to be specifically built for this (at which point, do it at an application level so it can scale easier?).
And captcha. For whatever that is worth these days.

Reverse Scan is going to slow down every request (as it scans the remote client for suspicious open ports, so a 500ms delay as default).

Country is just geo-ip.

Bad Behaviour is just rate limiting (although with a 24h ban). Sucks if a few corporate/CGNAT users all hit a 404 and suddenly that entire company/ISP's IP is blocked for a day.

This seems like something to use when running a Tor server or something, where security is more important than user experience. Like, every feature seems to punish legit users.

towerful ,

So, is public accessibility actually required?
Does it need to be exposed to the public internet?

Why not use WireGuard (or another VPN)? Even easier is Tailscale.
If you are hand selecting users (i.e. it doesn't actually need to be publicly accessible), then VPN is the most secure, and just run a reverse proxy for ease & certs.
Or set up client certificate authentication, so only users that install a certificate issued by you can connect to the service (dunno how that works for 3rd party apps for Immich).

Like I asked, what is your actual threat model?
What are your requirements?
Is public accessibility actually required?

towerful ,

Haha, as soon as they said "pluto only needs 4.8km/s [dV]" I was like "great, let's sun-dive our waste from pluto, then"... Like, glossing over the whole "getting the waste to pluto" part.
Which they then went on to discuss.

towerful ,

Apparently Amelia Tyler - the Narrator for BG3 - checked in on some random Twitch stream, and they had an AI voice trained from her narration controlled by Twitch chat - which was saying some fucking horrendous stuff.

Scary as fuck.

Remember to talk to everyone you know about voice scams. Scammers absolutely are leveraging this tech, and piling it on top of the usual "I've flushed my phone down the toilet, I'm texting from a mate's phone and I need money to buy a new one for my job interview tomorrow" kinda scams.
Agree on a password or something, so that if "you" ever call (edit: or text) and put them under pressure then they ask for the password. Scammers will instantly divert or bail.

towerful ,

Trees!
Trees store lots of environmental and atmospheric data in their trunks. When they get fossilized a lot of that information remains intact.
Also, ice cores. Layers of ice protect previous layers of ice from further contamination, so are a pretty good snapshot of the environment/atmosphere at a given point in time.

https://www.bbc.co.uk/newsround/67074940

Wiki has more detailed information on how Miyake Events are "stored" in trees and ice cores.
https://en.m.wikipedia.org/wiki/Miyake_event

towerful ,

Between those that watched the short and those that didn't?

Do companies store facial and voice recognition data from the thousands of hours of zoom/teams calls that their employees use?

I heard a person call into a show the other day, voice only, and talk about some poor working conditions at a factory. Made me think about how it would probably be so easy for nefarious bosses to be able to identify that person through voice recognition SW with all of the data that comes from us looking directly into cameras and...

towerful ,

Companies would only do it in response to an incident.
Same as any IT related thing. IT will block bad websites, maybe have some alerts for common stuff, but will only sift through logs when something goes wrong so they can assess the extent, impact and fixes for things.

The exceptions are probably like Amazon where they have the processing power and dev-time to do things like this to their own employees, which might also turn into a marketable product for other companies.
Military contractors might as well (Boeing...).

"Hacked" Instagram

My other half discovered that some dodgy person/company had managed to send Instagram messages advertising handbags to all of her followers from her account. She changed her password immediately, but what could have happened here? Is it the case that a “hacker” had access to her full Instagram account, or would they have...

towerful ,

She’s just been through her junk email folder and found a “We’ve noticed a new login” email from Instagram yesterday.

The junking of security notices is so common.
A few months ago, my dad said "uh, I got some email from my bank, and now my credit card doesn't work".
The email was describing some problem with his account which would have been so much easier to fix before they cancelled the card.
Similarly, I lost a domain name because the registrar notifications for renewal ended up in my junk mail.

It's probably quite a significant issue. Companies can go "well we tried to contact you" and wash their hands.
Doesn't matter that they also spammed bullshit marketing emails from the same address that issues security/renewal notifications.
Doesn't matter that spam email has been such an issue it is near-impossible to host your own email server (and expect delivery) for a decade or so now.

towerful ,

Training will never stop, tho.
New models will keep coming out, datasets and parameters are going to change.

towerful ,

I tried to wash my brain, but I couldn't find enough clean water

towerful ,

Maybe the amount of shoplifting hasn't changed that much, but reporting and detection of it is better?
https://www.sfchronicle.com/sf/article/shoplifting-data-Target-Walgreens-16647769.php

towerful ,

I think a man would be more likely to recognise a woman as a woman.
A bear doesn't care. The bear sees the woman as a human, and acts accordingly.

So yeh, the bear would be more predictable.
Imagine if humans treated all humans as human.

towerful ,

Unimogs are exciting

towerful ,

I feel like Talos Linux is NixOS applied to a very specific purpose: Kubernetes.
I've recently been playing with Kubernetes, and Talos Linux feels like cheating.

I think NixOS could have a huge unexplored market in server side deployments. Install NixOS, connect to the fresh install via a CLI tool, apply the patches (flakes?), and have an easy way to reset to base NixOS when you make a mistake so you can try a different set of patches.
All from the CLI, all with idempotent config files.

Google Cloud accidentally deletes UniSuper’s online account due to ‘unprecedented misconfiguration’ ( www.theguardian.com )

More than half a million UniSuper fund members went a week with no access to their superannuation accounts after a “one-of-a-kind” Google Cloud “misconfiguration” led to the financial services provider’s private cloud account being deleted, Google and UniSuper have revealed.

towerful ,

Actually, it highlights the importance of a proper distributed backup strategy and disaster recovery plan.
The same can probably happen on AWS, Azure, any data center really.

towerful ,

This was a meme that made me start looking into having ADHD.
I always thought it was because I was an introvert.
I described it to a few folk, and they were like "I don't think that's being an introvert".
More Google led to "waiting mode" which describes it perfectly.
Everything from a weekend being "the only commitment is work on Monday, so I better do nothing to make sure I make the most of it". Through "dentist at 13.00, might as well have a lie in" and still being late.

Does anyone know of a FOSS Firewall for Windows

I currently use TinyWall Firewall; it works very well, it's small/portable, no complaints, I even donated to the dev, but I would really prefer open source. Also, it needs to be user friendly like TinyWall so my non-tech family members can/will use it like they do with TinyWall.

towerful ,

Do people really run Zenarmor, Snort or Suricata on their desktop?
Feels like a network firewall thing to do DPI for the whole house, instead of a per-machine thing.

After announcing increased prices, Spotify to Pay Songwriters About $150 Million Less Next Year ( www.billboard.com )

When Bloomberg reported that Spotify would be upping the cost of its premium subscription from $9.99 to $10.99, and including 15 hours of audiobooks per month in the U.S., the change sounded like a win for songwriters and publishers. Higher subscription prices typically equate to a bump in U.S. mechanical royalties — but not...

towerful ,

I'm enjoying Tidal

towerful ,

Unfortunately, I've only found a wrapped up web client thing. Using the web page is probably similar.

The wrapped up web client works better than the native client on Windows, tho. Not sure on sound quality, I haven't had an issue tho.

towerful ,

Yeh, it's pretty amazing.
Only thing I miss from Spotify are the user generated playlists, where I can search for something like "liquid drum and bass" and get a bunch of playlists.

towerful ,

Yeh, the Electron wrapped Tidal HiFi for Linux. I just checked the GitHub, and it says it supports High and Max settings thanks to Widevine.
I swapped from Spotify to Tidal on Windows and was blown away. Shortly after I started daily-driving Linux. I haven't done an A/B between the Linux Electron version and the Windows desktop version, but it hasn't annoyed me like Spotify did.

towerful ,

Yeh, that's where I'm at with it.
I've seen comments that Chromium does 48 kHz, and the high quality is 44.1 kHz, so there is sample rate conversion happening yada yada yada.
I'm not going to let perfection stand in the way of good.

Hopefully Tidal releases a native Linux client. That would be ideal.
Either way, it's better than Spotify. I'm not bombarded by podcasts, I'm not funding podcasts I wouldn't touch with a 10ft pole, and Tidal pays artists more than both Apple and Spotify.
It ticks enough boxes for me, and I'm super happy with Tidal.

towerful ,

Have you had other monitors working from the laptop? From that port?

You might need to RMA the monitor.
You've tried other cables, and if it's all fine with other monitors then it points at bandwidth over the HDMI connection (ruled out by using a lower resolution/refresh rate) or it points at the monitor itself.

Disabling it in device manager is such an odd fix, it is nothing I've even remotely heard of, seen or come across. Googling around it is turning up nothing.
It hints at a software issue, but that might be a red herring. Disabling the device might make Windows send a "safe" resolution, refresh rate, bit depth, HDR etc., so if a dodgy port/cable/monitor can't handle the higher bandwidth, the safe signal is lower bandwidth and hides the underlying issue.
But it feels like that has been ruled out.

Maybe contact the manufacturer, see if they can help? Make a list of everything you have tried, and what happened. That way, you can hopefully break through T1 support or get a fast RMA approval.

towerful ,

The only reason I can think of that disabling the monitor in the Device Manager works is that it disabled FreeSync or HDR, or stops Windows trying to send CEC power saving commands or whatever.
I have no idea why it's a fix, but it's clearly stopping Windows from trying to do something which causes the screen to flash.

I would be surprised if changing between limited and full-range fixed it. That's a hangover from old broadcast standards. It doesn't change the data rates.

It seems like it's working at lower data rates?
So 1440p60 is working but 1440p144 isn't?
Which points to an HDMI cable issue, a GPU issue or a GPU driver issue (and I mention GPU/driver because of FreeSync).
