• 0 Posts
  • 75 Comments
Joined 1 year ago
Cake day: July 14th, 2023



  • What exactly are you trusting a cert provider with and what are the security implications?

    End users trust the cert provider. The cert provider has a process that they use to determine if they can trust you.

    What attack vectors do you open yourself up to when trusting a certificate authority with your websites’ certificates?

    You’re not really trusting them with your certificates. You don’t give them your private key or anything like that, and the certs are visible to anyone navigating to your website.

    Your new vulnerabilities are basically limited to what you do for them - any changes you make to your domain’s DNS config, or anything you host, etc. - and depend on that introducing a vulnerability of its own. You also open a new phishing attack vector, where someone might contact you, posing as the certificate authority, and ask you to make a change that would introduce a vulnerability.

    In what way could it benefit security and/or privacy to utilize a paid service?

    For most use cases, as far as I know, it doesn’t.

    LetsEncrypt doesn’t offer EV or OV certificates, which you may need for your use case. However, these are mostly relevant at the enterprise level. Maybe you have a storefront and want an EV cert?

    LetsEncrypt also only offers community support, and if you set something up wrong you could be less secure.

    Other CAs may offer services that enhance privacy and security, as well, like scanning your site to confirm your config is sound… but the core offering isn’t really going to be different (aside from LE having intentionally short renewal periods), and theoretically you could get those same services from a different vendor.
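An added example of the exchange the reply above describes, written for this page and not taken from the comment, from Let's Encrypt, or from any CA: the site generates its key pair locally, sends the CA only a certificate signing request (domain plus public key, signed to prove possession), and the CA validates the name and signs a leaf. The throwaway root, the domain example.com and the 90-day lifetime are constructed for the demo; a real CA performs domain-control validation (the ACME challenge) before the `Issue` step, which is modelled here by the caller passing in the name it validated.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CA is a constructed, self-signed issuer standing in for a public CA such as Let's Encrypt.
type CA struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// NewCA builds the throwaway root used for the demonstration.
func NewCA() (*CA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Demo Root CA (constructed)"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &CA{Cert: cert, Key: key}, err
}

// MakeCSR is everything the site sends: the domain and the public key, signed with the private key to prove possession. The private key never leaves the site.
func MakeCSR(siteKey *ecdsa.PrivateKey, domain string) ([]byte, error) {
	return x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{DNSNames: []string{domain}}, siteKey)
}

// Issue is the CA's side. validatedDomain is the name whose control the CA already checked (an ACME challenge in practice); a CSR naming anything else is refused.
func (c *CA) Issue(csrDER []byte, validatedDomain string) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil { // requester must hold the matching private key
		return nil, err
	}
	if len(csr.DNSNames) != 1 || csr.DNSNames[0] != validatedDomain {
		return nil, fmt.Errorf("CSR names %v but only %q was validated", csr.DNSNames, validatedDomain)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		DNSNames:     csr.DNSNames,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(90 * 24 * time.Hour), // short-lived, as the comment notes for LE
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, c.Cert, csr.PublicKey, c.Key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Demo runs the exchange for one domain and returns the site's key, the CA and the issued leaf.
func Demo(domain string) (siteKey *ecdsa.PrivateKey, ca *CA, leaf *x509.Certificate, err error) {
	if siteKey, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader); err != nil {
		return
	}
	if ca, err = NewCA(); err != nil {
		return
	}
	var csr []byte
	if csr, err = MakeCSR(siteKey, domain); err == nil {
		leaf, err = ca.Issue(csr, domain)
	}
	return
}

// ChainOK checks the leaf the way a browser does (chains to a trusted root, names the host) and confirms it carries the site's own public key, which the CA only ever saw in the CSR.
func ChainOK(ca *CA, leaf *x509.Certificate, siteKey *ecdsa.PrivateKey, domain string) bool {
	pool := x509.NewCertPool()
	pool.AddCert(ca.Cert)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: domain})
	return err == nil && leaf.PublicKey.(*ecdsa.PublicKey).Equal(&siteKey.PublicKey)
}

func main() {
	siteKey, ca, leaf, err := Demo("example.com")
	fmt.Println("issued and verified:", err == nil && ChainOK(ca, leaf, siteKey, "example.com"))
}
```

The point the reply makes is visible in the data flow: the only things that cross to the CA are the CSR bytes, and the only thing that comes back is a certificate containing the public key the site already published. What a CA can get wrong is the validation step, which is why `Issue` refuses a CSR for any name other than the one it validated.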



  • In AD&D, you still had access to the abilities of your retired classes, but if you used them you had experience penalties (if you use them in an encounter, you gain no experience for that encounter and your experience for the entire adventure is halved). The reason was that you were supposed to be learning to do things a new way, and if you fell back to the old way, you weren’t pushing yourself anymore. From the AD&D PHB, under “Dual-Class Benefits and Restrictions”:

    This is not to imply that a dual-class human forgets everything he knew before; he still has, at his fingertips, all the knowledge, abilities, and proficiencies of his old class. But if he uses any of his previous class’s abilities during an encounter, he earns no experience for that encounter and only half experience for the adventure.

    The paragraph goes on to explain what’s restricted (everything but HD and hit points), then ends with:

    (The character is trying to learn new ways to do things; by slipping back to his old methods, he has set back his learning in his new character class.)


  • Sorta turns the AD&D mechanic on its head. And it makes more sense than the way it was done in AD&D - I like it!

    Context: in AD&D, humans could “dual class,” which is similar to what you described - effectively retiring in one class and beginning to advance in another - and non-humans could “multi-class,” where they gained experience in two or more classes at the same time, leveling more slowly but getting the benefits of both classes.


  • Eligible libraries, archives, and museums have a few exemptions to the DMCA’s anti-circumvention clauses that aren’t available to ordinary citizens, but these aren’t unique to the Internet Archive. For example:

    Literary works, excluding computer programs and compilations that were compiled specifically for text and data mining purposes, distributed electronically where:

    (A) The circumvention is undertaken by a researcher affiliated with a nonprofit institution of higher education, or by a student or information technology staff member of the institution at the direction of such researcher, solely to deploy text and data mining techniques on a corpus of literary works for the purpose of scholarly research and teaching;

    (B) The copy of each literary work is lawfully acquired and owned by the institution, or licensed to the institution without a time limitation on access;

    (C) The person undertaking the circumvention views the contents of the literary works in the corpus solely for the purpose of verification of the research findings; and

    (D) The institution uses effective security measures to prevent further dissemination or downloading of literary works in the corpus, and to limit access to only the persons identified in paragraph (b)(5)(i)(A) of this section or to researchers affiliated with other institutions of higher education solely for purposes of collaboration or replication of the research.

    This exemption doesn’t allow them to publish the content, though, nor would it provide them immunity to takedown requests, if it did.

    These exemptions change every three years and previously granted exemptions have to be renewed. The next cycle begins in October and they started accepting comments on renewals + proposals for expanded or new exemptions in April, so that’s why we’re hearing about companies lobbying against them now.


  • Dunno, I think regardless of the method used by the extension, any extension called “Bypass Paywalls” that does what it says on the tin can pretty unambiguously be said to be designed to circumvent “technological protection measures”.

    “Bypass” and “Circumvent” are nearly synonymous in some uses - they both mean “avoid” - but that’s not really the point.

    From a legal perspective, it’s pretty clear no circumvention of technological protection measures is taking place*. Yes, bypassing or circumventing a paywall to get to the content on the site itself would be illegal, were that content effectively protected by a technological measure. But they’re not doing that. Rather, a circumvention of the entire site is occurring, which is completely legal (an obvious exception would be if they were hosting infringing content themselves or something along those lines, but we’re talking about the Internet Archive here).

    * - to be clear, I’m referring to what was detailed in the request, not the part that was redacted. That part may qualify as a circumvention.

    In this case, it circumvents the need to login entirely and obviously it circumvents the paywall.

    Following the same logic, Steam could claim that a browser extension showing where you can get the same game for cheaper or free circumvents their technological protection measure. It doesn’t. It circumvents the entire storefront, which is not illegal.

    That’s the same thing that’s happening here - linking to the same work that’s legally hosted elsewhere.

    Though as you said, these guys should probably be sending DMCAs to the Internet Archive

    Yes - if they don’t want their content available, that’s what they should do. They might not want to do that, because they appreciate the Internet Archive’s mission (I wonder if it’s possible to ask that content be taken down until X date, or for content to be made inaccessible but for it to still be archived?) or they might be taking a multi-pronged approach.

    Maybe archive.today is the problem? Maybe they don’t honor DMCA requests.

    Good point. If so, and if their site isn’t legally compliant in the same ways, then the extension becomes a lot less legally defensible if it’s linking there. That’s still not because it’s circumventing a technological protection, though - it’s because of precedent that “One who distributes a device with the object of promoting its use to infringe copyright, as shown by clear expression or other affirmative steps taken to foster infringement, going beyond mere distribution with knowledge of third-party action, is liable for the resulting acts of infringement by third parties using the device, regardless of the device’s lawful uses,” (Source), where “device” includes software. Following that precedent, plaintiffs could claim that the extension promoted its use to infringe copyright based off the extension’s name and that it had knowledge of third-party action because it linked directly to sites known to infringe copyright.

    The Digital Media Law Project points out that there are two ways sharing links can violate the DMCA:

    • Trafficking in anti-circumvention tools - which is obviously not what’s going on here
    • Contributory copyright infringement - which is basically doing something described by the precedent I shared above.

    I’m not sure how the extension searches web archives. If it uses Google, for example, then it would make sense to serve Google a DMCA takedown notice (“stop serving results to the known infringing archive.piracy domain”), but if the extension directly searches the infringing web archive, then the extension developers would need to know that the archive is infringing. Serving them a DMCA takedown (“stop searching the known infringing archive.piracy domain”) would give them notice, and if they ignored it, it would then be appropriate to send the takedown directly to their host (Github, the browser extension stores, etc) citing that they had been informed of the infringement of a site they linked to and were de facto committing contributory infringement themselves.

    Given that they didn’t do that, I can conclude one of the following:

    1. The lawyers are incompetent.
    2. The lawyers are competent and recognize that engaging in bad faith like this produces faster results; if this is contested they’ll follow up with something else, possibly even the very actions I described.
    3. The archives that are searched by the extension aren’t infringing and this was the best option the lawyers could come up with.

  • How is the accused project designed to circumvent your technological protection measures?

    The identified Bypass Paywalls technology circumvents NM/A’s members’ paywalls in one of two ways. [private]

    For hard paywalls, it is our understanding that the identified Bypass Paywalls technology automatically scans web archives for a crawled version of the protected content and displays that content.

    If the web archives have the content, then a user could just search them manually. The extension isn’t logging users in and bypassing your login process; it’s just running a web search for them.


  • hedgehog@ttrpg.network to RPGMemes@ttrpg.network · Respect the hustle · 1 month ago (3 up, 2 down)

    Damage taken from being the Fall season would be called “Fall damage” in English though.

    If I’m in a fight, I’m fighting. If I’m on a walk, I’m walking. On a hike? Hiking. If I’m at a party, I’m partying. If there’s rain in the air, it’s raining. If I’m applying butter to my toast, I’m buttering my toast. If I’m on a boat, I’m boating. If I’m in the middle of a fall, I’m falling.

    Is it hard to understand that someone is referring to the act of entering Fall (or being in the middle of Fall) when they call it “falling?”

    Regardless of whether you find that difficult to understand or to accept, it’s a well-established linguistic phenomenon known as “verbification.”

    You are not falling. It is fall. Falling is only from a present tense verb of fall.

    You’re wrong on several counts.

    First, you don’t suffer “falling damage” from falling. You suffer it from landing after falling (refer to page 183 of the PHB if you don’t believe me). However, casting Feather Fall is a reaction that you can take when you or another creature “falls,” so it was appropriate to cast it at the start of the season.

    Second, “falling” is not the present tense of “fall.” The simple present tense of “fall” is “fall” or “falls,” but other “present tenses” include: the present perfect simple (“He has fallen”), present progressive/continuous, and present perfect progressive.

    “Falling” is the present participle, and it can be used both as an adjective (“The falling bard”) and as part of the past continuous/progressive (“The bard was falling”), present continuous/progressive (“The bard is falling”), and future continuous/progressive (“The bard will be falling”) verb tenses, as well as with their perfect variants (had been falling, has been falling, will have been falling).


  • Yes, but only in very limited circumstances. If you:

    1. fork a private repo with commit A into another private repo
    2. add commit B in your fork
    3. someone makes the original repo public
    4. You add commit C to the still private fork

    then commits A and B are publicly visible, but commit C is not.

    Per the linked Github docs:

    If a public repository is made private, its public forks are split off into a new network.

    Modifying the above situation to start with a public repo:

    1. fork a public repository that has commit A
    2. make commit B in your fork
    3. You delete your fork

    Commit B remains visible.

    A version of this where step 3 is to take the fork private isn’t feasible because you can’t take a fork private - you have to duplicate the repo. And duplicated repos aren’t part of the same repository network in the way that forks are, so the same situation wouldn’t apply.


  • Reverse proxies aren’t DNS servers.

    The DNS server will be configured to know that your domain, e.g., example.com or *.example.com, is a particular IP, and when someone navigates to that URL it tells them the IP, which they then send a request to.

    The reverse proxy runs on that IP; it intercepts and analyzes the request. This can be as simple as transparently forwarding jellyfin.example.com to the specific IP (could even be an internal IP address on the same machine - I use Traefik to expose Docker network IPs that aren’t exposed at the host level) and port, but they can also inspect and rewrite headers and other request properties and they can have different logic depending on the various values.

    Your router is likely handling the .local “domain” resolution and that’s what you’ll need to be concerned with when configuring AdGuard.


  • reasonable expectations and uses for LLMs.

    LLMs are only ever going to be a single component of an AI system. We’ve only had LLMs with their current capabilities for a very short time period, so the research and experimentation to find optimal system patterns, given the capabilities of LLMs, has necessarily been limited.

    I personally believe it’s possible, but we need to get vendors and managers to stop trying to sprinkle “AI” in everything like some goddamn Good Idea Fairy.

    That’s a separate problem. Unless it results in decreased research into improving the systems that leverage LLMs, e.g., by resulting in pervasive negative AI sentiment, it won’t have a negative effect on the progress of the research. Rather the opposite, in fact, as seeing which uses of AI are successful and which are not (success here being measured by customer acceptance and interest, not by the AI’s efficacy) is information that can help direct and inspire research avenues.

    LLMs are good for providing answers to well defined problems which can be answered with existing documentation.

    Clarification: LLMs are not reliable at this task, but we have patterns for systems that leverage LLMs that are much better at it, thanks to techniques like RAG, supervisor LLMs, etc…

    When the problem is poorly defined and/or the answer isn’t as well documented or has a lot of nuance, they then do a spectacular job of generating bullshit.

    TBH, so would a random person in such a situation (if they produced anything at all).

    As an example: how often have you heard about a company’s marketing departments over-hyping their upcoming product, resulting in unmet consumer expectation, a ton of extra work from the product’s developers and engineers, or both? This is because those marketers don’t really understand the product - either because they don’t have the information, didn’t read it, because they got conflicting information, or because the information they have is written for a different audience - i.e., a developer, not a marketer - and the nuance is lost in translation.

    At the company level, you can structure a system that marketers work within that will result in them providing more correct information. That starts with them being given all of the correct information in the first place. However, even then, the marketer won’t be solving problems like a developer. But if you ask them to write some copy to describe the product, or write up a commercial script where the product is used, or something along those lines, they can do that.

    And yet the marketer role here is still more complex than our existing AI systems, but those systems are already incorporating patterns very similar to those that a marketer uses day-to-day. And AI researchers - academic, corporate, and hobbyists - are looking into more ways that this can be done.

    If we want an AI system to be able to solve problems more reliably, we have to, at minimum:

    • break down the problems into more consumable parts
    • ensure that components are asked to solve problems they’re well-suited for, which means that we won’t be using an LLM - or even necessarily an AI solution at all - for every problem type that the system solves
    • have a feedback loop / review process built into the system

    In terms of what they can accept as input, LLMs have a huge amount of flexibility - much higher than what they appear to be good at and much, much higher than what they’re actually good at. They’re a compelling hammer. System designers need to not just be aware of which problems are nails and which are screws or unpainted wood or something else entirely, but also ensure that the systems can perform that identification on their own.


  • That’s still a single point of failure.

    So is TLS or the compromise of a major root certificate authority, and those have no bearing on whether an approach qualifies as using 2FA.

    The question is “How vulnerable is your authentication approach to attack?” If an approach is especially vulnerable, like using SMS or push notifications (where you tap to confirm vs receiving a code that you enter in the app) for 2FA, then it should be discouraged. So the question becomes “Is storing your TOTP secrets in your password manager an especially vulnerable approach to authentication?” I don’t believe it is, and further, I don’t believe it’s any more vulnerable than using a separate app on your mobile device (which is the generally recommended alternative).

    What happens if someone finds an exploit that bypasses the login process entirely?

    Then they get a copy of your encrypted vault. If your vault password is weak, they’ll be able to crack it and get access to everything. This is a great argument for making sure you have a good vault password, but there are a lot of great arguments for that.

    Or do you mean that they get access to your logged in vault by compromising your device? That’s the most likely worst case scenario, and in such a scenario:

    • all of your logged in accounts can be compromised by stealing your sessions
    • even if you use a different app for your 2FA, those TOTP secrets and passkeys can be stolen - they have to be on a different device
    • you’re also likely to be subject to a ransomware attack

    In other words, your only accounts that are not vulnerable in this situation solely because their TOTP secret is on a different device are the ones you don’t use on that device in the first place. This is mostly relevant if your computer is compromised - if your phone is compromised, then it doesn’t matter that you use a separate password manager and authenticator app.

    If you use an account on your computer, since it can be compromised without having the credentials on device, you might as well have the credentials on device. If you’re concerned about the device being compromised and want to protect an account that you don’t use on that device, then you can store the credentials in a different vault that isn’t stored on your device.

    Even more common, though? MITM phishing attacks. If your password manager verifies the url, fills the password, and fills your TOTP, then that can help against those. Start using a different device and those protections fall away. If your vault has been compromised and your passwords are known to an attacker, but they don’t have your TOTP secrets, you’re at higher risk of erroneously entering them into a phishing site.

    Either approach (same app vs different app) has trade-offs and both approaches are vulnerable to different sorts of attacks. It doesn’t make sense to say that one counts as 2FA but the other doesn’t. They’re differently resilient - that’s it. Consider your individual threat model and one may be a better option than the other.

    That said, if you’re concerned about the resiliency of your 2FA approach, then look into using dedicated security keys. U2F / WebAuthn both give better phishing resistance than a browser extension filling a password or TOTP can, and having the private key inaccessible can help mitigate device compromise concerns.
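Added example for the comment above, written for this page and not taken from the comment or from any password manager: what a TOTP secret actually is (a shared key; anyone holding the base32 string can compute every future code, which is why the thread treats "secret on another device" as the only thing device separation buys), and the URL check a password manager applies before filling a password or code, which is the MITM-phishing protection the comment refers to. The secret is the RFC 6238 test-vector key and the URLs are constructed.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/base32"
	"encoding/binary"
	"fmt"
	"net/url"
	"strings"
	"time"
)

// DecodeSecret turns the base32 secret from an otpauth:// URI or QR code into raw bytes.
// This string is all an authenticator stores; whoever holds it can mint codes.
func DecodeSecret(s string) ([]byte, error) {
	s = strings.ToUpper(strings.ReplaceAll(s, " ", ""))
	return base32.StdEncoding.WithPadding(base32.NoPadding).DecodeString(s)
}

// TOTP computes an RFC 6238 code with the common defaults: HMAC-SHA1 and a 30-second step.
func TOTP(secret []byte, t time.Time, digits int) string {
	var counter [8]byte
	binary.BigEndian.PutUint64(counter[:], uint64(t.Unix())/30)
	mac := hmac.New(sha1.New, secret)
	mac.Write(counter[:])
	sum := mac.Sum(nil)
	// RFC 4226 dynamic truncation: the low nibble of the last byte selects a 4-byte window.
	offset := int(sum[len(sum)-1] & 0x0f)
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// ShouldAutofill is the origin check a password manager applies before filling a password
// or TOTP code: the page must be served over https and its host must equal the host the
// entry was saved for. A look-alike such as example.com.login-verify.test fails, which is
// what keeps the credentials out of a MITM phishing page that relays them to the real site.
func ShouldAutofill(savedURL, pageURL string) bool {
	saved, err := url.Parse(savedURL)
	if err != nil {
		return false
	}
	page, err := url.Parse(pageURL)
	if err != nil {
		return false
	}
	return page.Scheme == "https" && strings.EqualFold(page.Hostname(), saved.Hostname())
}

func main() {
	// Constructed input: the RFC 6238 test-vector key "12345678901234567890" in base32.
	secret, err := DecodeSecret("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
	if err != nil {
		panic(err)
	}
	fmt.Println("code at t=59:", TOTP(secret, time.Unix(59, 0), 8)) // 94287082 per RFC 6238
	pages := []string{
		"https://example.com/login",
		"https://example.com.login-verify.test/login",
		"http://example.com/login",
	}
	for _, page := range pages {
		fmt.Printf("%-48s fill=%v\n", page, ShouldAutofill("https://example.com/", page))
	}
}
```

The exact-host rule is deliberately strict: an entry saved for example.com is not filled on login.example.com. Real managers layer per-entry matching rules on top of this, but every loosening is a place where the phishing resistance the comment describes is given back; a user typing the code by hand from a separate device has no check at all, which is the comparison the comment is drawing.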