I like to split the roles into separate VMs. I have a few VMs joined to the domain and I can house all the configs and user profiles on the DC. If I need to blow away a machine for whatever reason I do not need to recreate work. I just create a new VM and then join the domain. All the group policy tweaks apply and I don’t need to manually change settings.
Group policy lets you basically configure anything on any machine in the Active Directory domain: installed programs, installed updates, basically any settings, schedules, services, automatically adding (and limiting by users if you want) network devices like printers and storage… It’s pretty powerful, and does way more than just filesystem permissions.
Artists have finally had enough with Meta’s predatory AI policies, but Meta’s loss is Cara’s gain. An artist-run, anti-AI social platform, Cara has grown from 40,000 to 650,000 users within the last week, catapulting it to the top of the App Store charts....
ActivityPub supports alsoKnownAs and movedTo so that users can migrate their social graphs to a different server or software.
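As an added example, not code from the thread or from any ActivityPub implementation, this is the consistency check a receiving server should run before re-pointing its users from a moved account: the old actor must declare `movedTo`, and the new actor must list the old one in `alsoKnownAs`, so that a `Move` cannot redirect followers to an account the mover does not control. The actor documents, the hosts `old.example` / `new.example` and `fetch_actor()` are constructed stand-ins for the real HTTP fetches.

```python
# Constructed actor documents; the hosts are placeholders, not real servers.
OLD_ACTOR = {
    "@context": "https://www.w3.org/ns/activitystreams",
    "id": "https://old.example/users/alice",
    "type": "Person",
    "preferredUsername": "alice",
    "movedTo": "https://new.example/users/alice",
}

NEW_ACTOR = {
    "@context": "https://www.w3.org/ns/activitystreams",
    "id": "https://new.example/users/alice",
    "type": "Person",
    "preferredUsername": "alice",
    # The back-link from the new account to the old one is what shows the
    # same person controls both sides of the move.
    "alsoKnownAs": ["https://old.example/users/alice"],
}

# The same target without the back-link: a Move naming it must be refused.
NEW_ACTOR_NO_BACKLINK = {k: v for k, v in NEW_ACTOR.items() if k != "alsoKnownAs"}

# In-memory stand-ins for fetching actor JSON over (signed) HTTP.
ACTOR_STORE = {doc["id"]: doc for doc in (OLD_ACTOR, NEW_ACTOR)}
ACTOR_STORE_BROKEN = {doc["id"]: doc for doc in (OLD_ACTOR, NEW_ACTOR_NO_BACKLINK)}


def fetch_actor(actor_id, store):
    """Return the actor document for actor_id, or None if it cannot be fetched."""
    return store.get(actor_id)


def as_list(value):
    """alsoKnownAs may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def verify_move(old_id, claimed_target, store):
    """Return (ok, reason). ok is True only when origin and target agree."""
    old = fetch_actor(old_id, store)
    if old is None:
        return False, "origin actor could not be fetched"
    if old.get("movedTo") != claimed_target:
        return False, "origin does not declare movedTo for this target"
    new = fetch_actor(claimed_target, store)
    if new is None:
        return False, "target actor could not be fetched"
    if old_id not in as_list(new.get("alsoKnownAs")):
        return False, "target does not list origin in alsoKnownAs"
    if new.get("movedTo"):
        return False, "target has itself moved; refuse chained moves"
    return True, "ok"


def apply_move(following, old_id, claimed_target, store):
    """Re-point a local user's follow list from old_id to the new account,
    but only when verify_move() succeeds; otherwise leave it untouched."""
    ok, reason = verify_move(old_id, claimed_target, store)
    if not ok:
        return set(following), reason
    return {claimed_target if f == old_id else f for f in following}, reason


if __name__ == "__main__":
    follows = {"https://old.example/users/alice", "https://other.example/users/bob"}
    print(apply_move(follows, OLD_ACTOR["id"], NEW_ACTOR["id"], ACTOR_STORE))
    print(apply_move(follows, OLD_ACTOR["id"], NEW_ACTOR["id"], ACTOR_STORE_BROKEN))
```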
The annoying thing with ActivityPub is that your username/handle is tightly coupled to a particular server, and moving server requires you to change your handle. Everywhere you’ve mentioned/documented your old handle is now out of date.
Bluesky handles this a lot better. If you own a domain, you can use it with any Bluesky server by creating a TXT record for validation. Your username is the domain name - if you own example.com, you can be @example.com on Bluesky, without having to self-host it. If you move server, you don’t have to change your username. Currently there’s just one main Bluesky server but they plan to introduce federation at some point, and their protocol is already mostly designed for it.
Chat På Svenska, developed by OpenAI, is a powerful language model based on the GPT-4 architecture. It has been designed to understand and generate human-like text, making it an invaluable tool across various domains. This comprehensive guide will delve into the capabilities, applications, limitations, and future potential of...
ChatGPT Svenska Online, developed by OpenAI, is a powerful language model based on the GPT-4 architecture. It has been designed to understand and generate human-like text, making it an invaluable tool across various domains. This comprehensive guide will delve into the capabilities, applications, limitations, and future...
Hi all, the private school I work at has a tonne of old Windows 7/8 era desktops in a student library. The place really needs upgrades but they never seem to prioritise replacing these machines. I’ve installed Linux on some older laptops of mine and was wondering if you all think it would be worth throwing a light Linux distro on...
As long as you can secure them it should be fine, and as long as you can deal with the user account issues. You’ll either need to join them to your Windows domain or explain to people why they can’t use their normal username and password. You’ll probably find the kids understand it better than the teachers.
I feel like we need to talk about Lemmy’s massive tankie censorship problem. A lot of popular Lemmy communities are hosted on lemmy.ml. It’s been well known for a while that the admins/mods of that instance have, let’s say, rather extremist and one-sided political views. In short, they’re what’s colloquially referred to...
There’s no need to defederate from Lemmy.ml. I rarely see their content on the front page of Lemmy.world. The other day someone complained that Lemmy.ml users were brigading a different thread. I counted three users with a ml domain…
We have different admins and mods, everything is working as intended. The issue is people bringing up tankies, communists, and China every three posts. Yes, we get it, the benevolent people who wrote us this software are communists. They allow us to have different mods and admins, there is no problem here.
Honestly, I wouldn’t post to /c/[email protected] even though I’m happy with how pro-Palestine those people are. The only community I look at Lemmy.ml is /c/[email protected]. It’s not their fault no one posts to the Lemmy.world instance.
I think it’s time to start banning users who troll other instances and cross pollinate the fediverse with drama.
[OT; tl/dr: the issues with forums and user accounts being under hegemony of server instances is by design but it’s not actually the way one would design a truly de-centralised network]
It’s a feature but not the best practice if the idea would be forums (and users) being free of domains (and the dangers of domains being taken down, and host admins’ whims). The design approach of Lemmy however, speaks “hegemony” all over. It says a lot about the mindset of its creators.
An alternative would be indeed distributed directory systems, employing concepts like DHT … well proven de-centralized resiliency for quite a while. Would it have been done in such a way, there would be no difficulty with migrating forums and users across instances, and even a domain getting lost would not necessarily lead to all forums/accounts thereon being lost. Also the issues with link creation across instances were due to forums being bound to domain names instead of them having Universal IDs, thus being agnostic of which node they are actually hosted on.
ActivityPub, AFAIK only defines a protocol for communicating datasets between instances, not the structures in which federation should be done.
It’s a feature but not the best practice if the idea would be forums (and users) being free of domains
I don’t think the idea is for users to be free of domains. One of the key benefits of tying users to their instance is that you defederate from the users of an instance when you defederate from an instance. If users were not bound to instances, it would be hard to defederate from certain groups without manually defederating a million users. Users being tied to domains makes moderation via defederation much, much simpler.
The design approach of Lemmy however, speaks “hegemony” all over. It says a lot about the mindset of its creators.
[…]
ActivityPub, AFAIK only defines a protocol for communicating datasets between instances, not the structures in which federation should be done.
I’m not an expert on ActivityPub but I think you’re wrong about this being Lemmy’s design decision. I think ActivityPub is designed in this way and it is intentional. I mean, all other ActivityPub apps do the same thing (e.g. Mastodon users are also tied to their instance).
forums being bound to domain names instead of them having Universal IDs thus being agnostic of which node they are actually hosted on.
Just want to point out that domain names are also perfectly capable of being agnostic about nodes - i.e. you can host multiple websites on a single computer or distribute the hosting of a website across many computers. I’m not really sure what you’re saying here but I don’t know if it’s important.
Umm… I was not so very clear perhaps. The idea would still be that user accounts as well as forums all contain their domain name, as their site of origin rather than a location identifier. Just that the host could change to any other domain (after negotiation with the new host, that is). So it’s not about domains being tied to specific hosts/IPs but entities being tied to domains. It would be up for design discussion if that identifier should change or not, in the case of a migration. The idea would be to give entities the ability to roam or be resurrected from any federated copy in case they are dissatisfied with the policies of their hosts, or in the event a domain gets taken down by authoritarian actors. (That’s why this actually is off-topic here)
From my glance into the ActivityPub doc, I concluded that it’s really only about the data exchange protocol, yet I might have overlooked something as I never had an in-depth talk with people who implement the thing. Yet, just because many do it in a certain way does not mean to me that this is written in stone somewhere. :-)
Using uBlock picker (not zapper) you can block/allow elements per domain and save/revert your choices. But overall, like I already said, I agree with you that uMatrix offered a more granular and easy approach. It would be nice to see that implemented in uBlock. I nonetheless understand why it’s not the case since it would benefit only few users and may scare most of the others.
Hopefully uMatrix will work for you for a long time. For me it was not and that’s how I discovered uBlock and adapted to its “limitations”. On a daily basis it helps me browse the internet like uMatrix did. It’s just sad that uMatrix was not forked.
I have to use Windows at work. Fortunately I’m a domain admin. I’ll be disabling this shit with conventional methods, and also write a scheduled task script to whack the SQLite DB…or whatever it takes to nuke it from orbit.
For home users, there are tools like NTLite that let you create custom installation images for Windows. Hopefully those will be able to remove it completely.
W11 even enterprise users are all tied into autopilot, Intune MDM, and/or a microsoft account
The “win 11 business editions 23h2” iso that I got from visualstudio.com yesterday, did no more than the usual amount of crap to make it difficult to find the “join a domain instead”, allowing me to make a local user.
I’ve seen many instances of some software having DRM that significantly degrades the performance of the software, or worse, the performance of the entire OS due to heavy background tasks. Prime examples include Denuvo and all those Adobe background processes. Why can’t they just simply use the TPM or the other 5 security...
Perhaps this is a matter of nomenclature, but I wouldn’t have thought that enforcing a ban is part of what anti-cheat software is meant to do. Sure, the anti-cheat is what alerts the game server, and then the server bans either the account or the actual machine. But the OP’s question was about anti-cheat and DRM software that impacts system performance. Someone that’s been banned from a game will not have in-game performance issues, because they’re not able to play the game at all.
I don’t think my omission of a TPM-based ban makes my answer “not entirely true”. I stand by my statement that TPMs are not suitable for the anti-cheat or DRM functionality when a game is running, and would not solve any performance issues if they were.
With that out of the way, yes you’re right that the TPM can be used for other, ancillary purposes. The typical use is to securely store certificates uniquely issued to a machine, such that the bearer of the certificate must be the certificate’s rightful owner. This is sometimes used to authenticate to corporate VPNs or Windows AD domains. But these certificates can be replaced, which makes them useless for enforcing a ban on a particular machine.
But TPMs also have a built-in, static certificate from when they were manufactured, which can only be challenged/responded using tokens from that manufacturer. If a game maker wants to coordinate with various TPM or mobo manufacturers to achieve that level of security, they’re certainly welcome to do so. But it also alienates users who don’t have or refuse to own such hardware, exactly as you’ve described. It’s a business decision, what they choose to do. Expedited manual review for broken TPM users is still fraught with issues, since there’s now an incentive to brick your own TPM and get a second chance at cheating.
There’s no free lunch in building secure systems, and that’s why anti-cheat makers will always face the uphill battle.
domain based blocking systems are nice for a base level of ad removal, they do nothing if the ads are coming from the same domain. sponsorblock is nice, but it’s the work of volunteers to remove those ads - if YouTube’s userbase were splintered over thousands of apps it wouldn’t be feasible.
i don’t know when i have seen just text-based ads in the last 10 years. those are a non-issue, even for me. the issues are scripts, user profiling and tracking.
the big difference is: the browser gives webpages/apps a standardized environment where the user has the last word regarding what runs on it or not (if you are not using chromium anyway). in apps, the user doesn’t have that luxury, especially regarding tracking and profiling.
So my company decided to migrate office suite and email etc to Microsoft365. Whatever. But for 2FA login they decided to disable the option to choose “any authenticator” and force Microsoft Authenticator on the (private) phones of both employees and volunteers. Is there any valid reason why they would do this, like it’s...
reasons why restricting users to MS Authenticator would be preferable
As a security professional:
Under most situations, it is equally as good as any other 2FA app.
Within the Microsoft ecosystem, it provides additional security features above and beyond simple 2FA.
If your workplace is leaning heavily on the Microsoft ecosystem, especially their cloud offerings like Azure, then restricting employees to the Microsoft app is a no-brainer, and actually quite reasonable.
For example, if they happen to have a hybrid domain with an on-prem domain controller syncing with Azure (forgive me for using obsolete terms, I’m a greybeard), then they can control all access to all company assets, including 2FA. If an employee leaves the company, they can also disable the Microsoft app at a moment’s notice by disabling the employee’s Microsoft account. Because everything is hooked into Azure, it sends push notifications down to all company assets - like the Microsoft 2FA app - to unhook all of the company’s credentials and prevent employee access after the fact.
I moved off a Synology NAS to a self-managed machine and one thing I still struggle to replace is something like a synology drive. Here are my requirements:...
I don’t have a full answer to snapshots right now, but I can confirm Nextcloud has VFS support on Windows. I’ve been working on a project to move myself over to it from Syno drive. Client wise, the two have fairly similar features with one exception - Nextcloud generates one Explorer sidebar object per connection, which I think Synology handles as shortcuts in the one directory. I’d prefer if NC did the latter or allowed me to choose, but I’m happier with what I got for now.
As for the snapshotting, you should be able to snapshot the underlying FS/DB at the same time, but I haven’t poked deeply at that. Files I believe are plain (I will disassemble my nextcloud server to confirm this tonight and update my comment), but some do preserve version history so I want to be sure before I give you final confirmation. The Nextcloud root data directory is broken up by internal user ID, which is an immutable field (you cannot change your username even in LDAP), probably because of this filesystem.
One thing that may interest you is the external storage feature, which I’ve been working on migrating a large data set I have to:
can be configured per-user or system-wide
password can be per-user, system-wide, or re-use the login password on the fly
data is stored raw on an external file server - supports a bunch of protocols, off hand SMB, S3, WebDAV, FTP
shows up as a normal-ish folder in the base user folder
can template names, such as including your username as part of the share name
Nextcloud does not independently contribute versioning data to the backend file server, so the only version control is what your backing server natively implements
I use LDAP user auth to my nextcloud, with two external shares to my NAS using a pass-through session password (the NAS is AD joined to the same domain as Nextcloud uses for LDAPS). I don’t know if/how the “store password in database” option is encrypted, but if anyone knows I would be curious, because using session passwords prevents the user from sharing the folder to at least a federated destination (I tried with my friend’s NC server, haven’t tried with a local user yet but I assume the same limitations apply). If that’s your vibe, then this is a feature XD.
One of my two external storage mounts is a “common” share with multiple users accessing the same directory, and the second share is \\nas.example.com\home\nextcloud. Internally, I believe these are handled by PHP spawning smbclient subprocesses, so if you have lots of remote files and don’t want to nuke your Nextcloud, you will probably need to increase the PHP child limits (that took me too long to solve lol)
That funny sub-mount name above handles an edge case where Nextcloud/DAV can’t handle directories with certain characters - notably the # that Synology uses to expose their #recycle and #snapshot structures. This means that remote mount to SMB has a limitation at the moment where you can’t mount the base share of a Synology NAS that has this feature enabled. I tried a server-side Nextcloud plugin to try to filter this out before it exposed to DAV, but it was glitchy. Unsure if this was because I just had too many files for it to handle thanks to the way Synology snapshots are exposed or if it actually was something else - either way I worked around the problem for now by not ever mounting a base share of my Synology NAS. Other snapshot exposure methods may be affected - I have a ZFS TrueNAS Core, so maybe I’ll throw that at it and see if I can break Nextcloud again :P
Edit addon: OP just so I answer your real question when I get to this again this evening - when you said that Nextcloud might not meet your needs, was your concern specifically the server-side data format? I assume from the rest of your questions that you’re concerned with data resilience and the ability to get your data back without any vendor tools - that it will just be there when you need it.
Without knowing how, not really. If it’s a massive multi-device botnet, like Mirai, for example, that’s millions of individual devices across millions of addresses, so it isn’t so simple as just blocking a domain. Trying to block all of them might well just block legitimate users.
Request limits also wouldn’t work if it’s millions of devices making a few requests at once, and an overall limit would have a similar locking-out effect as blocking everything. Especially if the DDoS is taking up most/all of that limit.
I often read suggestions to use something like Tailscale (…) safer than opening a port for WireGuard (WG)
I guess someone is trying really hard to upsell Tailscale there. But anyways it all comes down to how you configure things, Tailscale might come with more sensible defaults and/or help inexperienced users to get things working in a safe way. It also makes it easier to deal with the dynamic address at home, reconnects and whatnot.
Specifically about Wireguard, don’t be afraid to expose its port because if someone tries to connect and they don’t authenticate with the right key the server will silently drop the packets. An attacker won’t even know there’s something listening on that port / it will be invisible to typical IP scans / will ignore any piece of traffic that isn’t properly encrypted with your keys.
If my VPS is compromised, wouldn’t the attacker still be able to access my local network? How does using an extra layer (the VPS) make it safer?
The extra layer does a couple of things, the most important might be hiding your home network IP address because your domains will resolve to the VPS public IP and then the VPS will tunnel the traffic to your network. Since your home IP isn’t public nobody can DDoS your home network directly nor track your approximate location from the IP. Most VPS providers have some security checks on incoming traffic, like DDoS detection, automatically rate limit requests from some geographies and other security measures that your ISP doesn’t care about.
Besides that, it depends on how you setup things.
You should NOT have a WG tunnel from the home network to the VPS with fully unrestricted access to everything. There should be firewall rules in place, at your home router / local server side, to restrict what the VPS can access. First configure the router / local VPN peer to drop all incoming traffic from the VPN interface, then add exceptions as needed. Imagine you’re hosting a website on the local machine 10.0.0.50, incoming traffic from the VPN interface should only be allowed to reach 10.0.0.50 port 80 and nothing else. This makes it all much more secure than just blunt access to your network and if the VPN gets compromised you’ll still be mostly protected.
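As an added example (not from the comment above or any project), this models the “drop everything from the VPN interface, then add exceptions” policy on a few sample packets, including the blunt unrestricted variant the comment warns against, and renders the same policy as an nftables ruleset for the home-side peer. The address 10.0.0.50:80 is the comment’s; the interface name `wg0` and the table/chain names are assumptions.

```python
from dataclasses import dataclass

VPN_IFACE = "wg0"          # assumed WireGuard interface name on the home side
WEB_SERVER = "10.0.0.50"   # the one LAN host the comment wants reachable
WEB_PORT = 80


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrived on
    dst: str     # destination IPv4 address
    proto: str   # "tcp" or "udp"
    dport: int   # destination port


@dataclass(frozen=True)
class Allow:
    dst: str
    proto: str
    dport: int

    def matches(self, pkt: Packet) -> bool:
        return (pkt.dst, pkt.proto, pkt.dport) == (self.dst, self.proto, self.dport)


# The only exception the comment calls for: TCP/80 on the web host.
ALLOW_LIST = [Allow(WEB_SERVER, "tcp", WEB_PORT)]


def evaluate(pkt: Packet, allow_list=ALLOW_LIST, vpn_default="drop") -> str:
    """Verdict for one packet. Traffic that did not arrive through the tunnel
    is outside this policy ("unaffected"); tunnel traffic is accepted only if
    an Allow entry matches, otherwise it gets vpn_default. Passing an empty
    allow_list with vpn_default="accept" reproduces the blunt, unrestricted
    tunnel the comment argues against."""
    if pkt.iface != VPN_IFACE:
        return "unaffected"
    if any(rule.matches(pkt) for rule in allow_list):
        return "accept"
    return vpn_default


def render_nft(allow_list=ALLOW_LIST) -> str:
    """Render the policy as an nftables ruleset. The exceptions are placed in
    the forward chain (web host is another LAN machine behind the peer) and in
    the input chain (web host is the VPN peer itself). Replies to connections
    the home side opened over the tunnel are allowed via conntrack state."""
    excepts = "\n".join(
        f'        iifname "{VPN_IFACE}" ip daddr {a.dst} {a.proto} dport {a.dport} accept'
        for a in allow_list
    )
    chain_body = (
        f'        iifname "{VPN_IFACE}" ct state established,related accept\n'
        f"{excepts}\n"
        f'        iifname "{VPN_IFACE}" drop\n'
    )
    return (
        "table inet vpn_ingress {\n"
        "    chain forward {\n"
        "        type filter hook forward priority 0; policy accept;\n"
        f"{chain_body}"
        "    }\n"
        "    chain input {\n"
        "        type filter hook input priority 0; policy accept;\n"
        f"{chain_body}"
        "    }\n"
        "}\n"
    )


if __name__ == "__main__":
    for pkt in (Packet("wg0", WEB_SERVER, "tcp", 80), Packet("wg0", WEB_SERVER, "tcp", 22),
                Packet("wg0", "10.0.0.1", "tcp", 80), Packet("eth0", WEB_SERVER, "tcp", 22)):
        print(pkt, "->", evaluate(pkt))
    print(render_nft())
```

Load the rendered ruleset with `nft -f` on the home-side peer after reviewing it; the Python model only predicts verdicts, it does not touch the kernel.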
I was confused as these two people are on different sub-domains of bsky.social (url after the @ symbol). Does this mean they are on different instances? AFAIK most Mastodon servers I see have different domains (specifically, different combination of top level domain and second level domain).
EDIT: I see, their user name is the subdomain, and things before @ is their display name. Not the most conventional system, but it makes sense.