There have been multiple accounts created with the sole purpose of posting advertisement posts or replies containing unsolicited advertising.

Accounts which solely post advertisements, or persistently post them may be terminated.


riskable


Father, Hacker (Information Security Professional), Open Source Software Developer, Inventor, and 3D printing enthusiast

This profile is from a federated server and may be incomplete. Browse more on the original instance.

riskable ,

He couldn’t get a job doing anything else!

nypost.com/…/jerome-adams-say-he-couldnt-find-job…

Precisely because he said Trump was healthy and proved to anyone with a single brain cell that his medical opinion could not be trusted.

riskable ,

I’ve had my account stalked! Right in the middle of it I switched from Kbin to Lemmy (so I could try out the apps) and had to inform my stalker about the new account.

Frustrated and annoyed at having to look for my posts in many different places, they seem to have given up 🤷

This is a clear win for the Fediverse! I was able to switch instances and get subscribed to all my previous communities in no time at all while this doubled up stalking efforts 👍

riskable ,

Oh don’t be so hard on the idea… I think we should encourage Musk to launch himself and other billionaires to Mars 💪

riskable ,

No, it’ll just be shortened to, “Twit” and the bird logo will be replaced with his face.

Well, that’d be the most appropriate new branding anyway.

riskable ,

The confusion comes from so much mass media that equates socialism with communism. They’re orthogonal concepts! Saying socialism is the same as communism is like saying beer-making is exactly the same as cheese-making. Anyone who understands what beer and cheese are would be like, “I’m sorry, what‽”

The best way to think of socialism is that it’s a governance strategy that can be used wherever you want. Want everyone to pay taxes in order to fund and deliver government-run firefighting services? That’s socialism. Want to do the same with the military? Socialism. Whenever the government is delivering some good or service by way of taxpayer dollars that’s socialism.

Capitalism and communism are economic systems. You can have socialist government constructs under either capitalism or communism. It’s just that communism doesn’t really have the flexibility to provide goods or services in any other way than via the government.

Then there are countries like China that claim to be communist (and the Right loves to call them that) but really, they’re more capitalist than communist. What they do have that most communist and fascist governments have is authoritarianism.

That authoritarianism is what fascists and “tankies” have in common: Fascists support an authoritarian, pseudo-capitalist government while “tankies” support an authoritarian, pseudo-communist government.

riskable ,

I also want to know the statistics in regards to people in makeup. With a bit of makeup I bet you could get this system to think you’re whoever’s photo is on your ID.

Camera-based systems are usually quite easy to fool so it could result in a seriously false sense of security.

riskable ,

rerouted to a human border official for handling.

No, the person who was misidentified will be routed to a human TSA agent for harassment. Every single time they fly.

riskable ,

Casinos have completely different goals in regards to facial recognition technology. They’re looking for specific people that do things like count cards, pick pockets, commit fraud, etc. If someone matches they’ll have a security person go and do a real-world double-check that only requires knowing the person’s profile (which will include height and estimated weight, tattoos, typical behaviors, and other unique features).

The TSA is looking for anything suspicious. And “suspicious” has an extremely broad meaning when it comes to a poorly-paid person who would be over the moon if they actually caught a real criminal/terrorist instead of just spending day after day being a professional annoyer of completely normal people.

If the facial recognition system thinks a person doesn’t match their picture ID that doesn’t mean they’re a criminal, a terrorist, or any problem whatsoever. It just means that the system disagrees with their appearance. Is that enough to warrant harassing someone? Making them miss their flight? Invading their privacy and permanently recording all sorts of information about them in the TSA’s databases?

People are getting fed up with all the useless tech in their cars — For the first time in 28 years of JD Power’s car owner survey, there is a consecutive year-over-year decline in satisfaction, wit... (www.theverge.com)

People are dissatisfied with the technology in their cars, according to a new survey from JD Power. They especially don’t...

riskable ,

In China, you can get a VW ID.3 manufactured by a state-owned and subsidized company in China. The same is true for the Tesla Model 3.

Basically, the Chinese government is subsidizing electric car (and battery) production (and enforcing domestic protectionist policies) so of course the same version of the car is cheaper in China. The US goes with a different approach, by providing tax write-offs to people who purchase electric cars which is vastly less efficient (and more expensive to US taxpayers).

riskable ,

Something about Miyazaki is giving us the bird

riskable ,

Arguably, a much more important thing for the students to learn is the limits of humans. The limits of the computer will never be a problem for 99% of these students, or they’ll just learn on the job the types of problems they’re good at solving and the ones they aren’t.

riskable ,

How does one convert a No Fear Article into a Definitely Fear Article?

riskable ,

The “limits of humans” I was referring to were things like:

  • How long can you push a deadline before someone starts to get really mad
  • How many dark patterns you can cram into an app before the users stop using it
  • The extremes of human stupidity

👍

riskable ,

it’s easy when you login to your browser and you’re partially already authenticated automatically sending your personal, private information everywhere else.

FTFY

riskable , (edited )

Firstly: Firefox can import your Chrome passwords and if you enable/sign up for Firefox Sync (which is better, privacy-wise, than your Google account) you’ll be able to use them with Firefox mobile (it’ll sync your settings and bookmarks too, obviously).

Secondly: You can export your logins from Chrome to a .csv file (hamburger menu in the settings… somewhere; I forget, sorry) which can also be imported into Firefox (support.mozilla.org/…/import-login-data-file) and other password managers. I literally just tested importing both Chrome’s and Firefox’s saved logins into a KeePassXC database and it worked fine (it didn’t automatically figure out which field was what though so I had to manually tell it which column was the password, URL, etc but no big).

Firefox also has the same .csv password export feature BTW.

riskable ,

Firefox Sync works to keep your logins/passwords in sync on both Android and iOS (and the desktop version too, obviously).

riskable , (edited )

the best browser is the one which suits the best your needs and use

This is objectively false. The best browser is the one that gets the job done and doesn’t have endless absolutely terrible security vulnerabilities (e.g. IE before they switched to Edge which is just Chrome) or intentionally leaks your private information (e.g. Edge leaking every site you visit to Bing and Chrome doing the same but with Google).

Also, from a performance perspective “the best” is obviously objectively measurable and Firefox just took the crown which is what the post is all about. Realistically though both Chrome and Firefox have had completely acceptable levels of performance (imperceptible differences to normal humans) for like a decade. So it’s probably not that big a deal.

A bigger deal for normies using their browser IMHO is memory utilization which is a much bigger factor than, “how fast does the browser load and run HTML, CSS, and JavaScript?” Just ask Google how much more memory efficient Firefox is! LOL

www.google.com/search?channel=fs&client=ubuntu&q=…

Google search result showing Chrome uses up to 1.77x more memory than Firefox

riskable ,

When you’re 77 your eyes (and hearing and brain) don’t work as well as they used to. There’s a reason why old people are targeted for these kinds of scams.

riskable ,

WhatsApp video calls are end-to-end encrypted. A secure protocol means nothing in this context.

riskable ,

With the tape over the LEDs you can look back though. You won’t be blinded. It’ll be OK.

riskable ,

Alternative title: Guaranteed Universal Basic Income works fantastically fucking well for Seminole Native Americans

riskable ,

Actually my point wasn’t so political, haha. I was just making a joke 👍

I would like to point something out though: You said, “without capitalism this doesn’t work.” Capitalism is an orthogonal concept to socialism. It sounds like you’re confusing socialism with communism which actually is (sort of) the opposite of capitalism.

Socialism isn’t as absolute as capitalism or communism. You can have socialist policies inside of capitalism. For example, infrastructure, a military, firefighting services, medical services (e.g. the VA), etc are all socialist services that exist in the US right now.

Some things work better when they’re socialist (shared resources/common goods) and some things work better when they’re capitalist (well-regulated competition between private interests). There’s an infinite number of ways to decide whether something, or how much of any given thing, should be socialist vs. capitalist, but it mostly boils down to two things: Economics (math) and/or fairness (human nature).

You use capitalism (e.g. private ownership/sales) for goods or services that are non-essential but scarce. Most of the time this means, “stuff”: Food, consumer goods, cars, etc. but it also works for a lot of services like design work, restaurants, cleaning, repair, etc.

You use socialism (e.g. state-run organizations) for goods or services that are essential or non-scarce: A military, infrastructure, policing, firefighting, environmental monitoring/pollution controls, etc.

Examples of where capitalism has failed over and over again, often catastrophically:

  • Firefighting
  • Infrastructure
  • Military (private militaries are always bad news!)
  • Medical care (See: Current state of healthcare in the US!)

Examples of where socialism has failed over and over again, often catastrophically:

  • Housing
  • Food
  • Consumer and industrial goods

I could actually go on and on about what’s best managed by government and all the ways in which capitalism needs to be regulated but I don’t have that kind of time right now (hehe). If there’s one takeaway I want you to have after reading all this it’s this: Always remember that just by having a military you’re living in a socialist state. Everyone is pooling their resources (tax dollars) to maintain that military. It’s socialism. You’re a socialist!

riskable ,

Windows, currently, cannot handle everything Linux can. Linux also has a massive software support advantage, running on vastly more hardware and architectures than Windows does.

Linux has already been given to the masses. People use it every day in super user friendly ways; they just don’t realize they’re using Linux.

The only reason people use Windows is because they don’t choose it. Imagine if every PC sold had a Linux option and a Windows option that cost an extra $100. What do you think people would buy?

The same hardware running Linux will easily outperform Windows (especially at the most common end user tasks like web browsing) by a long shot. In a few days NTFS turns 30 years old FFS (LOL).

Any given hardware accessory will “just work” when plugged in to a Linux PC but Windows will require a special driver that you have to go out and find on your own at the vendor’s website that will be bloated AF. It’ll also reinstall it if you change the USB port LOL.

riskable ,

I can’t speak for anyone but myself but I recently built a new PC for myself with an AMD Ryzen 7950X. When I was doing research I looked at loads of benchmarks and prices of both AMD and Intel chips and ultimately chose AMD because it offered the best value. Especially when you factor in the power costs over time (eco mode is very impressive and yes, I do run with eco mode enabled).

I’d imagine most folks who build their own PCs go through the same sort of obsessive process, haha.

There’s no major issues with either AMD or Intel CPUs on Linux these days so that’s not really a factor. I did go the extra mile though to double check that the 2.5GB Ethernet and Wifi chips in the motherboard I chose had excellent Linux support. I also made sure that updating the motherboard BIOS didn’t require Windows-only software (turned down one motherboard because of reports of Linux users having bad experiences there).

riskable ,

The “I just went to check the mail” shower in Florida in the summer.

YSK: wefwef is a web app that look very similar to Apollo and works on both android and ios (lemmy.world)

Why YSK: looks very similar and functions like Apollo, if you’re used to Apollo that’s a great app for you, even if you do not, it’s still one of the best apps for lemmy. You can install the web app here: wefwef.app/settings/install or just use it on your browser here wefwef.app

riskable ,

It must be amazing if it’s taken you all the way down to 9%!

With your phone’s last dying breath an inescapable urge came over you to say something nice about wefwef. Then you stood up and finally flushed the toilet.

If Lemmy and Mastodon continue to get popular, we will eventually get Instance wars.

If the decentralization of social networks continues, we will have to prepare for the eventual rise of the instance wars, where people will start to fight about which instance is better and which one is weird to be in and so on, but that’s for the future of us all.

riskable ,

Your legend will be carved into the pages of history as the first person to complete the catalog!

riskable ,

Yes but burning mansions to the ground is also an American tradition.

riskable ,

Yeah but you do that every day.

riskable ,

No, it was the kickballs type. Not fun at all!

riskable ,

I bet his brain works a bit better now though! 👍

riskable ,

Yeah we need a FloridaMan instance! I’ll help set it up if someone else pays for it. I’m a card-carrying bearded Unix/Linux admin who knows how to exit vim 👍

riskable ,

Home schoolers/child abusers are everywhere.

Note: Not talking about legitimate, regular curriculum, “online school” for kids that can’t attend normal school for whatever reason, (e.g. bullying, immunocompromised, etc). I’m referring to religious/cult garbage home schooling stuff that doesn’t teach kids much of anything. Parents that put girls through these programs often end them at the fifth or sixth grade (because that’s all they need to be “good wives”).

riskable ,

Probably due to the version of Lemmy on the server. I think it’s because Memmy works with 0.17 but Liftoff doesn’t (fully).

The Lemmy devs made some fundamental changes in how just about everything works in 0.18. Since a lot of apps started development right around 0.18 came out they might not support “the new way” just yet.

It’s another one of those things where you just have to “give it time”. The Lemmy server operators need to upgrade (many were holding off because of missing CAPTCHA support in 0.18) and the app developers still have a lot of kinks to work out. Liftoff has only been out for what? A week now? LOL

riskable ,

There are risks with server security and threat of being hacked

[Citation Needed]. I’m a security professional (my day job involves auditing code). I had a look through the Lemmy source (I’m also a Rust developer) and didn’t see anything there that would indicate any security issues. They made good architecture decisions (from a security perspective).

NOTES ABOUT LEMMY SECURITY:

User passwords are hashed with bcrypt which isn’t quite as good a choice as argon2 but it’s plenty good enough (waaaaay better than most server side stuff where developers who don’t know any better end up using completely inappropriate algorithms like SHA-256 or worse stuff like MD5). They hard-coded the use of DEFAULT_COST which I think is a mistake but it’s not a big deal (maybe I’ll open a ticket to get that changed to a configurable parameter after typing this).

I have some minor nitpicks with the variable naming which can lead to confusion when auditing the code (from a security perspective). For example: form_with_encrypted_password.password_encrypted = password_hash; A hashed password is not the same thing as an “encrypted password”. An “encrypted password” can be reversed if you have the key used to encrypt it. A hashed password cannot be reversed without spending enormous amounts of computing resources (and possibly thousands of years in the case of bcrypt at DEFAULT_COST). A trivial variable name refactoring could do wonders here (maybe I should submit a PR).

From an OWASP common vulnerabilities standpoint Lemmy is protected via the frameworks it was built upon. For example, Lemmy uses Diesel for Object Relational Mapping (ORM, aka “the database framework”) which necessitates the use of its own syntax instead of making raw SQL calls. This makes it so that Lemmy can (in theory) work with many different database back-ends (whatever Diesel supports) but it also completely negates SQL injection attacks.

Lemmy doesn’t allow (executable) JavaScript in posts/comments (via various means not the least of which is passing everything through a Markdown compiler) so cross-site scripting vulnerabilities are taken care of as well as Cross Site Request Forgery (CSRF).

Cookie security is handled via the jsonwebtoken crate which uses a randomly-generated secret to sign all the fields in the cookie. So if you tried to change something in the cookie Lemmy would detect that and throw out the whole cookie (you’d have to re-login after messing with it). This takes care of the most common session/authentication management vulnerabilities and plays a role in protecting against CSRF as well.

Lemmy’s code also validates every single API request very robustly. It not only verifies that any given incoming request is in the absolute correct format it also validates the timestamp in the user’s cookie (it’s a JWT thing).

Finally, Lemmy is built using a programming language that was engineered from the ground up to be secure (well, free from bugs related to memory management, race conditions, and unchecked bounds): Rust. The likelihood that there’s a memory-related vulnerability in the code is exceptionally low and Lemmy has tests built into its own code that validate most functions (clone the repo and run cargo test to verify). It even has a built-in test to validate that tampered cookies/credentials will fail to authenticate (which is fantastic–good job devs!).

REFERENCES:

riskable ,

I think you’re vastly overgeneralizing the world of software here. Before I make my point here are two facts:

  • There’s vastly more FOSS software than there is commercial software.
  • Nearly all commercial software is made for a specific use case or customer.

Just about everyone reading this comment is using FOSS software to do so (Firefox, Chrome/Chromium, or even Edge which is really just customized Chromium). Lemmy itself is FOSS and the majority of websites you visit every day are using FOSS on the back end. Do you feel all this software is “not-user-friendly”?

Let me take a step back from that though and assume you’re not really talking about software in general but are actually referring to software with a GUI that runs on a desktop computer. Someone elsewhere in this thread compared GIMP to Photoshop so let’s look at that…

Photoshop is not an easy, just-use-it application. To get started most people recommend watching a YouTube tutorial and, having watched a few they definitely start from a place where, “you should know all this already”. For example, if you don’t understand the difference between a JPEG and a PNG file you’re going to have a bad time.

GIMP is also not an easy, just-use-it application. To get started most people recommend watching a YouTube tutorial and, having watched a few they definitely start from a similar, “you should know all this already” place. Except there’s one great big difference: You don’t have to pay anything to obtain or use the GIMP. That’s the biggest difference!

They’re both image editing tools but they were designed with different use cases in mind. Photoshop was made for professional photographers and digital artists working for business. This is why Adobe put great efforts into making sure that certain “workflows” go very smoothly… Because they’re the most common in business.

If you try to use Photoshop with a different workflow than what it was designed for you’re going to have a bad time! For example, let’s say you wanted to perform a series of manipulations and add some text to tens of thousands of photos; a great big directory of .jpeg files. You might search up how to do this in Photoshop (using macros) and you’ll quickly come to realize that it was definitely not made for this task!

However, if you searched for how to do the same thing in GIMP well, it actually was made to support that! It’s another one of those things where you’ll have to learn a new skill but it’s doable. It’s a use case the GIMP developers had in mind when they made it.

From the perspective of batch editing Photoshop is basically useless. Anyone who tries would find it, “very not-user-friendly” because it was made for a specific purpose and that’s not it.

The GIMP was made as a much more general-purpose graphics editing tool. So much so that it can be completely re-skinned to make it look like Photoshop or even operated entirely from the command line. You can even automate very sophisticated workflows with GIMP using Python!

This same sort of argument can be made for nearly every open source tool that is commonly bitched about, LOL! They generalize that FOSS isn’t user friendly, completely forgetting or ignoring 7zip, Firefox, VLC, LibreOffice, Notepad++, OBS, Keepass, Greenshot, Ditto, Audacity, etc or any of the many thousands of very popular/common FOSS packages that get used on people’s desktops every day.

riskable , (edited )

When I said, “it validates the timestamp” I wasn’t talking about the JWT exp claim (which you’re correct in pointing out that Lemmy doesn’t use). I was talking about how JWT works: The signature is generated from the concatenation of the content of the message which includes the iat (Issued-at) timestamp. The fact that the timestamp is never updated after the user logs in is neither here nor there… You can’t modify the JWT message (including the iat timestamp) in Lemmy’s cookie without having it fail validation. So what I said is true.

The JWTs don’t have an expiration time but the cookie does… It’s set to one year which I believe is the default for actix-web. I’m surprised that’s not configurable.

You actually can invalidate a user’s session by forcibly setting their validator_time in the database to some date before their last password reset but that’s not really ideal. Lemmy is still new so I can’t really hold it against the devs for not adding a GUI feature to forcibly invalidate a user’s sessions (e.g. in the event their cookie was stolen).

I also don’t like this statement of yours:

If you are using a JWT cookie validation does not matter, you need to have robust JWT validation. Meaning JWTs should have short expiration times (~1hr), should be refreshed regularly, and should be sent in the header.

Cookie validation does matter. It matters a lot! Real-world example: You’re using middleware (or an application firewall, load balancer, or similar) that inserts extra stuff into the cookie that has nothing at all to do with your JWT payload. Stuff like that may require that your application verify (or completely ignore) all sorts of things outside of the JWT that exist within the cookie.

Also, using a short expiration time in an app like Lemmy doesn’t make sense; it would be super user-unfriendly. The user would be asked to re-login basically every time they tried to visit a Lemmy instance if they hadn’t used it in <some time shorter than an hour like you suggested>. Remember: This isn’t for message passing it’s for end user session tracking. It’s an entirely different use case than your typical JWT stuff where one service is talking with another.

In this case Lemmy can definitely do better:

  • Give end users the ability to invalidate all logged in sessions without forcing a password reset.
  • Make the cookie expiration time configurable.

When using JWT inside of a cookie (which was not what JWT was meant for if we’re being honest) there’s really no point to using the exp claim since the cookie itself has its own expiration time. So I agree with the Lemmy dev’s decision here; it’d just be pointless redundant data being sent with every single request.

Now let me rant about a JWT pet peeve of mine: It should not require Base64 encoding! OMFG talk about pointless wastes of resources! There’s only one reason why JWT was defined to require Base64 encoding: So it could be passed through the Authorization header in an HTTP request (because JSON allows characters that HTTP headers do not). Yet JWT’s use case goes far beyond being used in HTTP headers. For example, if you’re passing JWTs over a WebSocket why the fuck would you bother with Base64 encoding? It’s just a pointless extra step (and adds unnecessary bytes)! Anyway…
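As an added example (not Lemmy’s code and not the jsonwebtoken crate), the Python below hand-rolls HS256 JWT issuing and verification to show the point made in the security notes above and in this reply: the HMAC signature covers the base64url-encoded header and payload, so altering any claim, the iat timestamp included, makes the signature check fail and the whole token is rejected. The server secret, the claim values and the lemmy.example issuer are constructed for the demo.

```python
"""Hand-rolled HS256 JWT issue/verify: a tampered claim (iat included) fails validation.
Constructed example; not Lemmy's own code nor the jsonwebtoken crate's API."""
import base64
import hashlib
import hmac
import json
import secrets
from typing import Any, Dict, Optional

# Constructed server secret; a real server generates one at startup and keeps it private.
SERVER_SECRET = secrets.token_bytes(32)


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as JWT compact serialization requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url(); restores the padding the base64 decoder expects."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json_bytes(obj: Dict[str, Any]) -> bytes:
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode("utf-8")


def issue_jwt(claims: Dict[str, Any], secret: bytes) -> str:
    """Build header.payload.signature with signature = HMAC-SHA256(secret, header.payload)."""
    header_b64 = b64url(_json_bytes({"alg": "HS256", "typ": "JWT"}))
    payload_b64 = b64url(_json_bytes(claims))
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    mac = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header_b64}.{payload_b64}.{b64url(mac)}"


def verify_jwt(token: str, secret: bytes) -> Optional[Dict[str, Any]]:
    """Return the claims only if the signature covers exactly these bytes, else None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None  # refuse any algorithm other than the one we issue with
        signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
        expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None  # payload or header no longer matches the signature
        return json.loads(b64url_decode(payload_b64))
    except ValueError:  # malformed base64, JSON, or wrong number of segments
        return None


def alter_claim(token: str, claim: str, value: Any) -> str:
    """Re-encode the payload with one claim changed while keeping the original signature."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    claims = json.loads(b64url_decode(payload_b64))
    claims[claim] = value
    return f"{header_b64}.{b64url(_json_bytes(claims))}.{sig_b64}"


def demo() -> Dict[str, Any]:
    """Issue a session token, then show that every modification is rejected."""
    claims = {"sub": "riskable", "iss": "lemmy.example", "iat": 1690000000}  # constructed
    token = issue_jwt(claims, SERVER_SECRET)
    return {
        "valid": verify_jwt(token, SERVER_SECRET) == claims,
        "changed_iat": verify_jwt(alter_claim(token, "iat", 1700000000), SERVER_SECRET),
        "changed_sub": verify_jwt(alter_claim(token, "sub", "admin"), SERVER_SECRET),
        "wrong_secret": verify_jwt(token, secrets.token_bytes(32)),
        "truncated": verify_jwt(token[:-4], SERVER_SECRET),
    }


if __name__ == "__main__":
    print(demo())
```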

riskable ,

FACEIT is yet another completely useless, doesn’t-actually-work, trust-the-client anti-cheating tool. Basically, it makes it so that cheaters (and the game publisher) can claim cheating isn’t happening because, “there’s an anti-cheat tool” but in reality it doesn’t stop actual cheaters.

The entire purpose of anti-cheat tools appears to be to stop casual Linux gamers from being able to play the game. Microsoft has a big part in it as well because the very same intentional vulnerabilities in Windows that hackers use to install undetectable rootkits are what get used by anti-cheat software.

If Microsoft wanted they could close those vulnerabilities by making all privilege levels above administrator (of which Windows has two which is insane) inaccessible to anyone but Microsoft. Instead they just collect money from 3rd party vendors to sign their driver encryption keys, inherently trusting those vendors not to make software with vulnerabilities. It’s a recipe for insecurity and Microsoft likes it that way. It acts as a form of vendor lock-in.

Anti-cheat tools pretty much all work with the same basic assumption: Trust the client. What’s the first rule of network programming? Never trust the client!

riskable ,

You might want to rename it considering that a company named Liftoff Software exists and has a trademark on the term, “liftoff” pertaining to software.

riskable ,

The trademark category is for “software”. There’s no distinction between SaaS and an app. They’re the same thing from a trademark standing.
