Snowplow8861

Snowplow8861 ,

Yes. How can you sit and turn 180 on only your waist. This is just a joke.

Snowplow8861 ,

Who needs 20! Lol. Says more about me than you.

Snowplow8861 ,

First of all it clearly says counter clockwise so like first of all don’t rotate it clockwise like I did. Then secondly google image search rick roll. Thirdly consider the methods and time people go to to land a joke. Like I wonder if it was assisted by AI to just obfuscate it just enough to not be obvious.

Anyway I had to go to the comments too but mostly because I didn’t read the instructions.

Snowplow8861 ,

Plex was how last pass got hacked. howtogeek.com/…/lastpass-data-breach-shows-why-pl…

You still need to do stuff even if it is plex.

Snowplow8861 ,

Sure was! You need to be on top of paid and free and open source software from a security standpoint. There’s no shortcut no matter what you think you’re paying for. Your threat model might be better when the service automates a web proxy for you, but that’s only one facet. You trade problems but should never feel like you can “set and forget”. Sometimes it’s better for you to do it yourself because there’s no lying about responsibilities that way.

Snowplow8861 ,

To back off your post, does anyone have one for Australia?

Snowplow8861 ,

I don’t think that works on my Samsung TV, or my partner’s iPad though. :)

Although not especially effective on the YouTube front, it actually increases network security just by blocking api access to ad networks on those kinds of IoT and walled garden devices. Ironically my partner loves it not for YouTube but apparently all her Chinese drama streaming websites. So when we go travel and she’s subjected to those ads she’s much more frustrated than when she’s at home lol.

So the little joke, while not strictly true, is pretty true if you just say ‘streaming content provider’.

Snowplow8861 ,

Go watch “the cost of concordia” by the same guy :)

If you haven’t already that is.

Snowplow8861 ,

Five words into the article says

Apple’s internal presentation from 2013

Literally at the top under TL;DR

Weird error copying MKV file

I have some locally stored media I was copying between drives and one mkv file gave this error: error reading ‘video1.mkv’: Input/output error and only copied 176/256 MiB; the copied file plays the video only up to a certain point before abruptly closing; I can play the original file fine albeit there is a noticeable hitch at...

Snowplow8861 ,

Is the copied file going to a usb? Is the usb fake? Otherwise I’m pretty sure your source is bad. Probably the disk sector if you’re sure the file was at some point complete.

Something like btrfs probably does block cloning or similar so a copy to the same disk probably just points at the same disk blocks as the original.

ffmpeg -v error -i file.avi -f null - 2>error.log

Check the source probably

Snowplow8861 ,

This article was hard to read, based on zero facts they’ve determined experience factors like battery life and performance which all depends on more than just hardware.

Then setting the conversation again argumentatively like valve doesn’t win no matter who makes a clone, is just ignorant. Valve wins by making a store that sells. They could even sell for a loss.

I went to that article to get information and read hype and antagonism. I came away frustrated.

Snowplow8861 ,

Many of those types, while having great brightness and reduced image burn-in, actually have terrible quality images. E.g. no HDR, some may only be 30 Hz, some may have a contrast ratio which is so low you’ll just be sad to watch a movie on it looking at a black-grey mush.

Though like all things, there’s a gradient. Some of the conference room monitor panels can be better but often >3x more expensive than the consumer model due to much better warranty (eg same day parts).

So I don’t have any advice here, just a bit of warning with experience with being around Zoom, Teams, and display walls from an IT solutions perspective, though generally I use AV partners for model selection and installation on any meaningfully sized conference/boardroom or special application, e.g. stages.

Prowlarr VPN/proxy advice

Been having a frustrating but rewarding time setting up my first server with some advice from you all. Learned a lot and feel like I’m almost there with a lot of it. One thing I’ve really been struggling with is public indexers on Prowlarr. In the UK I can only access them behind a VPN but Prowlarr can’t access the rest of...

Snowplow8861 ,

There have been a few cases where ports are blocked. For example on many residential connections port 25 is blocked. If you pay and get a static IP this often gets unblocked. Same with port 10443 on a few residential services. There’s probably more but these are issues I’ve seen.

If you think about how trivial these are to bypass, but also that often aligns to fixing the problem for why they’re blocked. Iirc port 10443 was abused by malicious actors when home routers accepted NAT-PMP from, say, an unpatched QNAP. Automatically forwarding inbound traffic on 10443 to the NAS which has terrible security flaws and was part of a widespread botnet. If you changed the web port, you probably also are maintaining the QNAP maybe. Also port 25 can be bypassed by using STARTTLS authenticated mail on 587 or 465 and therefore aren’t relaying outbound mail spam from infected local computers.

Overall fair enough.

Snowplow8861 , (edited )

It’s paraphrasing Torvalds himself though. It’s a cheeky title.

“… and I have absolutely no excuses to delay the v6.6 release any more, so here it is,”

Windows deployment

I’m new to Windows deployments, and I need some help. I’ve gotten as far as setting up a new system from a Windows 11 image downloaded from MS, configuring it/installing software, and then running sysprep. I made a WinPE boot thumbdrive, but I’m stuck at capturing the Windows image part. Part of my problem is that I’m...

Snowplow8861 ,

Just to add more confusion, we are removing MDT from all customers and replacing with Intune using the already created JSON templates we have plus then also deploying Chocolatey with Intune then calling PowerShell from Intune to install other software. I’d say only 20% of our customers have on-premise AD, the other 80% are all Microsoft Business Premium licensed unless over 300 staff, and that’s why we have been transitioning customers to only that for the last few years.

MDT is the right tool for AD on premises though so don’t be dissuaded from that, just more, you should know.

Snowplow8861 ,

Oh because if an application doesn’t exist natively in Azure, i.e. not a MS Store app, then you can only deploy by uploading the MSI which of course is one version. At an MSP with thousands of devices in dozens if not a hundred tenancies, and new software versions being released daily, you need something that will update all that.

Chocolatey is just for the poorer customers, a best effort, ImmyBot for SOE management though if the customer is full. Whenever Microsoft finishes getting their own repository fixed though, using winget could be the new Chocolatey. Right now it doesn’t do patching or at least it didn’t 12 months ago. It could install and report but not update.

So thinking of solution life cycle you want something that doesn’t need tons of manual intervention, and you can use PDQ or Chocolatey or ImmyBot or whatever. Microsoft can handle its first party software suites and RMM deployment but 3rd party at this stage is just not good enough.

Hope that helps

Snowplow8861 ,

Does it connect to the same ArcGIS BIM servers so I can work with my coworkers, in real architecture projects?

Snowplow8861 ,

Mm, not quite, when say having 60+ staff work in a single building model you need something that allows object locking so staff can work on part of a building and check it in and out.

I’m not the architect, I’m the sysadmin that designs and builds the server/network infrastructure for a half dozen architecture firms, some which have over 300 architects spread around Australia, Europe, and South East Asia. That mostly means running up servers to host BIM and BIM cache servers, as well as maintaining PIM servers.

To be honest I quizzed you because I honestly never heard of it and my life revolves around both Revit and BIM 360, Revit and Revit self hosted BIM servers, or Archicad. Not that I do anything much in them, BIM managers generally administrate their own BIM instances and their teams. But some of the projects are in the billions of dollars that you’ll find featured on The B1M YouTube channel.

I’d argue that while the architects themselves are by far the largest cost, the largest IT cost is the modelling software. I’ve even had some people using Unreal Engine to do parts of their work now especially for customer facing flythrough demonstrations and city view with time of day and all that.

So I’m pretty open minded to keeping my ears open to new software since I’m never sure what to expect. It would be interesting to see if it could ever be possible to do one of these megaprojects in open source. But my gut says it’s unlikely.

Snowplow8861 ,

They’ll be in a hardware security module, just like the computer should be storing encryption keys with the TPM. Tbh I don’t know what’s actively implemented but definitely on the devices I manage in MDM they’re non-compliant without that. I’m sure you probably can get cheap devices without though. Just like you can get home level laptops without TPM.

Snowplow8861 ,

Being free on Cloudflare makes it widely adopted quickly likely.

It’s also going to break all the firewalls at work which will no longer be able to do DNS and HTTP filtering based on set categories like phishing, malware, gore, and porn. I wish I didn’t need to block these things, but users can’t be trusted and not everyone is happy seeing porn and gore on their co-workers’ screens!

The malware and other malicious site blocking though is me. At every turn users will click the Google prompted ad sites, just like the KeePass one this week.

Anyway all that’s likely to not work now! I guess all that’s left is to break encryption by adding true MITM with installing certificates on everyone’s machines and making it a proxy. Something I was loath to do.

Snowplow8861 ,

Didn’t understand that by willing you meant wanting.

Snowplow8861 ,

You should be using machine wide installers not user appdata installers. Are you not?

Snowplow8861 ,

So aside from using machine wide installers and ensuring that users are licensed for those products, you also need to set up enterprise roaming.

By the way, Intune policies if they aren’t changing don’t take 8 hours to propagate to the machine, they take hours to propagate world wide like group policy takes hours to propagate in international sized AD forests.

So if you’ve got your Intune policy set to auto sign in OneDrive and Teams and whatever apps, assuming all your devices are Intune registered, that setting doesn’t take hours to get to the machine. It’s immediate on first login. If you change that setting, it’s some hours to get it across every single machine. By the way in my experience, generally 80% of the time with a forced sync from the Company Portal app you should deploy with Intune, it’s practically as fast as gpupdate. There’s a few times where you need to patiently wait 15 minutes but you can see that if you name your configuration profile like (v12) and you’ll see it’s either still (v11) or immediately (v12) and you stuffed a setting and it’s still not working.

CGNAT blocking external access to NAS. Looking to address this plus more.

For my first goal, I want to get around my ISP’s CGNAT so I can access my NAS outside my network. Tailscale doesn’t work. Attempting to access my NAS always goes through their relays. From what I’ve gathered, a VPS is a good way to get around this so I got the basic $1/mo Racknerd KVM VPS. I’d like a performant way to...

Snowplow8861 ,

Are you sure? Did you want to troubleshoot this or did you just want to give up?

I’ve got two Synology NAS connected to each other directly for Hyper Backup replications at clients because both units are on CGNAT ISPs and there’s no public IP. And it just works.

Snowplow8861 ,

After I followed the instructions and having 15 years of system administration experience. Which I was willing to help but I guess you’d rather quip.

From my perspective unless there’s something that you’ve not yet disclosed, if WireGuard can get to the public domain, like a VPS, then Tailscale would work. Since it’s mechanically doing the same thing, being WireGuard with a GUI and a VPS hosted by Tailscale.

If your ISP however is blocking ports and destinations maybe there are factors in play, usually ones that can be overcome. But your answer is to pay for mechanically the same thing. Which is fine, but I suspect there’s a knowledge gap.

Who here uses a less popular Linux distribution? What made you choose it?

Hey fellow Linux enthusiasts! I’m curious to know if any of you use a less popular, obscure or exotic Linux distribution. What motivated you to choose that distribution over the more mainstream ones? I’d love to hear about your experiences and any unique features or benefits that drew you to your chosen distribution.

Snowplow8861 ,

I use Ubuntu, it’s the default for ROS. I tried Debian but the instructions didn’t work instantly so I just as quickly gave up and went back to Ubuntu since I was busy. Lol.

Snowplow8861 ,

It’s impossible to tell, because they fired all the people who were counting.

Snowplow8861 ,

Yes, but first go check which list you want to use since they’re a good starting point to understand a kind of level of tolerance and expectations around your experience.

There’s lots of lists around; here’s a small sample:
arstech.net/pi-hole-blocking-lists-2023/

Be prepared for a bump in time outs as you work through things you might need (I blocked by accident a bunch of needed Microsoft services that I need to use during my job).

I haven’t edited my white list in months, maybe over a year. It’s going very well. I’ve been running Pi-hole on Ubuntu for more than 5 years as two virtual machines. I’m happy.

Snowplow8861 ,

Because you can pay for extended security updates, yes. Looking at defence and government globally, this is true of systems including XP.

"Fair" coin flips appear to not be all that fair (arxiv.org)

The paper shows some significant evidence that human coin flips are not as fair as I would have expected (plus probably a bunch of people would agree with me). There’s always some probability that this happened by chance, but this is pretty low....

Snowplow8861 ,

I think the question is, where can you bet on a single coin flip? Maybe because I’m Australian, there’s only one day a year you can bet on a (two) coin flip legally here. Everyone else seems to generally understand that coin flips aren’t fair for gambling and therefore is illegal.

If this paper was like ‘this is how corruption in sports…’ rather than ‘this is like that magician cup and balls trick’ then I’d understand your concern.

But like you said, you don’t even have a coin in the house, so the practical side is day to day, perhaps not even once a year, not only are you not deciding on a coin flip, even if you were, you’d (or whomever was flipping it for you) have to learn a technique to see it affect you.

Snowplow8861 ,

To be honest I think we have different cultural values here. The way I read this and the way you read it is clearly different. I’m disappointed by how little I had my expectations changed, while you had them moved more.

Snowplow8861 ,

When the horses have all bolted, BBC is the one to close the barn door.

Snowplow8861 ,

I’m not in America but the organisation for NIST recommends it in guidance now and it’s getting backing by the NSA

nsa.gov/…/nsa-releases-guidance-on-how-to-protect…

zdnet.com/…/nsa-to-developers-think-about-switchi…

malwarebytes.com/…/nsa-guidance-on-how-to-avoid-s…

I see this becoming required in the future for new projects and solutions when working for new government solutions. The drum is certainly beating louder in the media about it.

Are we the only shop with constant login bullshit on Office 365 desktop apps?

We are facing constant problems with the desktop apps in O365, whether it’s RDS servers that somehow are Azure joined by a user from login 1001 errors to modern authentication Windows that automatically disappear or other generic error 1001 logon bullshit. We have a tome of registry bullshit with shit like EnableADAL to...

Snowplow8861 ,

Hey, sorry to say but not seeing this at all. About 60 customers, each between 30-200 staff, in Australia region. Almost all of them have reasonable conditional access policies managing maximum login times per app, requirements for device compliance for data sync and geo-restrictions and longer login times for known sites, as well as standard MFA requirements.

I’d say there’s something else in your stack. We monitor many of our customers with 3rd party tools too, including Arctic Wolf for SIEM/SOC alerts and triage and isolation if AAD accounts are breached. SentinelOne with integration in AAD too. Though personally I feel like most medium and small businesses would be better served with the already included Defender for Business. A topic for a different day.

But no unusual requirement for cleaning cache and such to ensure the policies we configure act as we expect.

I’ve seen different tenants act differently of course in the past. But nothing right now I can suggest. I’d personally start doing a/b testing and reviewing all logs relative and see what impact before and after has on logs.

Anyway sounds frustrating so good luck.

Snowplow8861 ,

I’ve seen something similar to this before in remote desktop servers where user redirected printers end up bloating registries to the point login times exceed processing limits and so not all the configuration in the registry or group policy gets processed. Each redirected printer gets created and never purged, and it’s unique to that RDP session so they are duplicated to infinity over time. Glad you found it out, the only point with the complexity is I was trying to explain that it being complex doesn’t mean it won’t be robust if it’s still implemented without conflicts so you can rule that out (if you’ve ruled out conflicts). Sounds like you found the culprit in the end! Good work.

Snowplow8861 ,

It’s possible to host a DNS server for your domain inside your tailnet, and offer DNS responses like: yourwebserver.yourdomain.com = tailnetIP

Then using certbot with Let’s Encrypt, the DNS challenge and the API for your public DNS provider, you can get a trusted certificate and automatically bind it.

Your tailnet users, if they use your internal DNS server, will resolve your hosted service on your private tailnet IP and the bound certificate name will match the host name and everyone is happy.

There’s more than one way though, but that’s how I’d do it. If you don’t own a domain then you’ll need to host your own private certificate authority and install the root authority certificate on each machine if you want them to trust the certificate chain.

If your family can click the “advanced >continue anyway” button then you don’t need to do anything but use a locally generated cert.

Snowplow8861 ,

Not possible without a domain, even just “something.xyz”.

The way it works is this:

  • Your operating system has some trusted root certificate authorities’ root certificates installed from installation of the OS. All OSes have this: Linux, Windows, iOS, macOS, Android, BSD.
  • When your browser goes to a web URL and it is an HTTPS encrypted site it reads the certificate.
  • The certificate has a certificate subject name on it. It also may optionally have some alternative names.
  • The browser then checks if the subject name matches the web URL address. If it does, that’s check one.
  • Next it checks the certificate validity: it looks at the certificate chain of trust to see if it was signed by an intermediary and then the intermediary was signed by a root certificate authority. Then it can check if any certificate has been revoked along the way.
  • If that’s all good, then you’ll open without a single warning, and you browse web sites all day long without any issue.

Now, to get that experience you need to meet those conditions. The machine trying to browse to your website needs to trust the certificate that’s presented. So you have a few ways as I previously described.

Note there’s no reverse proxy here. But it’s also not a toggle on a Web server.

So you don’t need a reverse proxy. Reverse proxies allow some cool things but here’s two things they solve that you may need solving:

  • When you only own one public IP but you have two web servers (both listening on 443/80), you need something that looks at incoming requests and identifies, based on the HTTP request from the client connecting in, ‘oh you’re after website A’ and ‘you’re after website B’.
  • When you have two web servers running on a single server, you have to have each web server listening on different ports so you might choose 444/81 for the second web server. You don’t want to offer those non-standard ports to the public so instead you route traffic via a reverse proxy inbound and it listens for both web servers on 80/443 and translates it back to the server.

But in this case you don’t really need to if you have lots of IPs, since you’re not offering publicly, you’re offering over Tailscale and both web servers can be accessed directly.
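
The two checks from the list above (name match, then chain to an installed root, then revocation), written out as an added Python example that is not code from the thread or from any project mentioned in it. The CA, intermediate and host names are constructed placeholders, and the chain walk models only the issuer-to-subject linkage, not the signature verification a real client performs. It also reflects one detail that matters when you run your own private CA: current browsers match the host only against subjectAltName entries and ignore the Common Name, so a certificate without a SAN fails check one.

```python
import ipaddress


def _label_matches(pattern: str, label: str) -> bool:
    # A wildcard is honoured only as the entire left-most label ("*.example.com").
    # Labels are compared one by one, so a wildcard never spans a dot:
    # "*.example.com" does not cover "a.b.example.com".
    if pattern == "*":
        return label != ""
    return pattern == label


def hostname_matches(hostname: str, san_dns: list[str]) -> bool:
    """Check one: does the host in the URL match a dNSName SAN on the certificate?"""
    host = hostname.rstrip(".").lower()
    try:
        ipaddress.ip_address(host)
        return False  # an IP literal needs an iPAddress SAN; dNSName entries never match it
    except ValueError:
        pass
    host_labels = host.split(".")
    for name in san_dns:
        labels = name.rstrip(".").lower().split(".")
        if len(labels) != len(host_labels):
            continue
        partial = any("*" in lab and lab != "*" for lab in labels)  # "f*o.example.com"
        inner = "*" in labels[1:]                                   # "www.*.example.com"
        too_broad = labels[0] == "*" and len(labels) < 3            # "*.com"
        if partial or inner or too_broad:
            continue
        if all(_label_matches(p, h) for p, h in zip(labels, host_labels)):
            return True
    return False


def chain_to_trusted_root(leaf: dict, intermediates: list[dict], roots: set[str]) -> list[str]:
    """Check two (structure only): follow issuer -> subject from the leaf until a root the
    client has installed is reached. Returns the ordered subjects, or [] when the chain
    does not end in a trusted root (that is the 'your connection is not private' page)."""
    by_subject = {c["subject"]: c for c in intermediates}
    path, current, seen = [leaf["subject"]], leaf, set()
    while current["issuer"] not in roots:
        nxt = by_subject.get(current["issuer"])
        if nxt is None or nxt["subject"] in seen:  # missing link, or a loop
            return []
        seen.add(nxt["subject"])
        path.append(nxt["subject"])
        current = nxt
    path.append(current["issuer"])
    return path


def browser_would_accept(hostname, leaf, intermediates, roots, revoked=frozenset()):
    """Name match, then chain, then revocation. Revocation is keyed on subject here as a
    simplification; real clients key on issuer + serial number via CRL/OCSP."""
    if not hostname_matches(hostname, leaf.get("san_dns", [])):
        return False
    path = chain_to_trusted_root(leaf, intermediates, roots)
    if not path:
        return False
    return not any(subject in revoked for subject in path)


# Constructed sample: a private root CA signs an issuing CA, which signs the NAS cert.
ROOT_SUBJECT = "CN=Home Private Root CA"
INTERMEDIATE = {"subject": "CN=Home Issuing CA", "issuer": ROOT_SUBJECT}
NAS_CERT = {"subject": "CN=nas.home.example", "issuer": "CN=Home Issuing CA",
            "san_dns": ["nas.home.example", "*.svc.home.example"]}
CN_ONLY_CERT = {"subject": "CN=nas.home.example", "issuer": "CN=Home Issuing CA",
                "san_dns": []}  # CN only, no SAN: rejected by current browsers
TRUSTED_ROOTS = {ROOT_SUBJECT}  # what installing the root certificate adds on each client

if __name__ == "__main__":
    for cert in (NAS_CERT, CN_ONLY_CERT):
        print(cert["san_dns"],
              browser_would_accept("nas.home.example", cert, [INTERMEDIATE], TRUSTED_ROOTS))
```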

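The name-based routing from the first reverse proxy bullet above, as an added Python example that is not from the thread: choose_backend() is the Host-header decision, and running the module starts a minimal HTTP/1.1 proxy on port 8080 that forwards each request to whichever backend the client’s Host header names. The site names and backend ports are constructed placeholders, and the two backend web servers are assumed to be running separately.

```python
import http.client
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed routing table: both sites share one listener on 80/443 (8080 here),
# and the second server's non-standard port is never exposed to clients.
ROUTES = {
    "nas.home.example": ("127.0.0.1", 5000),
    "media.home.example": ("127.0.0.1", 5001),
}


def choose_backend(host_header, routes=ROUTES):
    """Pick the backend for a Host header; None means 'no such site' (answered with 421)."""
    if not host_header:
        return None
    if host_header.startswith("["):
        return None  # IPv6 literal such as [::1]:8080, never a named site
    host = host_header.split(":", 1)[0].strip().lower().rstrip(".")
    return routes.get(host)


class ProxyHandler(BaseHTTPRequestHandler):
    protocol_version = "HTTP/1.1"

    def _forward(self):
        backend = choose_backend(self.headers.get("Host"))
        if backend is None:
            self.send_error(421, "Unknown site")
            return
        length = int(self.headers.get("Content-Length") or 0)
        body = self.rfile.read(length) if length else None
        conn = http.client.HTTPConnection(*backend, timeout=10)
        try:
            # The original Host header is passed through so the backend sees the site name.
            conn.request(self.command, self.path, body=body, headers=dict(self.headers))
            resp = conn.getresponse()
            data = resp.read()
            self.send_response(resp.status, resp.reason)
            for name, value in resp.getheaders():
                if name.lower() not in ("transfer-encoding", "connection"):
                    self.send_header(name, value)
            self.send_header("Content-Length", str(len(data)))
            self.end_headers()
            self.wfile.write(data)
        except OSError as exc:
            self.send_error(502, f"Backend unreachable: {exc}")
        finally:
            conn.close()

    do_GET = do_POST = do_PUT = do_DELETE = _forward


if __name__ == "__main__":
    ThreadingHTTPServer(("0.0.0.0", 8080), ProxyHandler).serve_forever()
```
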
Snowplow8861 ,

Just fyi, as a sysadmin, I never want logs tampered with. I import them, filter them and the important parts will be analysed no matter how much filler debugging and info level stuff is there.

Same with network captures. Modified pcaps are worse than garbage.

Just include everything.

Sorry you had a bad experience. The customer service side is kind of unrelated to the technical practice side though.

Snowplow8861 ,

It’s totally fine to bulk replace some sensitive things like specifically sensitive information with “replace all” as long as it doesn’t break parsing, which happens with inconsistency. Like if you have a server named “Lewis-Hamiltons-Dns-sequence” maybe bulk rename that so it’s still clear: “customer-1112221-appdata”.

But try to differentiate ‘am I ashamed’ or ‘this is sensitive and leaking it would cause either a PII exfiltration risk or security risk’ since only one of these is legitimate.

Note, if I can find that information with dns lookup, and dns scraping, that’s not sensitive. If you’re my customer and you’re hiding your name, that I already invoice, that’s probably only making me suspicious if those logs are even yours.

Ask Lemmy: Traditional vs natural mouse scrolling; which do you use?

Despite being a heavy cell phone user for more than 25 years, it only recently occurred to me that vertical navigation on most phones is inverted when compared to traditional computers. You swipe down to navigate upward, and up to navigate downward. I recently spent time using a MacBook, which apparently defaults to this...

Snowplow8861 ,

Start realising that the way you’re used to scrolling with your mouse wheel, is a cog between you and the service it’s moving. Actually you were using natural all along. It was the early touch pads that were wrong and nonsense.

Asking advice for home storage configuration

Hi all. I’m trying to choose a configuration for my home storage. Speed is not a priority, I want a balance of stability and performance. I was thinking of making a raid 6 array with an ext4 file system for 4 disks of 2 TB each. Asking for advice, will this configuration be optimal?...

Snowplow8861 ,

ZFS is excellent. It’s enterprise and designed to suit the whole “I’ve got 60 disks filling up a 4RU top loaded SAN. If we expand we have to buy another 60 disk expansion.” and because of that it works perfectly for expansion. You don’t make a single raidz holding 60 disks. You’d make them in groups of say 6 or 8 or 10. Whatever suits your needs for speeds and storage and resilience. When you expand you drop another whole raidz into the pool. Maybe it’s another 6 disks into the new storage shelf.

But since your article in 2016, the OpenZFS project has promised us individual raidz expanding. In 2021 the announcement: arstechnica.com/…/raidz-expansion-code-lands-in-o…

In 2022 an update for feature design complete but no code: freebsdfoundation.org/…/raid-z-expansion-feature-…

The actual request is here: github.com/openzfs/zfs/pull/15022

And the last announcement update was in June 2033 in the leadership meeting recorded here: m.youtube.com/watch?time_continue=1&v=2p32m-7…

You might think this is slow and yeah it’s snail’s pace. But it’s not from lack of work, it’s really truly because it’s part of the entire strategy of making sure ZFS and every update and every feature is just as robust.

I’m a fan even having hardware fail and disks fail both in enterprise, and at home. ZFS import being so agnostic, just pull in the pool, doesn’t matter if it was BSD or Linux.

Snowplow8861 ,

They could have gone BSD and then done whatever they wanted.

Snowplow8861 ,

Luckily on your own network you have control over these decisions! Especially with source and destination firewall rules.