I hope this is common knowledge, but just in case not: Authorized Fetch does not protect media attachments. Only post contents and (some) user profiles are authenticated.
Likewise, uploaded media is always public. Even if sent as a DM, anyone with the link can access the files without authentication. That includes blocked users / instances, so be careful what you upload!
lol
https://trufflesecurity.com/blog/anyone-can-access-deleted-and-private-repo-data-github
You can access data from deleted forks, deleted repositories and even private repositories on GitHub. And it is available forever. This is known by GitHub, and intentionally designed that way. (trufflesecurity.com)
Campfire Stories 🔥
Commission for Kaiyoht from Jack-Jackal! :3 Higher res version, time lapse video, and drawing stage snapshots are up on my Patreon!: https://www.patreon.com/posts/campfire-stories-108754627
#Furry #FurryArt #FurryArtist #MastoArt #Commission #ArtCommission
Every time I look up advice/details of how to do something on Linux and the project/guide doesn't explain what to do, but instead has a docker image, my resolve to never use docker increases a little bit more.
I get why docker exists and I'm not saying that it's not useful but wow I really do not want the question "How do I do x" to be answered with "Use this docker image"
Honestly, if you like docker then that's great, but hear me out:
Docker on enterprise servers? ✅ Yep
Docker instead of VMs? ✅ Sure why not?
Docker because you want to? ✅ Of course!
Docker on a single board computer for one job? ❌ Nonononono please just tell me the steps involved so I can learn how the system works!
@garrwolfdog Sorry I didn't mean to come across as "never use docker at all" but that I dislike that answers have in some cases become "use this docker image"
For example, I want an SBC to monitor the temperature of my hot water tank. The first guide I found said that I should use multiple docker images to provide Prometheus and Grafana, and other guides were similar.
In the end Darac pointed me to Munin and that's exactly what I want. :)
@garrwolfdog Like in your case if you're already au fait with docker and it fits into your network then it makes sense, but for me who's still running servers with multiple services for an internal home network I'd prefer to have the details of how to configure it myself :)
It wouldn't be an issue if it was "here's how to do it from scratch but also there's a docker image if you want" but I keep seeing guides that are "you must use docker"
@garrwolfdog Sorry let me clarify; I know nothing about docker and the first time I tried to follow one of these guides I ran into a problem with no way of being able to troubleshoot the fault. I couldn't find an easy answer of how to look at the logs or files within the docker so I had no idea what was going on.
That one did have all the code/scripts/etc not in a docker image and the first time I ran all that I found the fault straight away just by looking at the system logs.
@garrwolfdog That's how I've seen a lot of people using it for small projects, hence my aversion to it in small projects.
I've always seen it as one of those things that you have to know/be invested in learning before you use it in a production environment but some people are treating it like FlatPak/AppImage
@pippin part of the point of the containers is to avoid the very issue it sounds like you're worried they cause. There are potential Escape Routes (usually if run with too many permissions) but the idea is almost more "I don't trust this to _not_ get compromised so I'm isolating this with limited connections for networking/data out of it" with the added benefit of "I also don't have to worry about package collisions or it fucking with local packages".
Outside of official containers I tend not to trust ones where I can't see the Dockerfile, and can read to see how the container image was built and what it'll do inside itself. Useful sometimes for writing my own Dockerfile stuff like for the mastodon image I use.
But yeah the dual purpose is definitely "contain" first, hence the name, with the benefit of "isolate libraries" second meaning if your container ever goes sideways you can just tear it down, and not have to worry about "alright what files got fucked up by building or package management?" And kinda making the data a little more portable. Definitely makes migrating/moving stuff a lot less painful.
@Kay Ohtie @Epoxy / Renby 💜🏳️⚧️ I don't drive recklessly just because I'm wearing a seatbelt, though. 🤷♂️
I'm just very dubious about the benefits, haven't had the time and motivation to spend to learn this whole new thing, and haven't had any problems doing it the way I've always done it.
(I'm probably in the "anything invented after you turn 30 is newfangled trash" phase, too.)
"You! Explain what this world is about!"
Seems this sabre has been transported in time to the modern day, and is grumpy about it!
📸 @silverfoxwolf
🐯 @tungro as Seritus the Sabretooth Tiger
✂️ @madebymercury
📆 2024-07-20
🌍 LondonFurs, London, UK
"IT'S A SWORD, IT'S NOT MEANT TO BE SAFE." My favourite scene from The Hogfather. See how this comic was made here. (adi-fitri, Tumblr)
In 2012, an industry-wide coalition of hardware and software makers adopted Secure Boot to protect against a long-looming security threat. The threat was the specter of malware that could infect the BIOS, the firmware that loaded the operating system each time a computer booted up. From there, it could remain immune to detection and removal and could load even before the OS and security apps did.
To this day, key players in security—among them Microsoft and the US National Security Agency—regard Secure Boot as an important, if not essential, foundation of trust in securing devices in some of the most critical environments, including in industrial control and enterprise networks.
On Thursday, researchers from security firm Binarly revealed that Secure Boot is completely compromised on more than 200 device models sold by Acer, Dell, Gigabyte, Intel, and Supermicro. The cause: a cryptographic key underpinning Secure Boot on those models that was compromised in 2022. In a public GitHub repository committed in December of that year, someone working for multiple US-based device manufacturers published what’s known as a platform key, the cryptographic key that forms the root-of-trust anchor between the hardware device and the firmware that runs on it.
The repository included the private portion of the platform key in encrypted form. The encrypted file, however, was protected by a four-character password, a decision that made it trivial for Binarly, and anyone else with even a passing curiosity, to crack the passcode and retrieve the corresponding plain text. The disclosure of the key went largely unnoticed until January 2023, when Binarly researchers found it while investigating a supply-chain incident. Now that the leak has come to light, security experts say it effectively torpedoes the security assurances offered by Secure Boot.
“It’s a big problem,” said Martin Smolár, a malware analyst specializing in rootkits who reviewed the Binarly research and spoke to me about it. “It’s basically an unlimited Secure Boot bypass for these devices that use this platform key. So until device manufacturers or OEMs provide firmware updates, anyone can basically… execute any malware or untrusted code during system boot. Of course, privileged access is required, but that’s not a problem in many cases.”
Keys were labeled "DO NOT TRUST." Nearly 500 device models use them anyway. (Ars Technica)
“Imagine a house where the drywall, flooring, fireplace, and light fixtures are all made by companies that need continuous access and whose failures would cause the house to collapse. You’d never set foot in such a structure, yet that’s how software systems are built.
“It’s not that 100 percent of the system relies on each company all the time, but 100 percent of the system can fail if any one of them fails.” https://hachyderm.io/@wka/112849901858780783
"brittleness is profitable only when everything is working" — Barath Raghavan and Bruce Schneier, “The CrowdStrike Outage and Market-Driven Brittleness” https://www.schneier. (Hachyderm.io)
Shreddyfox at FWA24
🦊: shreddyfox
📌: FurryWeekend
#Furry #Furries #Fursuit #FursuitFriday #Photography #Anthro #FurryArt #FurryArtist #FWA #FWA24
These oversized American vehicles are getting out of control! How can someone justify buying something big enough to crack the pavement just to pick up groceries or go to their office job?!
I bet this thing has never even seen mud. It's useless for doing any actual work. It's practically designed just for killing pedestrians, and I think that shows exactly how much the landlord class in America values the lives of you and me and anyone else they see as beneath them.
Griffin:
Vote.org just announced a nearly 700% increase in daily voter registrations — more than 38,500 new registrations — in the 48-hour period following President Biden's announcement.
This figure marks the single largest number of voter registrations over a 48-hour period during the 2024 cycle.
👉🏼👉🏼 Younger voters between 18 and 34 accounted for 83% of new registrations.
Fantastic news for those of us who rely on breathing for our daily lives.
Change equivalent to removing 200,000 cars for a year, with capital’s air quality improving at faster rate than rest of England (Gwyn Topham, The Guardian)
OpenBSD enthusiast cooks up guide for the technically timid
If you want a simple step-by-step, this is the best we've seen. French BSD enthusiast Joel Carnat has written a how-to guide on setting up a laptop with OpenBSD for general use. It's worth a go for the Unix-curious.…
#theregister #IT
https://go.theregister.com/feed/www.theregister.com/2024/07/25/openbsd_for_the_people/
When Sunday made history as the worldwide hottest day on record, it held the top spot for just one day: Monday is now the warmest day of global average temperature, and Tuesday is second.
Three global temperature records set in three days.
Climate crisis? What climate crisis?
https://apnews.com/article/climate-global-temperatures-10600ef3b2092dfc4d456f0d593ee0de
Global temperatures have dropped slightly after breaking the all-time heat record the two previous days. The European climate service Copernicus says Tuesday's global temperature was 17.15 Celsius, which is 62.87 Fahrenheit. That's just 0. (Sibi Arasu, AP News)
Objective: To evaluate the personal protective effects of wearing versus not wearing surgical face masks in public spaces on self-reported respiratory symptoms over a 14 day period. Design: Pragmatic randomised superiority trial. Setting: Norway. (The BMJ)
It's almost as if our glorious leaders really ought to, y'know, do something about it.
This is pure cartel behavior: Reddit and Google have cut a deal that will freeze out all other search engines from indexing Reddit, where volunteers do essentially all the work.
This should not be legal.
It is VITAL to replace Reddit, and it will take a global village to do it. If we don't, the cartel wins.
And Google should be broken up by Congress, if the antitrust people won't try.
https://www.404media.co/google-is-the-only-search-engine-that-works-on-reddit-now-thanks-to-ai-deal/
DuckDuckGo, Bing, Mojeek, and other search engines are not returning full Reddit results any more. (Emanuel Maiberg, 404 Media)
It's 2026. McDonald's has partnered with IBM again for verbal order placement in the drive-through.
You left your wallet at home, but know tap to pay works with your phone.
You arrive at the takeout window, no one is there. Your food is behind a glass mechanical door. You tap your phone and a voice tells you:
"This payment method is not accepted, please use a trusted device."
You ask what a trusted device even means; a voice responds: devices without any modification to the Operating System. You don't care what an OS is, you want those chicken nuggets.
You press again and the voice gives an example: "Your device may be jailbroken." You ask why this gets in the way of paying with your card backed by your connection to BigPhoneOSCorp.
The voice says: "I cannot disclose that information"
You drive away.
The person behind you never gets their food; the voice thinks it is still in a conversation with you until they pay... for your food.
The window won't switch food until the next driver rolls in.
They can't get their food until they pay for the previous person's food.
They never scripted this edge case.
For the next three years this location continues to serve food offset by one customer.
Why are you doing things on my device that require that level of scrutiny?
"Apple/Google pay!"
Then just disable that feature and let me use the card you're storing deets of on your server.
No one cares if a rootkit manages to order 100 mcnuggets on my behalf. They can mcshove it.
If Tesla (the organisation) ceased to exist, how much functionality in a Tesla (the car) would cease to work?
Would it still be driveable, able to charge etc.?
Is the same true of other modern cars?
The exciting news about the R21 malaria vaccine makes me want to point out that malaria is endemic in parts of the world. And it kills about half a million people every year.
You know what's coming.
Say it with me.
All together now:
Endemic does not mean benign.
This one weird trick saved countless hours and stress
https://www.theregister.com/2024/07/25/crowdstrike_remediation_with_barcode_scanner/
This one weird trick saved countless hours and stress – no, really (Simon Sharwood, The Register)