r00ty Admin

@[email protected]

I'm the administrator of kbin.life, a general purpose/tech orientated kbin instance.

r00ty Admin

You don't need to use nat on ipv6. Most routers are based on Linux and there you have conntrack.

With that you can configure by default outgoing only connections just like nat and poke holes in the firewall for the ports you want specifically.

Also windows and I think Linux use ipv6 privacy extensions by default. That means that while you can assign a fixed address and run services, it will assign random ip addresses within your (usually) /64 allocation for outgoing connections. So people can't identify you and try to connect back to your ip with a port scanner etc.

All the benefits of nat with none of the drawbacks.

What was your first experience using Linux? How old were you? Stick around or did you go back to windows before eventually circling back to Linux?

I’ll go first, I took my mom’s college textbooks which came with discs for a couple distros and failed to install RHEL before managing to get Fedora Core 4 working. The first desktop environment I used was KDE and despite trying out a few others over the years I always come back to plasma. Due to being like 12, I wanted to...

r00ty Admin

Linux FT. From a magazine cover disk in around 1996. I was a teenage oik working at a company where I suggested setting up the Internet for email and support use. The manager at the time subscribed to Bill Gates' belief that the Internet was a fad. I was granted an old 486 desktop pc, and modem and a basic modem account.

I set up a squid proxy and email server with dial on demand. It was slow but it worked.

I moved onto redhat 5 after (before it became the enterprise thing), we went to isdn and leased line and I even had a stack of usr courier modems under my desk by the end with dial in for both Internet and collecting mail (for sales mostly).

It only got replaced when the company actually paid for a full time IT manager (I was primarily a software developer, doing IT on the side) and they switched everything to windows.

Why are we stuck with bash programming language in the shell?

Bash-like scripting has become ubiquitous in operating systems, and it makes me wonder about its widespread adoption despite lacking certain programming conveniences found in other languages. While it may not be the ideal choice for large-scale software development, the bash shell possesses unique features that make it...

r00ty Admin

I think you just need to use the right tool for the job.

Personally bash scripts are fine for any basic comparison operations or just running stuff together like a windows batch file. Maybe checking result codes, searching for processes, selectively killing etc.

Beyond that, but where I expect it to be still a convenience/automation script I use perl (which is where probably most people would now use python, but I'm old). It can still be run from command line, it can access databases, can be OO if you want it to (but generally if I am going that far I move to a faster language) and in general for moderately complex automation I use perl.

If it gets complicated (250+ lines as a general rule) or needs speed, then I'd move onto a proper programming language because now it has become a project.

But, that's just me.

r00ty Admin

Yep, immediately what I thought of when I saw this.

r00ty Admin

It's true, but there's some pretty reasonably priced S3 compatible containers now. To the extent I'd only start getting concerned at the 1TB mark.

Of course I also am not going to complain if people use hosting sites and prolong how long it takes to get to 1tb :p

r00ty Admin

Same as every other technological innovation though. Productivity goes up. Revenue goes up. Pay goes.. No wait, I must have got something wrong here.

r00ty Admin

It kinda does. But the problem is the microblogs people post to the groups on kbin drown it out.

I followed elonjet on my instance. If I click on the main kbin page then microblog (NOT from a group, since it will filter only microblogs to the group) and scroll I will find the elonjet updates along with all the other stuff people probably mistakenly posted by clicking + and then add post instead of add thread (probably because reddit called them posts).

So it does work correctly. If you filter out all the microblogs that were probably posted by mistake.

Oh and you can get directly to only the specific content by clicking your name in top right, profile, followed and choosing the followed user. You'll see all their posts there.

r00ty Admin

You could make a report here suggesting an enhancement.

But what comes into the feed is anything posted on kbin as a microblog (potentially by mistake) or, from Mastodon where they tagged a community subscribed to.

It isn't normal threads to groups that end up there.

Just looking at the current feed on my instance (you can see yourself, you don't need to login https://kbin.life/microblog) the first item is from a Mastodon user that tagged the [email protected] group. Hence why it shows up there since the instance takes content from there.

The next 2 items are clearly people on kbin.social that mistakenly (well maybe deliberately, but I suspect not) create a post, not a thread in the [email protected] group.

You can tell which is which, the Mastodon users are deliberately using hashtags and tagging groups with @. The others are making a very reddit style post that is turning up in the wrong place because they chose post, not thread.

But I think it'd be a nice option to just show followed people and not groups. Maybe a three way toggle. People, Groups, All.

r00ty Admin

OK then I can see what's happening and there needs to be filtering added (and not just by magazine as it allows now).

I think it's putting into random microblog posts by anyone that any user followed. In fact, you can confirm it easily by scrolling down on my one while not logged in. I mentioned I only followed elonjet. And sure enough there's some posts by elonjet a bit further down, but otherwise it's just Mastodon users tagging groups or kbin users making a mistake.

Is it possible to safely check for certain characters in a password?

Basic cyber security says that passwords should be encrypted and hashed, so that even the company storing them doesn’t know what the password is. (When you log in, the site performs the same encrypting and hashing steps and compares the results) Otherwise if they are hacked, the attackers get access to all the passwords....

r00ty Admin

I'm finding it hard to see how it would be more secure. If I understand what the other comment meant, they would have something like:

password123 = ef92b778bafe771e89245b89ecbc08a44a4e166c06659911881f383d4473e94f

We'll assume they pick 4 random pairs

3rd + 5th (sw) = 7865b7e6b9d241d744d330eec3b3a0fe4f9d36af75d96291638504680f805bfd
9th + 11th (13) = 3fdba35f04dc8c462986c992bcf875546257113072a909c162f7e470e581e278
2nd + 5th (aw) = f5fe88ee08735ae259265495a93c8de2b0eacfecf0cd90b5821479be3199fa8c
6th + 8th (od) = 32f30ea0e83c41a331c4330213005568675f7542c25f354ebb634db78cc30d12

Assuming all 128 7-bit character options are used and ignoring dictionary or optimized attacks the complexity of the full password is 7x11 or 77 bits (or 151,115,727,451,828,646,838,272 combinations). So with just the password hash that's how many tries you need to exhaust every possible option, again without optimizing the process.

But for each of the pairs the complexity is 14 bits or 16,384 combinations. So it would take microseconds to crack all 4 of the pairs. With that information you'd get a password of ?as?wo?d1?3?????? (because we don't know the length) and if they have used a common word or series of words you might have enough information to guess the rest, but even when brute forcing you've removed a decent amount of complexity.

Note: This is SHA256. We're going to ignore salt for this. Salt only increases complexity because you need to crack each user's password and are not able to really use rainbow tables etc.

Unless I misunderstood the idea. In which case, sorry about that.

In all likelihood it is encrypted in a database and the interface to the phone operator only allows them to enter what is said and confirm (although I wouldn't be surprised of some showing the whole password).
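
The pair-hash leak described in the comment above, as an added example that is not part of the original comment: it stores unsalted SHA-256 hashes of the same four position pairs for the sample password, then shows how much of the password a 16,384-entry table gives back. The function names are hypothetical, and the bit count assumes the password length is known.

```python
import hashlib
from itertools import product

# Assumption taken from the comment: any of the 128 7-bit characters may appear.
ALPHABET = [chr(c) for c in range(128)]
BITS_PER_CHAR = 7


def sha256_hex(text):
    return hashlib.sha256(text.encode("ascii")).hexdigest()


def store_pair_hashes(password, positions):
    """Hypothetical server side: one unsalted SHA-256 per pair of 1-based positions."""
    return {(i, j): sha256_hex(password[i - 1] + password[j - 1])
            for i, j in positions}


def build_pair_table():
    """Hash every possible two-character input once: 128 * 128 = 16,384 entries."""
    return {sha256_hex(a + b): a + b for a, b in product(ALPHABET, repeat=2)}


def known_characters(stored, table):
    """Map each 1-based position covered by a stored pair hash to its character."""
    known = {}
    for (i, j), digest in stored.items():
        first, second = table[digest]
        known[i], known[j] = first, second
    return known


def render_mask(known, length):
    """Show recovered characters in place, with '?' for positions still unknown."""
    return "".join(known.get(pos, "?") for pos in range(1, length + 1))


def remaining_bits(known, length):
    """Bits of search space left once the leaked positions are filled in."""
    return BITS_PER_CHAR * (length - len(known))


if __name__ == "__main__":
    # Constructed sample: the password and position pairs used in the comment.
    password = "password123"
    pairs = [(3, 5), (9, 11), (2, 5), (6, 8)]
    stored = store_pair_hashes(password, pairs)
    known = known_characters(stored, build_pair_table())
    print("full password search space:", BITS_PER_CHAR * len(password), "bits")
    print("recovered mask:", render_mask(known, len(password)))
    print("left to guess:", remaining_bits(known, len(password)), "bits")
```

Storing a single slow, salted hash of the whole password (or an encrypted copy with the key held off the database server, as the comment suggests) avoids handing out these per-pair lookups.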

r00ty Admin

I wrote a comment about this in this thread. Just to add that a salt doesn't add complexity to the brute forcing of a password, it just makes it so you need to brute-force each one separately.

Hashing pairs of characters would be extremely insecure.

r00ty Admin

Yes, I did a reply about this above because this idea has been suggested a few times and it's truly a bad security move. I'd prefer they just encrypted it and made sure the key was stored separate from the database. That's more secure than this idea.

r00ty Admin

The issue with salt is that it is stored with the password hash. So you'd pretty much get that information with the password. It's only designed to make sure the hash won't be the same for the same password on other users, not to make breaking the hash any harder on its own.

You could store it (and/or pepper) wherever the password is actually checked and splitting it would help. But I cannot imagine they're doing that. It's far more likely they're encrypting the password and keeping the key off the database server. Meaning they need to get both, to get passwords.

r00ty Admin

But, you'd have the key which fits onto the standard wheel brace. Else the RAC had all the possible keys on them?

Nice to at least have the option though, these days a spare is an option you have to pay extra for.

r00ty Admin

Yes, and I think I noticed a fair few that have no data on camel³ but I know I've seen the item before. So, you can't see the history.

I don't buy anything on these sales unless I can see the history and it's a real cut.

r00ty Admin

To be fair, documentation is very often a much longer route to understanding your specific use case. At the same time, SO is responsible for far too much cargo cult programming and I fear ChatGPT will be the same for this.

ActivityPub relay for self hosted lemmy instances?

It looks like a lot of people want to self-host Lemmy. Would having an ActivityPub relay setup for those instances to subscribe to, instead of them all subscribing individually to the bigger instances be feasible? I’ve only seen discussions online about relays in regards to Mastodon. Has anyone attempted to set up one for use...

r00ty Admin

Well actually if the popular communities weren't concentrated on the larger instances, and rather spread out it would be less of a problem I think. But, yes at the peak of things I was averaging around 5 hits a second from lemmy.world alone on incoming federation messages.

I think making a separate run relay isn't the answer. I think perhaps the larger instances running a separate server for federation outgoing messages, and perhaps redirecting incoming federation messages too. So as to separate federation and UI. If they don't already of course. That could go a long way to making it take longer to overwhelm.

r00ty Admin

Please feel free to perform a full security audit.

r00ty Admin

The ansible method of setting up a lemmy instance generally "just works". I set one up for federation tests with kbin recently.

r00ty Admin

How ironic, killed by the very thing that created it.

r00ty Admin

Not wanting to talk to you, because your text bubbles are the wrong colour? Sounds a bit cultlike in behaviour. I daresay I don't know anyone like that. But, I also don't know too many people with iphones any more. Also I don't really use text messages. For text I'm using whatsapp or signal (or for techie types maybe matrix).

r00ty Admin

I think the only SMS messages I get are from the Doctor.

r00ty Admin

Damn, the fact I remember mobile phones before they could even send text messages makes me feel ancient now.

r00ty Admin

Not sure how it is on lemmy. But looking at the structure on kbin. I reckon you could (with a little sql magic) convert the existing one to a local magazine without cloning, and then people could subscribe to the new version or existing subs could also hack their sql to change the id to match the new instance and toggle the subscriptions.

On Lemmy though I think images are not cached locally. So you might lose those. Kbin by default will also download images/media locally too.

Not sure this would happen enough to add formal functionality for it though.

r00ty Admin

Not quite. Other instances subscribed to remote instances are sent the information about new posts, comments etc and they store them locally on that instance. So, while there'd not be new content (since the main instance is the controller for all incoming content and distributes it back out), it would break the connection for new stuff.

There are manual steps an instance admin could take, to take it over. Probably it would need some agreement as to who takes it on.

r00ty Admin

Instructions unclear, changing bed twice a year.

r00ty Admin

I thought the best/top/hot were governed by upvotes/downvotes on that specific post. Not the user's Karma.

r00ty Admin

And just to make things weirder. On kbin we have up and downvotes. But it seems only upvotes come in from other platforms. I never see a post or comment with a downvote here.

YSK: The Fediverse is a privacy nightmare (blog.bloonface.com)

TLDR: While Fediverse won’t directly serve you ads, anonymous bad actors other than Meta can save, redistribute, and even dox you for any information you post here. Anything you post here can/will remain forever on some malicious instance that doesn’t honor deletion requests. So be careful!

r00ty Admin

I think the best we can do here is ensure this is outlined in the privacy policy on each instance. I've tried to outline how it works, and why it works that way in my privacy policy. But it's still a bit of a work in progress.

I think the most important thing to stress here is that only data required for federation is shared. We don't build profiles, we don't send any other data to any third parties and all the data sent to federated servers is available via a web link to anyone publicly too.

The best we can do for users that want to be forgotten is send the delete request. We cannot force other instances to delete content.

I would argue that's the case for "big social media" too. Say for example I say to facebook "Hey under GDPR provisions I would like you to delete all data you have from my account". They are obliged to do this. Sure. But what about all the third party advertisers that already have my data through the sharing agreements? Do you think facebook even tries to remove it from them? Do you think they will do it if they ask?

So, I think that's kinda synonymous with the federation situation. So long as you make clear how it works, and as long as you make good faith attempts to delete a user's data on request. I'm not sure there's more we can be expected to do (and it's already more than the big companies will do for you).

r00ty Admin

Well, more specifically it is protecting against a specific form of data loss, which is hardware failure. A good practice if you're able is to have RAID and an offsite/cloud backup solution.

But if you don't, don't feel terrible. When the OVH datacentre had a fire, I lost my server there. But so did a lot of businesses. You'd be amazed at how many had no backup and were demanding that OVH somehow pry their smouldering drives from what remained of the datacentre wing and salvage all the data.

If you care about your data, you want a backup that is off-site. Cloud backup is quite inexpensive these days.

r00ty Admin

Yeah, but you will get the most basic machine made up of a screen, touchpad, keyboard, basic ARM CPU, wifi and framebuffer. Those will be sold as Windows 365 terminals for a low price. Probably even subsidised and sent free if you subscribe for a year ahead.

I've used what used to be the shadow PC (before OVH got hold of it). That was surprisingly good. Latency often so low I could play FPS, yes not as good as playing local. But still not dying every single round because of it. But it DID need a fair amount of bandwidth to look good (30Mb/s was the point I think quality started to drop).

But in the end I don't want it to succeed, because if it does proper PC hardware will become hobbyist and niche. And we all know hobbyist niche items are expensive!

r00ty Admin

On kbin I don't see it go below zero. :(

What do you think is the best solution to having the same named communities on different instances?

We should implement this as whenever I wish to browse (for example) [email protected] I have to go to there, and whenever I wish to browse [email protected] I have to go there. Would it be possible to implement it in kbin/lemmy's code to make it easier to browse all?

r00ty Admin

I think this is probably the only way to do it. But they need to be curated by someone. The reason it can't happen automatically is based on how federation works on lemmy and kbin.

That is that an instance doesn't know about the communities another instance has available (it doesn't even know about any other instances). When a user specifically searches for a remote instance, then it contacts the instance and then knows about it.

But this change could work in that someone on the instance can search out the various communities and create the merged group.

Of course when you reply you'd only reply to the community that post was from but actually that's fine because anyone in the combined group would still see it.

r00ty Admin

I actually like the level of activity there is now. When I take a look there's always new posts and usually something I want to reply to.

More would be fine. But yes 5 random people would get stale pretty quickly.

r00ty Admin

Well damn, that web server has a good union.

r00ty Admin

A brand new instance on the fediverse doesn't initially know about any other instances. Only when someone searches for a community@instance does it then go talk to that instance and subscribe to get posts/comments etc.

r00ty Admin

Same, a phone triggered lucidity for me too. But in this case it was an office desk phone, and the text was just wrong on the screen.

r00ty Admin

That one will move to twitter.

r00ty Admin

@elonjet we can, I just followed.

r00ty Admin

Pffft spez. He just flies commercial.

r00ty Admin

I'm on kbin. Not sure if it works on lemmy. I just went to the main search and typed in @[email protected] (not sure if that will show right, it turned into a link for me when I pasted last). For me there's a follow option, in my profile it shows as followed and the last post is there.

You can see what I see here https://kbin.life/u/@[email protected]

r00ty Admin

Any more and he'll be in coach. No, not coach class, an actual coach on the road.

r00ty Admin

spez can't afford it because apollo and rif took all his ad money!

r00ty Admin

Hi,

I think this is one of the things we need in a primer that is prominent wherever people talk about lemmy/kbin/meta verse in general.

You only need to sign up to one instance. It helps if they have the communities you want already there but if they don't, you can still access them.

I cannot comment for lemmy but on kbin there's a search icon and you can just type community@instance. For example this community on a remote instance is [email protected]. I'm reading your comment and typing this from my own kbin instance. It's how this was designed to spread the load.

So pick one to stick to and add all the communities there.

If you have more questions, ask away.

r00ty Admin

Well, you don't need to use them. I had accounts on a couple of other instances before making my own.

Why do people hate Manjaro and how to replicate Manjaro sway in arch or arco?

Pretty much the title. Where’s the hate towards Manjaro coming from? I was pretty much a Ubuntu/Fedora user for years but never got too technical. Used almost always gnome, but recently got interested in tiling wm and have done some searches and stumbled upon the Manjaro Sway edition and everything works quite well, but I keep...

r00ty Admin

This is my experience with Manjaro. Really good OS, with gaming that tends to work out of the box, nice choices in UI environment. It's great right up until it breaks.

Now admittedly I've generally not used much Linux on desktop; I have been using Linux on servers since the 1990s (the original redhat 5). But it took me a weekend to get the thing properly working again.

That's my manjaro experience.

r00ty Admin

Yes, and no. You can access lemmy and kbin instances from Mastodon. But the format doesn't work so well I think. I'm not sure how far it goes and how viable it is though. I'm not on Mastodon.

But once you have an account on one of the threadiverse instances, defederation aside the same content should be available.

r00ty Admin

Hah. I remember working with accounting software in the early 90s. Legacy stuff even then. Programs and data needed to fit in 64k.

Need to make a simple customisation? Well now you need to split one program into two. Have fun.
