I’ve been using tuta.io ever since I created an account with them so the change to tuta isn’t entirely new to me. Having said that, it is indeed infuriating that they do not give you the tuta.com email for free automatically, because then anyone who signs up with [email protected] essentially has a more legit email address than yours. Protonmail gave out the proton.me domain to all users for free, even to free tier users. Hopefully this generates enough noise for them to change this.
Tokelau, a necklace of three isolated atolls strung out across the Pacific, is so remote that it was the last place on Earth to be connected to the telephone—only in 1997....
Because .tk addresses were offered for free, unlike most others, Tokelau quickly became the unwitting host to the dark underworld by providing a never-ending supply of domain names that could be weaponized against internet users.
But Tokelau, with just 1,400 inhabitants, had a problem: it simply didn’t have the money or know-how to run its own domain, explains Tealofi Enosa, who was the head of Teletok for a decade before stepping down in July 2023.
After problems first arose, Zuurbier invited ministers and advisors from Tokelau to the Netherlands, paid for their flights, and explained the business’s nuts and bolts in an effort to reassure them.
What started as techies complaining to Vitale about spamming, malware, and phishing on .tk domains soon turned into more worrisome complaints from the New Zealand administrator tasked with overseeing Tokelau, asking him whether he was aware of who .tk’s users were.
In December 2022, courts in the Netherlands found in favor of an investor suing Freenom, the company that managed .tk and four other domains—those of Gabon, Equatorial Guinea, the Central African Republic, and Mali—that were subsequently added to the model it pioneered.
And in March of this year, Meta, which owns Facebook, Instagram, and WhatsApp, also sued Freenom for damages, claiming that sites hosted on .tk and the four African domains were engaging in cybersquatting, phishing, and trademark infringement.
The original article contains 3,711 words, the summary contains 226 words. Saved 94%. I’m a bot and I’m open source!
1) Cloudflare DNS mapping my domain to an Oracle Cloud VM. 2) Oracle Always Free tier, 1-core AMD VM, with Apache reverse proxy. I also have Tailscale running on this machine. You have to set up the networking rules in the OCI networking area, and set up ufw/iptables as well. So then jellyfin.whatever gets mapped to tailscale_ip:jellyfin_port at home.
My server at home runs Tailscale as well, so it has its own IP, but you can expose routes and use the same internal IP. The Jellyfin server runs here. There is a dedicated user with appropriate access to my NAS as well.
This server has a VM on it that runs Prowlarr/Sonarr/Radarr/Lidarr and qBittorrent. I have an AirVPN account running here with a kill switch, and qBittorrent is only allowed to use the Eddie interface. I port-forwarded a dedicated port on the AirVPN site and told qBittorrent to use that.
So my partner, parents, friends and I, when outside my network, can go to jellyfin.domain.whatever and log in to my Jellyfin. No ports open to the internet except 80/443 on the reverse proxy, and no IPs to remember. That will give you some things to google to get started replicating a similar setup for your needs.
You always will. Welcome to the Internet. The difference is whether or not you’ve taken steps to secure your stuff. You need to understand what this malware is looking for. It’s explicitly looking for unsecured services. Such as WordPress, SQL, etc. There are inexperienced users out there that inadvertently expose themselves. I see this type of probing at work and at home. Don’t overly stress it. My home server has been running for a decade without issues. Just keep it updated and read before you make any changes if you don’t fully understand the implications.
My home based server is behind a pfsense firewall. Runs Arch. Everything is in a non-root docker container. SELinux is enforced. All domains are routed through Cloudflare. Some use Cloudflare Zero Trust.
Size limits aren’t arbitrary. Email format translates attachments to ASCII, which makes them larger and harder to process. Mail servers need to scan and handle messages, which means they will need to impose limits to be able to work well. Back in the day when Gmail didn’t, it quickly started being abused by people using it as online storage.
Encryption is difficult to implement with a system that performs multi-point handoff, and works against some use cases like corporate use where you want virus scanning.
Try to design an alternative email system and you’ll see how quickly you start losing features that make it interesting and useful. For example, for all its faults email is very user-centric and portable, you can easily take your domain and move your addresses to a different provider. How many other communication services can you say that about?
I’ve been using mastodon for a month or two now. I never used twitter but thought I’d try it out for fun since I love this new fediverse experiment....
I think it can be helped by having sorta community tools. Like subscribing to blocklists. Users could even publish their user blocklist and someone can subscribe to it as well or just instead of subscribing to them. And we already have tools to block domains, URLs, users, magazines, so we don't have to block accounts individually. I have curated my feed quite a bit just by over time taking out stuff here and there. Heck, I will block at a group level much easier than a user level. That is, I put more scrutiny before deciding to block a user.
EU Article 45 requires that browsers trust certificate authorities appointed by governments
The EU is poised to pass a sweeping new regulation, eIDAS 2.0. Buried deep in the text is Article 45, which returns us to the dark ages of 2011, when certificate authorities (CAs) could collaborate with governments to spy on encrypted...
The only mitm that can be done is at the server itself or in a website pretending to be the requested server. But for this to work, you need to have the private and public keys of the server you want to act like.
Maybe I misunderstand what you’re saying, but since the wide majority of EU citizens use their ISP’s DNS, it’s trivial for them to mandate a domain redirection to another server which would act as a proxy of the original (and thus only need the original server’s public key).
So far, the only protections we have against that are:
Changing DNS (WAY too complicated for the average user, also brings the DNS’s own country’s censorship)
The fact that they wouldn’t have a valid certificate for it because any sensible CA would see it for what it is: a MITM.
That’s why, to my understanding, this is such a big deal. At any point, ANY EU gov (and I want to emphasise that part because it’s important in the context of this law) can request a change of DNS from their ISP’s DNS (many already do right now) and emit a fully trusted certificate for the domain they want to MITM.
The problem is that you can issue two certificates for one domain from two different CAs. Which one is valid?
If you only have one of the certificates, you also can’t know that another exists to warn the user that they might be connecting to a government-operated middleman.
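The question just above (two chain-valid certificates for the same name, which is the real one?) is what public-key pinning answers on the client side. Added Go example, not from this thread or any project: two constructed CAs both issue a certificate for example.org; ordinary chain validation accepts both once both roots are trusted, while an SPKI pin recorded for the genuine key rejects the other. Names, lifetimes and the domain are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// template builds a minimal certificate template (names and lifetimes are constructed).
func template(cn string, ca bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if ca {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
	} else {
		t.DNSNames = []string{cn}
		t.KeyUsage = x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// issue creates a fresh key pair and a certificate for tmpl signed by parent
// (self-signed when parent is nil).
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// ChainValid is the check a browser makes: does the leaf chain to any trusted root for host?
func ChainValid(leaf *x509.Certificate, roots *x509.CertPool, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}

// SPKIPin is base64(SHA-256(SubjectPublicKeyInfo)), the pin format HPKP and Chrome use.
func SPKIPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// PinMatches is the extra check a pinning client adds after chain validation.
func PinMatches(c *x509.Certificate, expectedPin string) bool { return SPKIPin(c) == expectedPin }

func main() {
	legitCA, legitKey := issue(template("Legit Public CA", true), nil, nil)
	appointedCA, appointedKey := issue(template("Appointed CA", true), nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(legitCA)
	roots.AddCert(appointedCA) // the forced trust the comments above object to
	genuine, _ := issue(template("example.org", false), legitCA, legitKey)
	other, _ := issue(template("example.org", false), appointedCA, appointedKey)
	pin := SPKIPin(genuine) // learned on first contact or shipped with the client
	fmt.Println("chain valid:", ChainValid(genuine, roots, "example.org"), ChainValid(other, roots, "example.org"))
	fmt.Println("pin matches:", PinMatches(genuine, pin), PinMatches(other, pin))
}
```

Pinning only helps a client that already knows the genuine key; spotting the second certificate from the outside is what Certificate Transparency monitoring is for.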
The problem with a government issued CA being trusted is that the government can now issue whatever certificates they want for any website, and then all they need to do is force your traffic to pass through their servers first.
And no they don’t even need to make fake website clones, they have you connect to their proxy server which has a valid cert, then they have everything plaintext to save off to look at, and they forward the connection to the original website. Reverse proxy servers to accomplish this take minutes to set up.
Removal of trust happened many times in the past. And like I said, it’s not changing anything other than making things easier. You can still add certificates to the browser trusted list if you have access to the person’s computer, which when you install any software you do. Perhaps the best middle ground would be to add certificates but make them conditional that is to say ask the user what they want to do and offer multiple options. Trust for this domain only, trust always, just this time, don’t trust.
Hey, Lemmy user in this thread: you’re likely in the top 0.1% expertise of all computer users worldwide.
This prompt is aimed at my boomer dad, who wouldn’t know what that funny icon is but read somewhere to close his apps for better speed. If his OneDrive docs disappear, I’ll get a call about it. At the same time, Microsoft probably can’t sell anything to my dad ever again, except his Office 365 subscription, so that makes him the product.
Microsoft is usually pretty good at letting tech users disable this kind of stuff with PowerShell commands or registry keys, which you already know how to do. And of course businesses join Windows PCs to domains and disable this stuff centrally too.
I made the choice of hosting some Fediverse software on a domain name I own, however that piece of software (Akkoma, upgraded from Pleroma) has since become unacceptably unstable, and I’d like to switch to something else. I read that if I’m already federating with other servers, I shouldn’t switch software on the same...
The same threat actor has leaked larger amounts of data from LinkedIn dated 2023. They claim this new data contains 35M lines and is 12 GB uncompressed....
I have set it up so that any email sent to unknown users on my domain gets redirected to my email. If you send an email to [email protected] and my real email is [email protected], I will still receive the email.
Now this is great because I will just use [email protected] and still get the email. If the email is leaked, I will know where it came from.
If you were to try and explain the Fediverse to someone, how would you explain it with its different instances? As well as explain why it is better in some ways for the future of the Internet?
The biggest difference: nothing sensitive is stored on the server. No passwords, no password hashes, just a public key. No amount of brute forcing, dictionary attacks or rainbow tables can help an attacker log in with a public key.
“But what about phishing? If the attacker has the public key, they can pretend to be the actual site and trick the user into logging in.” Only if they also manage to use the same domain name. Like a password manager, passkeys are stored for a specific domain name. If the domain doesn’t match, the passkey won’t be found.
No need to worry about password encoding, like this emoji debacle for example. Actually there’s no need to worry about passwords in general anymore, no more worries about lengths, encoding, character space, remembering them etc.
It eliminates that scam where attackers set up a site on a domain that looks like the correct one, because the domain is part of the protocol.
It eliminates phishing for 2FA because login only works on your device anyway and there’s nothing you can be tricked into giving away to an attacker.
If attackers break into a site and steal the public keys they can’t use them for anything.
Since the whole process is automated between servers and browsers and also standardized, it can be upgraded seamlessly and continuously, you can upgrade the protocol, the key lengths, the encryption ciphers etc. with zero impact for the user. New upgraded versions can be distributed to both servers and browsers and they’ll just use the highest version they both have.
2FA is a core part of the protocol, but again in a way that eliminates phishing: it’s basically a way to unlock access temporarily to one specific key in your key vault. You can use a master password, or a USB key, or TOTP codes, or biometrics (fingerprint or face) etc., but NOT cellular texts (SMS) anymore because the vault stays on your devices, no need for another party to send you anything.
Syncing your vault online and over multiple devices, as well as backup, are also a core part of the approach and will eliminate the worry that you drop your phone and you’re screwed forever.
The downside is that there’s been a whole bunch of tools and apps and services built around passwords for decades and converting all that mass to passkey tools will take a bit.
There are some other tradeoffs like, right now for example I can reasonably print all my passwords and TOTP codes on a few sheets of paper and achieve an “offline” backup in case of untimely death and so on, it’s going to be a bit more cumbersome with passkeys. But I expect there will be ways to optimize that as the technology evolves.
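The properties the comment above lists (the site stores only a public key, the passkey is scoped to one domain, a look-alike domain finds nothing, nothing phishable changes hands) in a cut-down WebAuthn-style flow. Added Go example, not the commenter's code and not a WebAuthn library: registration hands the site a public key, the vault is keyed by rpId, and the site verifies challenge, origin and rpIdHash before the signature. example.org, examp1e.org and the nonces are constructed.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// Credential is all the site stores for a user: its own rpId and a public key, nothing secret.
type Credential struct {
	RPID      string
	PublicKey *ecdsa.PublicKey
}
// Vault is the user's key store, indexed by rpId: a look-alike domain simply finds nothing.
type Vault map[string]*ecdsa.PrivateKey
type clientData struct { // browser-assembled subset of WebAuthn clientDataJSON
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}
// signedMessage is what WebAuthn signs: authData || SHA-256(clientDataJSON).
func signedMessage(authData, cdJSON []byte) []byte {
	cdHash := sha256.Sum256(cdJSON)
	msg := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return msg[:]
}
// Register creates a key pair for rpId; only the public half is handed to the site.
func Register(v Vault, rpID string) Credential {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	v[rpID] = priv
	return Credential{RPID: rpID, PublicKey: &priv.PublicKey}
}
// Assert is the authenticator side; authData starts with SHA-256(rpId) as in WebAuthn.
func Assert(v Vault, rpID, origin, challenge string) (authData, cdJSON, sig []byte, err error) {
	priv, ok := v[rpID]
	if !ok {
		return nil, nil, nil, errors.New("no passkey stored for " + rpID)
	}
	rpHash := sha256.Sum256([]byte(rpID))
	authData = append(rpHash[:], 0x01) // flags byte: user present (constructed)
	cdJSON, _ = json.Marshal(clientData{Challenge: challenge, Origin: origin})
	sig, err = ecdsa.SignASN1(rand.Reader, priv, signedMessage(authData, cdJSON))
	return authData, cdJSON, sig, err
}

// Verify is the site side: fresh challenge, origin and rpIdHash bound to the domain, then the signature.
func Verify(cred Credential, challenge string, authData, cdJSON, sig []byte) error {
	var cd clientData
	if err := json.Unmarshal(cdJSON, &cd); err != nil || cd.Challenge != challenge {
		return errors.New("malformed client data or challenge mismatch (replayed?)")
	}
	if cd.Origin != "https://"+cred.RPID {
		return errors.New("origin " + cd.Origin + " does not belong to rpId " + cred.RPID)
	}
	if rpHash := sha256.Sum256([]byte(cred.RPID)); len(authData) < 33 || !bytes.Equal(authData[:32], rpHash[:]) {
		return errors.New("rpIdHash mismatch")
	}
	if !ecdsa.VerifyASN1(cred.PublicKey, signedMessage(authData, cdJSON), sig) {
		return errors.New("signature does not verify with the stored public key")
	}
	return nil
}

func main() {
	vault := Vault{}
	cred := Register(vault, "example.org") // constructed domain
	ad, cd, sig, _ := Assert(vault, "example.org", "https://example.org", "nonce-1")
	fmt.Println("legitimate login:", Verify(cred, "nonce-1", ad, cd, sig))
	_, _, _, err := Assert(vault, "examp1e.org", "https://examp1e.org", "nonce-2")
	fmt.Println("look-alike domain:", err)
}
```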
Beyond that, sites impersonating real business FQDNs are becoming increasingly common in top search results.
These range from illicit clone sites through to malware-laden shit holes trying to trick users into downloading some virus-infested imposter.
Often enough, they’re registered via GoDaddy and use CloudFlare to obfuscate their true origin.
Many of them prey on typo-squatting, not necessarily in the domain name but rather on SEO-indexed terms that will get them into the top results. For example, microsoft.com might still be the top result for people searching up that particular company, but “micro soft” or “Microsift” among many others may lead to malicious sites in the top results.
I’ve identified a ton of these and frankly, neither GoDaddy, CloudFlare, or Google seem to give two fucks as the process for getting them scrubbed is laborious, slow, and often ineffective.
@fediverse Let's face it. When talking about the Fediverse, it is very hard to sell interoperability between different types of instances as a major advantage.
Not being able to sync has to do with the hosting and how the admin set up their instance configuration.
Depending on the software, there is usually a feature for “polling”. This is the part of the #fediverse software where an admin can set how frequent the software will push and pull content and check profiles.
They also check how active an account is, be it local or otherwise, because believe it or not, polling a less active or inactive account is also taxing on the server host.
These backend features or settings allow an instance to run. Imagine having 100 users who follow 100 users each. And the server is polling those 100 local users and the 100 users each of them follows.
Different fediverse software have taken different approaches to manage this. Some moved to another database instead of using MySQL. Some are using a different programming language instead of Ruby.
And a lot of other things we will never know about unless we look into their respective source codes.
I'm going to use the overused email analogy here, believe it or not, you don't actually receive every email sent to you. We're talking about legit emails here, they're just lost.
No technology can be perfect. Polling, sync'ing, there will always be something that will not reach you. However, developers and engineers are doing their best to minimise this (like in email land).
The way I see it, people were spoiled by silo or closed-network or closed-garden #SNS. Of course, within your own, it is easier to ensure everything is received. Like, again, in email, sending to the same domain there's a 100% guarantee it will be received. So, people expect it will be the same.
And if you explain the technical side of things, most people will run away and say, “just fix it” or “not ready for primetime”. But they never did that for the web (HTTP/S) and email (SMTP). When Chromium / Google Chrome was very buggy, everyone continued to migrate to it anyway. When developers were calling to kill IE6, corporations still use IE6 and were only forced when Microsoft seriously killed it.
Most people accept the flaws of software and services they recognise and are already using but will not accept the flaws of the fediverse. I think that's what we should understand so we can change people's minds and have a better approach.
Hmm… There is a misconception on what the #Fediverse is and what is the goal, which unfortunately is what the press are telling people.
The Fediverse is about bringing down the walls (silos / walled-garden).
It never had the goal or objective or vision to replace Twitter, Facebook, Tumblr, Instagram, Flickr, Blogspot.
The Fediverse software available today are the materialised ideas of developers who believe in a federated SocialWeb, which by the way, is the original #Web3 (not crypto). It goes all the way back to 2005 (probably earlier, I don't have my notes).
The goal was to get existing silos to open up and federate.
It's just that there are more developers who are excited about it, so we started to see serious projects related to the Fediverse. If I remember correctly, Misskey was not a Fediverse project when it first started. So, one would say Misskey was the first non-federation project that joined the fediverse network.
If these silos don't federate, it's fine too, because there are existing software and instances available.
And it has always been about choice.
If users want to stay with silo #SNS by all means. The fediverse is not here to replace them, the fediverse is here as an option and as a solution to the issues plaguing silo networks (like ads, privacy, content license, to mention a few).
That's what the fediverse is about and always has been to this day. It is never about replacing this and that, or recruiting people to switch over and encouraging them to delete their silo SNS accounts. These other things were simply the passion and convictions of the users who migrated and some of the developers who developed fediverse software; it's not part of the fediverse itself.
It's just a protocol. Again, I'll use email here. If you have a server, you can choose to install your own email software. The protocol is there. Various email software are there. OR, you can just use Yandex or Gmail or Zoho and use the custom domain feature (or use their email hosting services).
If Twitter and Facebook implement the protocol, hooray! Mission accomplished. If they don't, that's fine too.
So, yeah, people are hating that Instagram will implement the #ActivityPub protocol and join the #Fediverse network. They have valid reasons and it is understandable. However, the fediverse started to be a #WebStandard protocol to allow federation and bring back the #SocialWeb as it was intended to be.
For us who were there in 2005 already, and when the first Fediverse software and instance came online in 2008, that is still our vision and goal, to bring down the walls of silo SNS.
I want to make my own website, like a blog where I talk about tech and tutorials and such. Something like kerkour.com and lukesmith.xyz. Any ideas for simple but modern design?
I wish this were the case. I have to manage multiple WordPress sites and its backend is a sticky mess of outdated PHP conventions and plugins with very little standardization and even less thorough verification. If you’ve ever had to migrate sites or move new content from one site to another, if you’ve ever had to shift domains or deal with multi-site configurations, you will realize that WordPress makes things easy for the end-user but there’s a reason there are so many managed WordPress offerings out there.
Linuxserver.io images don’t come directly from Docker Hub any more, and I don’t know if anyone noticed or cared. They use their own domain lscr.io that redirects to the Docker repository they’re using (currently GitHub), which makes it easy for them to move the repository without breaking things for users. www.linuxserver.io/…/wrap-up-warm-for-the-winter
That approach is a good idea in general. If you’re running a medium to large size project, never directly rely on domain names you don’t control because it makes it painful to migrate to something else in the future. Even if your own domain just has a bunch of redirects (both URL redirects and email forwarding), it’s better than nothing.
Instead of a half-dozen platforms competing to own your entire life, apps like Mastodon, Bluesky, Pixelfed, Lemmy, and others are building a more interconnected social ecosystem.
(tldr: 19 sentences skipped)
In the last year or so, though, particularly after Elon Musk’s Twitter acquisition alerted users to how quickly their platforms can change or die, POSSE has gotten some traction again alongside ActivityPub and other more open ideas.
(tldr: 24 sentences skipped)
POSSE’s problems start at the very beginning: it requires owning your own website, which means buying a domain and worrying about DNS records and figuring out web hosts, and by now, you’ve already lost the vast majority of people who would rather just type a username and password into some free Meta platform.
(tldr: 15 sentences skipped)
Reece says he’s interested in building tools to aggregate and make sense of replies, likes, comments, and the rest, but it’s a much harder prospect.
(tldr: 1 sentence skipped)
Reece mentions a tool called Bridgy, which both allows cross-posting and aggregates social media reactions and attaches them to posts on your site.
(tldr: 11 sentences skipped)
Modern social networks are not a single product but a giant bundle of features, and the next generation of tools might be all about unbundling.
(tldr: 4 sentences skipped)
The original article contains 1,805 words, the summary contains 217 words. Saved 88%. I’m a bot and I’m open source!
Tbf, these days you don’t even need to do the entire weight lifting of maintaining your own website for the most part. I mean, we are users at SDF, right?
POSSE’s problems start at the very beginning: it requires owning your own website, which means buying a domain and worrying about DNS records and figuring out web hosts, and by now
You don’t need your own domain to have your own site. Sure, it’s ideal to have, but not necessary; all you need is a “community name provider” that you trust to remain trustable for as long as you care to maintain your webpage. For me, that could have been Geocities back in its time; now, well, it’s SDF. Neocities is tempting me tho
Buying your own domain I feel like it’s oversold and overblown. Domains these days barely mean shit when it comes to security, authenticity or longevity (as we’ve seen with eg.: the entire .ml fiasco, or the fact that you can very perfectly get malware from domains like Steam’s or Microsoft’s).
Tuta(nota) users, what do you think about their new setup? (tuta.com)
Have a look at their blog post but then please also look at this. What do you think?...
How a tiny Pacific Island became the global capital of cybercrime (www.technologyreview.com)
Microsoft lays hands on login data: Beware of the new Outlook (www.heise.de)
Nostr vs Mastodon
EU Article 45 requires that browsers trust certificate authorities appointed by governments (www.eff.org)
Microsoft won’t let you close OneDrive on Windows until you explain yourself (www.theverge.com)
This is Microsoft’s latest annoying addition to Windows.
How long does it take for the fediverse to "forget" an instance?
LinkedIn user data leaked: Database shows emails, profile data, phones, full names, and more confidential info. (lemmy.world)
I finally figured out how to virtualize my OPNsense firewall. Suck it, Roku. (lemmy.one)
Blocked that hard-coded Google DNS garbage.
How can you explain the Fediverse to someone? (kbin.run)
Domain Renewals (media.mas.to)
What the !#@% is a Passkey? (www.eff.org)
Security expert reveals surprising way to make your password stronger: use emojis (nypost.com)
New Google Trial Docs May Explain Why Search Sucks So Bad Now (gizmodo.com)
Simple but modern website
The Verge Takes on Self-Hosting for the Masses (www.theverge.com)
If this ActivityPub-fueled change takes off, it will break every social network into a thousand pieces (www.theverge.com)