Crowdstrike didn’t target anyone either. Yet, a mistake in code that privileged, resulted in massive outages. Intel ME runs at even higher privileges, in even more devices.

I am opposed to stuff like kernel level code, exactly for that reason. Mistakes can be just as harmful as malice, but both are parts of human nature. The software we design should protect us from ourselves, not expose us to more risk.

There is no such thing as a back door that “good guys” can access, but the bad guys cannot. Intel ME is exactly that, a permanent back door into basically every system. A hack of ME would take down basically all cyber infrastructure.

Cal state northridge?

https://wiki.archlinux.org/title/List_of_applications/Internet#Pastebin_services

That pages shows how to use curl to upload to 0x0.st.

I’ve used the pastebinit program listed on that page to upload to paste.debian.net, but it supports other sites as well.

Because forgejo’s ssh isn’t for a normal ssh service, but rather so that users can access git over ssh.

Now technically, a bastion should work, but it’s not really what people want when they are trying to set up git over ssh. Since git/ssh is a service, rather than an administrative tool, why shouldn’t it be configured within the other tools used for exposes services? (Reverse proxy/caddy).

And in addition to that, people most probably want git/ssh to be available publicly, which a bastion host doesn’t do.

So, I’m not gonna pretend flatpak doesn’t use more space then normal apps, but due to deduplication (and sometimes filesystem compression), flatpaks often use less space than people think.

[nix-shell:~/Playables/chronosphere]$ sudo /nix/store/xdrhfj0c64pzn7gf33axlyjnizyq727v-compsize-1.5/bin/compsize -x /var/lib/flatpak/
Processed 49225 files, 21778 regular extents (46533 refs), 22188 inline.
Type       Perc     Disk Usage   Uncompressed Referenced
TOTAL       53%      898M         1.6G         3.6G
none       100%      499M         499M         1.0G
zstd        34%      399M         1.1G         2.6G

[nix-shell:~/Playables/chronosphere]$ du -sh /var/lib/flatpak/
1.7G    /var/lib/flatpak/

I only have one flatpak app installed, and du says that takes up 1.7 GB of space… but actually, when using a tool that takes up BTRFS transparent compression into account, only half of that space is used on my disk.

I recommend using compsize for a BTRFS compression aware version of du and flatpak-dedup-checker for a flatpak filesystem deduplication aware checker of space used.

I think flatpak absolutely does use up more space, because yes, it is another linux distro in your distro. But I think that’s a tradeoff people accept in order to have a universal package manager for graphical apps.

Also, you can flatpak cli tools. They are just difficult to run at first because you have to do the flatpak run org.orgname.appname thing, but you can alias that to a short command. Here is a flatpak of micro, a terminal based text editor.

(I prefer nix for cli tools though, and docker/podman/containers for services).

So based on what you’ve said in the comments, I am guessing you are managing all your users with Nixos, in the Nixos config, and want to share these users to other services?

Yeah, I don’t even know sharing Unix users is possible. EDIT: It seems to be based on comments below.

But what I do know is possible, is for Unix/Linux to get it’s users from LDAP. Even sudo is able to read from LDAP, and use LDAP groups to authorize users as being able to sudo.

Setting these up on Nixos is trivial. You can use the users.ldap set of options on Nixos to configure authentication against an external LDAP user. Then, you can configure sudo

After all of that, you could declaratively configure an LDAP server using Nixos, including setting up users. For example, it looks like you can configure users and groups fro the kanidm ldap server

Or you could have a config file for the openldap server

RE: Manage auth at the reverse proxy: If you use Authentik as your LDAP server, it can reverse proxy services and auth users at that step. A common setup I’ve seen is to run another reverse proxy in front of authentik, and then just point that reverse proxy at authentik, and then use authentik to reverse proxy just the services you want behind a login page.

I dunno what’s most appropriate for email, but I often joke:

Isn’t open source kinda like a cult?

It’s a not a cult I swear! Just switch to free software, and free yourself!

I’ve also heard my friend say something along the lines of:

Free software, free culture, free people

Or maybe it was free world or free trade? I can’t remember.

Although, for slogans like this, I might go with something that has more of an immediate effect, like shilling an adblocker.

• Install uBlock Origin. Blocking ads is one of the easiest ways to increase your security.
• Install uBlock Origin. It blocks more than just ads, but also tracker scripts that follow you around the net and collect your data.

Or the ever so simple:

• Free software means free as in freedom — not as in beer.

Anyway, I partially agree with the other poster, but I think a one sentence quip at the end of an email is unobtrusive enough that it gets a pass. Of course, it depends on your specific workplace and how strict they are, but I would assume most workplaces have a little space for humanity.

First things first: Check if any data was actually leaked/breached.

Many times, the data leaks news sites like to report in the most alarmist manner, don’t actually contain any new data, and are just aggregations of older breaches that already happened. Although still worth reporting, sadly, due to the way ads and clickbait works, they are incentivized to play it up and report it as the LARGEST DATA BREACH EVER 2024 CLICK ME IMMEDIATELY.

But yeah. My recommendation: Find high quality sources which either don’t report this stuff, or I like lemmy (and used to like reddit), because when stuff like that gets posted, it gets called out by users in the comments.

Disabling javascript increases security, and offers a little bit of privacy. Those are both separate from anonymity, but people conflate the three often.

For example, javascript can be made to do arbitrary websoccket or http connections to any ip/hostname your computer has access to — even local networks or localhost.

I use the browser extension Port authority to block it.

Of course, port scanning is used by ebay to scan users computers, and discord.

Disabling javascript prevents websites from tracking exactly what you do on each site, or what local ports you have open. This is definitely an increase in privacy, as it relates to hiding what you’re doing. However, you noted it comes at the cost of anonymity, as you become uniquely identifiable.

Anyway the centralized nature of Revolt Chat makes it no very appealing for me.

I agree with this. I will probably stick with either matrix or xmpp due, to their federated nature, and strong E2EE. Matrix is a better discord replacement, as it has more features, is more standardized, has a better web client, and has “spaces”, which are somewhat analogous to discord servers.

Xmpp however, is much more lightweight on both servers and clients than matrix, and it’s E2EE works more reliably (none of that "failed to decrypt nonsense), and makes a better E2EE messenger.

I attempted to find evidence to support this.

I found one reddit post claiming this, but they themselves did not provide any evidence.

freedom of religion is a human right bruh i did not say anything but i believe in god the banned me and claimed i was being homophobic 1. i said nothing about it 2. stfu even if i was

​Not exactly the most compelling piece of evidence, and this was all I could find.

Pip in a venv doesn’t get you non python tools.

Conda also has venvs, for seperate environments for stuff as well.

https://rclone.org/drive/

https://rclone.org/crypt/

No way to protect emails, google chats, or many other things AFAIK. Yeah, I hate it too.

https://tryhackme.com/games/koth

There is also overthewire warzone, a private network simulating the entire ipv4 internet, where any device is fair game for hacking.

Xplore file browser

It’s trivial to replace the independent pieces of xplore, but it has so many features in one app that I just can’t let it go. It’s got dual pane file browsing, disk usage chart, smb, ftp, and many other cloud storage connections. It also handles many types of compression.

It’s become my main offline music player as well, because it has the simple ability to shuffle a folder of music, which is all I really need.

It can also view installed apps, export them to apk, and view and modify appdata (as non root!).

However, freshtomato is another router firmware, that isn’t as feature rich or well supported as opwnwrt, but is focused on supporting broadcom chipsets.

https://www.freshtomato.org/

https://wiki.freshtomato.org/doku.php/hardware_compatibility

I flashed it to my netgear router with a broadcom chipset, it works wonderfully!

What was it? I’m planning to do a nextcloud deployment via helm soon.

sn1per is not open source, according to the OSI’s definition

The license for sn1per can be found here: https://github.com/1N3/Sn1per/blob/master/LICENSE.md

It’s more a EULA than an actual license. It prohibits a lot of stuff, and is basically source-available.

You agree not to create any product or service from any par of the Code from this Project, paid or free

There is also:

Sn1perSecurity LLC reserves the right to change the licensing terms at any time, without advance notice. Sn1perSecurity LLC reserves the right to terminate your license at any time.

So yeah. I decided to test it out anyways… but what I see… is not promising.

FROM docker.io/blackarchlinux/blackarch:latest

# Upgrade system
RUN pacman -Syu --noconfirm

# Install sn1per from official repository
RUN pacman -Sy sn1per --noconfirm

CMD ["sn1per"]

The two pacman commands are redundant. You only need to run pacman -Syu sn1per --noconfirm once. This also goes against docker best practice, as it creates two layers where only one would be necessary. In addition to that, best practice also includes deleting cache files, which isn’t done here. The final docker image is probably significantly larger than it needs to be.

Their kali image has similar issues:

RUN set -x \
        && apt -yqq update \
        && apt -yqq full-upgrade \
        && apt clean
RUN apt install --yes metasploit-framework

https://www.docker.com/blog/intro-guide-to-dockerfile-best-practices/

It’s still building right now. I might edit this post with more info if it’s worth it. I really just want a command-line vulnerability scanner, and sn1per seems to offer that with greenbone/openvas as a backend.

I could modify the dockerfiles with something better, but I don’t know if I’m legally allowed to do so outside of their repo, and I don’t feel comfortable contributing to a repo that’s not FOSS.

When syncthing is configured to go both ways (the default), it also syncs any deletions. You can somewhat get around this by something like one way sync, but it’s not really a proper “backup” software.

Personally, I like to treat data synced by syncthing, even between multiple machines, as one copy of the data when I am following the 3-2-1 backup rule*, because syncthing won’t save me from a buggy program deleting all my files or user error, or anything like that.

*See wikipedia for info about the 3-2-1 backup rule.

Discord is adding ads soon. Currently, they don’t enforce the TOS violation of custom clients, but maybe after they add ads, they will begin to do so. I would be very careful with any of this.