hedgehog
@hedgehog@ttrpg.network
- Comment on Social nuke 1 week ago:
It was already known before the whistleblower that:
- Siri inputs (all STT at that time, really) were processed off device
- Siri had false activations
The “sinister” thing that we learned was that Apple was reviewing those activations to see if they were false, with the stated intent (as confirmed by the whistleblower) of using them to reduce false activations.
There are also black box methods to verify that data isn’t being sent and that particular hardware (like the microphone) isn’t being used, and there are people who look for vulnerabilities as a hobby. If the microphones on the most/second most popular phone brand (iPhone, Samsung) were secretly recording all the time, evidence of that would be easy to find and would be a huge scoop - why haven’t we heard about it yet?
Snowden and Wikileaks dumped a huge amount of info about governments spying, but nothing in there involved always on microphones in our cell phones.
To be fair, an individual phone is a single compromise away from actually listening to you, so it still makes sense to avoid having sensitive conversations within earshot of a wirelessly connected microphone. But generally that’s not the concern most people should have.
Advertising tracking is much more sinister and complicated and harder to wrap your head around than “my phone is listening to me” and as a result makes for a much less glamorous story, but there are dozens, if not hundreds or thousands, of stories out there about how invasive advertising companies’ methods are, about how they know too much, etc… Think about what LLMs do with text. The level of prediction that they can do. That’s what ML algorithms can do with your behavior.
If you’re misattributing what advertisers know about you to the phone listening and reporting back, then you’re not paying attention to what they’re actually doing.
So yes - be vigilant. Just be vigilant about the right thing.
- Comment on Social nuke 1 week ago:
proven by a whistleblower from apple
Assuming you have an iPhone. And even then, the whistleblower you’re referencing was part of a team who reviewed utterances by users with the “Hey Siri” wake word feature enabled. If you had Siri disabled entirely or had the wake word feature disabled, you weren’t impacted at all.
This may have been limited to impacting only users who also had some option like “Improve Siri and Dictation” enabled, but it’s not clear. Today, the Privacy Policy explicitly says that Apple can have employees review your interactions with Siri and Dictation (my understanding is the reason for the settlement is that they were not explicit that human review was occurring). I strongly recommend disabling that setting, particularly if you have a wake word enabled.
If you have wake words enabled on your phone or device, your phone has to listen to be able to react to them. At that point, of course the phone is listening. Whether it’s sending the info back somewhere is a different story, and there isn’t any evidence that I’m aware of that any major phone company does this.
- Comment on It's easier to inform language with language than with experience. 1 week ago:
Sure - Wikipedia says it better than I could hope to:
As English-linguist Larry Andrews describes it, descriptive grammar is the linguistic approach which studies what a language is like, as opposed to prescriptive, which declares what a language should be like.[11]: 25 In other words, descriptive grammarians focus analysis on how all kinds of people in all sorts of environments, usually in more casual, everyday settings, communicate, whereas prescriptive grammarians focus on the grammatical rules and structures predetermined by linguistic registers and figures of power. An example that Andrews uses in his book is fewer than vs less than.[11]: 26 A descriptive grammarian would state that both statements are equally valid, as long as the meaning behind the statement can be understood. A prescriptive grammarian would analyze the rules and conventions behind both statements to determine which statement is correct or otherwise preferable. Andrews also believes that, although most linguists would be descriptive grammarians, most public school teachers tend to be prescriptive.[11]: 26
- Comment on It's easier to inform language with language than with experience. 1 week ago:
You might be interested in reading up on the debate of “Prescriptive vs Descriptive” approaches in a linguistics context.
- Comment on What do I actually need? 2 weeks ago:
You can run a NAS with any Linux distro - your limiting factor is having enough drive storage. You might want to consider something that’s great at using virtual machines (e.g., Proxmox) if you don’t like Docker, but I have almost everything I want running in Docker and haven’t needed to spin up a single virtual machine.
- Comment on How do I securely host Jellyfin? (Part 2) 1 month ago:
Wow, there isn’t a single solution in here with the obvious answer?
You’ll need a domain name. It doesn’t need to be paid - you can use DuckDNS. Note that whoever hosts your DNS needs to support dynamic DNS. I use Cloudflare for this for free (not their other services) even though I bought my domains from Namecheap.
Then, you can either set up Let’s Encrypt on device and have it generate certs in a location Jellyfin knows about (not sure what this entails exactly, as I don’t use this approach) or you can do what I do:
- Set up a reverse proxy - I use Traefik but there are a few other solid options - and configure it to use Let’s Encrypt and your domain name.
- Your reverse proxy should have ports 443 and 80 exposed, but should upgrade http requests to https.
- Add Jellyfin as a service and route in your reverse proxy’s config.
On your router, forward port 443 to the outbound secure port from your Pi (which for simplicity’s sake should also be port 443). You likely also need to forward port 80 in order to verify Let’s Encrypt.
If you want to use Jellyfin while on your network and your router doesn’t support NAT loopback requests, then you can use the server’s IP address and expose Jellyfin’s HTTP ports (e.g., 8080) - just make sure to not forward those ports from the router. You’ll have local unencrypted transfers if you do this, though.
Make sure you have secure passwords in Jellyfin. Note that you are vulnerable to a Jellyfin or Traefik vulnerability if one is found, so make sure to keep your software updated.
If you use Docker, I can share some config info with you on how to set this all up with Traefik, Jellyfin, and a dynamic DNS service, all as docker-compose services.
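Added example, not hedgehog's own configuration (the comment does not include one): a docker-compose sketch of the reverse-proxy steps above, with Traefik terminating TLS via Let's Encrypt, redirecting HTTP to HTTPS, and routing to Jellyfin. The hostname `jellyfin.example.com`, the e-mail address, the resolver name `le` and the host paths are placeholders, and it assumes DNS for the hostname already points at your router's public IP.

```yaml
# Added example: placeholders throughout, adjust before use.
services:
  traefik:
    image: traefik:v3.1
    restart: unless-stopped
    command:
      # Discover containers via Docker, but route only those that opt in.
      - --providers.docker=true
      - --providers.docker.exposedbydefault=false
      # Port 80 exists only for the ACME HTTP challenge and the redirect.
      - --entrypoints.web.address=:80
      - --entrypoints.web.http.redirections.entrypoint.to=websecure
      - --entrypoints.web.http.redirections.entrypoint.scheme=https
      - --entrypoints.websecure.address=:443
      # Let's Encrypt via HTTP-01; this is why port 80 must be forwarded too.
      - --certificatesresolvers.le.acme.email=admin@example.com
      - --certificatesresolvers.le.acme.storage=/letsencrypt/acme.json
      - --certificatesresolvers.le.acme.httpchallenge.entrypoint=web
    ports:
      - "80:80"
      - "443:443"
    volumes:
      # Read-only socket mount; access to the Docker socket is still
      # highly privileged, so keep Traefik itself patched.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      # Persist issued certificates across restarts.
      - ./letsencrypt:/letsencrypt

  jellyfin:
    image: jellyfin/jellyfin
    restart: unless-stopped
    # No "ports:" section: Jellyfin's HTTP port is reachable only by
    # Traefik on the compose network, never directly from the host or WAN.
    volumes:
      - ./jellyfin/config:/config
      - ./media:/media:ro
    labels:
      - traefik.enable=true
      - traefik.http.routers.jellyfin.rule=Host(`jellyfin.example.com`)
      - traefik.http.routers.jellyfin.entrypoints=websecure
      - traefik.http.routers.jellyfin.tls.certresolver=le
      # 8096 is Jellyfin's default HTTP port inside the container.
      - traefik.http.services.jellyfin.loadbalancer.server.port=8096
```

On the router, only 80 and 443 are forwarded to the Docker host; nothing else in this file is reachable from outside.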
- Comment on YSK famous youtuber "math sorcerer" is selling ai generated books 1 month ago:
Why should we know this?
Not watching that video for a number of reasons, namely that ten seconds in they hadn’t said anything of substance, their first claim was incorrect (Amazon does not prohibit use of gen ai in books, nor do they require its use be disclosed to the public, no matter how much you might wish it did), and there was nothing in the description of substance, which in instances like this generally means the video will largely be devoid of substance.
What books is the Math Sorcerer selling? Are they the ones on Amazon linked from their page? Are they selling all of those or just promoting most of them?
Why do we think they were generated with AI?
When you say “generated with AI,” what do you mean?
- Generated entirely with AI, without even editing? Then why do they have so many 5 star reviews?
- Generated with AI and then heavily edited?
- Written partly by hand with some pieces written by unedited GenAI?
- Written partly by hand with some pieces written by edited GenAI?
- AI was used for ideation?
- AI was used during editing? E.g., Grammarly?
- GenAI was used during editing? E.g., “ChatGPT, review this chapter and give me any feedback. If sections need rewritten go ahead and take a first pass.”
- AI might have been used, but we don’t know for sure, and the issue is that some passages just “read like AI?”
And what’s the result? Are the books misleading in some way? That’s the most legitimate actual concern I can think of (I’m sure the people screaming that AI isn’t fair use would disagree, but if that’s the concern, settle it in court).
- Comment on Consumer GPUs to run LLMs 2 months ago:
Look up “LLM quantization.” The idea is that each parameter is a number; by default they use 16 bits of precision, but if you scale them into smaller sizes, you use less space and have less precision, but you still have the same parameters. There’s not much quality loss going from 16 bits to 8, but it gets more noticeable as you get lower and lower. (That said, there are ternary bit models being trained from scratch that use 1.58 bits per parameter and are allegedly just as good as fp16 models of the same parameter count.)
If you’re using a 4-bit quantization, then you need about half that number in VRAM. Q4_K_M is better than Q4, but also a bit larger. Ollama generally defaults to Q4_K_M. If you can handle a higher quantization, Q6_K is generally best. If you can’t quite fit it, Q5_K_M is generally better than any other option, followed by Q5_K_S.
For example, Llama3.3 70B, which has 70.6 billion parameters, has the following sizes for some of its quantizations:
- q4_K_M (the default): 43 GB
- fp16: 141 GB
- q8: 75 GB
- q6_K: 58 GB
- q5_k_m: 50 GB
- q4: 40 GB
- q3_K_M: 34 GB
- q2_K: 26 GB
This is why I run a lot of Q4_K_M 70B models on two 3090s.
Generally speaking, there’s not a perceptible quality drop going to Q6_K from 8 bit quantization (though I have heard this is less true with MoE models). Below Q6, there’s a bit of a drop between it and 5 and then 4, but the model’s still decent. Below 4-bit quantizations you can generally get better results from a smaller parameter model at a higher quantization.
TheBloke on Huggingface has a lot of GGUF quantization repos, and most, if not all of them, have a blurb about the different quantization types and which are recommended. When Ollama.com doesn’t have a model I want, I’m generally able to find one there.
- Comment on It is deeply bad that a moderator can remove any post or reply. 2 months ago:
You said, and I quote “Find a better way.” I don’t agree with your premise - this is the better way - but I gave you a straightforward, reasonable way to achieve something important to you… and now you’re saying that “This is a discussion of principle.”
You’ve just proven that it doesn’t take a moderator to turn a conversation into a bad joke - you can do it on your own.
- Comment on It is deeply bad that a moderator can remove any post or reply. 2 months ago:
It’s a discussion of principle.
This is a foreign concept?
It appears to be a foreign concept for you.
I don’t believe that it’s a fundamentally bad thing to converse in moderated spaces; you do. You say “giving somebody the power to arbitrarily censor and modify our conversation is a fundamentally bad thing” like it’s a fact, indicating you believe this, but you’ve been given the tools to avoid giving others the power to moderate your conversation and you have chosen not to use them. This means that you are saying “I have chosen to do a thing that I believe is fundamentally bad.” Why would anyone trust such a person?
For that matter, is this even a discussion? People clearly don’t agree with you and you haven’t explained your reasoning. If a moderator’s actions are logged and visible to users, and users have the choice of engaging under the purview of a moderator or moving elsewhere, what’s the problem?
It is deeply bad that…
Why?
Yes, I know, trolls, etc…
In other words, “let me ignore valid arguments for why moderation is needed.”
But such action turns any conversation into a bad joke.
It doesn’t.
And anybody who trusts a moderator is a fool.
In places where moderators’ actions are unlogged and they’re not accountable to the community, sure - and that’s true on mainstream social media. Here, moderators are performing a service for the benefit of the community.
Have you never heard the phrase “Trust, but verify?”
Find a better way.
This is the better way.
- Comment on It is deeply bad that a moderator can remove any post or reply. 2 months ago:
Then why are you doing that, and why aren’t you at least hosting your own instance?
- Comment on It is deeply bad that a moderator can remove any post or reply. 2 months ago:
Yes, I know, trolls etc. But such action turns any conversation into a bad joke. And anybody who trusts a moderator is a fool.
Not just trolls - there’s much worse content out there, some of which can get you sent to jail in most (all?) jurisdictions.
And even ignoring that, many users like their communities to remain focused on a given topic. Moderation allows this to happen without requiring a vetting process prior to posting. Maybe you don’t want that, but most users do.
Find a better way.
Here’s an option: you can code a fork or client that automatically parses the modlog, finds comments and posts that have been removed, and makes them visible in your feed. You could even implement the ability to reply by hosting replies on a different instance or community.
For you and anyone who uses your fork, it’ll be as though they were never removed.
Do you have issues with the above approach?
- Comment on It is deeply bad that a moderator can remove any post or reply. 2 months ago:
As a user, you can:
- Review instance and community rules prior to participating
- Review the moderator logs to confirm that moderation activities have been in line with the rules
- If you notice a discrepancy, e.g., over-moderation, you can hold the mods accountable and draw attention to it or simply choose not to engage in that instance or community
- Host your own instance
- Create communities in an existing instance or your own instance
If you host your own instance and communities within that instance, then at that point, you have full control, right? Other instances can de-federate from yours.
- Comment on Consumer GPUs to run LLMs 2 months ago:
I recommend a used 3090, as that has 24 GB of VRAM and generally can be found for $800ish or less (at least when I last checked, in February). It’s much cheaper than a 4090 and while admittedly more expensive than the inexpensive 24GB Nvidia Tesla card (the P40?) it also has much better performance and CUDA support.
I have dual 3090s so my performance won’t translate directly to what a single GPU would get, but it’s pretty easy to find stats on 3090 performance.
- Comment on Trouble keeping a top-heavy TPE part on the bed 2 months ago:
To be clear, I’m measuring the relative humidity of the air in the drybox at room temp (72 degrees Fahrenheit / 22 degrees Celsius), not of the filament directly. You can use a hygrometer to do this. I mostly use the hygrometer that comes bundled with my dryboxes (I use the PolyDryer and have several extra PolyDryer Boxes, but there are much cheaper options available) but you can buy a hygrometer for a few bucks or get a bluetooth / wifi / connected one for $15-$20 or so.
If you put filament into a sealed box, it’ll generally - depending on the material - end up in equilibrium with the air. So the measurement you get right away will just show the humidity of the room, but if the filament and desiccant are both dry, it’ll drop; if the desiccant is dry and the filament is wet, it’ll still drop, but not as low.
Note also that what counts as “wet” varies by material. For example, from what I’ve read, PLA can absorb up to 1% or so of its mass as moisture, PETG up to 0.2%, Nylon up to 7-8%… silica gel desiccant beads up to 40%. So when I say they’ll be in equilibrium, I’m referring to the percentage of what that material is capable of absorbing. It isn’t a linear relationship as far as I know, but if it were, that would mean that: if the humidity of the air is 10% and the max moisture the material could retain is 1%, then the material is currently retaining 0.1% moisture by mass. If my room’s humidity is kept at 40%, it’ll absorb moisture until it’s at 0.4% moisture by mass.
That said, this doesn’t measure it perfectly, since while most filament materials absorb moisture from the air when the humidity is higher, they don’t release it as easily. Heating it both allows the air to hold more moisture and allows the filament (and desiccant) to release more moisture.
- Comment on Potpie : Open source prompt-to-agent for your codebase. 2 months ago:
The above post says it has support for Ollama, so I don’t think this is the case… but the instructions in the Readme do make it seem like it’s dependent on OpenAI.
- Comment on Trouble keeping a top-heavy TPE part on the bed 2 months ago:
What have you done to clean the bed? From the link to the textured sheet, you should be cleaning it between every print - after it cools - with 90% IPA, and if you still have adhesion issues, you should clean it with warm water and a couple drops of dish soap.
Has the TPU been dried? I don’t normally print with TPU but my understanding is that it needs to be lower humidity than PLA; I use dryboxes for PLA and target a humidity of 15% or lower and don’t use them if they rise above 20%. The recommendation I saw for TPU was to dry it for 7 hours at 70 degrees Celsius, to target 10% humidity (or at least under 20%) and to print directly from a drybox. Note that compared to other filaments, TPU can’t recover as well from having absorbed moisture - if the filament has gotten too wet, it’ll become too brittle if you dry it out as much as is needed. At that point you would need to start with a fresh roll, which would ideally go into a dryer and then drybox immediately.
You should be able to set different settings for the initial layer to avoid stringing, i.e., slower speeds and longer retraction distance. It’s a bit more complicated but you can also configure the speed for a specific range of layers to be slower - i.e., setting it to slow down again once you get to the top of the print. For an example of that, see …prusa3d.com/…/bed-flinger-slower-y-movement-as-f…
What’s the max speed you’re printing at? My understanding is that everything other than travel should all be the same speed at a given layer, and no higher than 25 mm/s. And with a bed slinger I wouldn’t recommend a much higher travel, either.
In addition to a brim, have you tried adding supports?
- Comment on Do I really need a firewall for my server? 2 months ago:
Are you saying that NAT isn’t effectively a firewall or that a NAT firewall isn’t effectively a firewall?
- Comment on Someone help me understand the sonarr to jellyfin workflow 2 months ago:
Is there a way to use symlinks instead? I’d think it would be possible, even with Docker - it would just require the torrent directory to be mounted read-only in the same location in every Docker container that had symlinks to files on it.
- Comment on Plex is locking remote streaming behind a subscription in April 2 months ago:
Depending on setup this can be true with Jellyfin, too. I have a domain registered, use dynamic DNS, and have Traefik direct a subdomain to my Jellyfin server. My mobile clients are configured using that. My local clients use the local static IP.
If my internet goes down, my mobile clients can’t connect, even on the LAN.
- Comment on Getting Nicole-ed feels way more awesome than how getting scammer spam usually feels. 2 months ago:
Apparently there’s a vulnerability with sending messages with images in them and “she” might be logging people’s IP addresses through that.
If the images are hosted on your instance, this wouldn’t be relevant. If they’re links to an image hosted somewhere, this is possible, but there’d be a lot of noise and not much value. To link accounts to IPs the URLs would themselves need to be different.
I checked the urls to the images in my PMs and they’re all hosted on Lemmy.
- Comment on [deleted] 2 months ago:
Under notes, where you said my name, did you mean “Hedgedoc?”
- Comment on Docker Hub limiting unauthenticated users to 10 pulls per hour 3 months ago:
local docker hub proxy
Do you mean a Docker container registry? If so, here are a couple options:
- Use the official Docker registry: www.docker.com/…/how-to-use-your-own-registry-2/
- Self-host forgejo or gitea and use the included package registry, which is automatically enabled. Details: forgejo.org/docs/latest/user/packages/
- Comment on [deleted] 3 months ago:
You cannot encrypt email End to End.
Incorrect.
…mozilla.org/…/introduction-to-e2e-encryption
It has to be stored in plaintext somewhere.
- It doesn’t.
- Even if it did, that wouldn’t mean it wasn’t E2EE.
Yahoo does not offer encrypted email.
It doesn’t need to. support.mozilla.org/…/thunderbird-and-yahoo
- Comment on Microsoft Bing is trying to spoof Google UI when people search Google.com 4 months ago:
You can control that with a setting. In Settings - Privacy, turn on “Query in the page’s title.”
My instance has a magnifying glass as the favicon.
- Comment on In 2025, People Will Try Living in This Underwater Habitat 4 months ago:
Giant squids are the bears of the ocean
- Comment on [deleted] 4 months ago:
There’s no need to bond with your own child?
- Comment on Selfhosted alternative to Spotify 7 months ago:
Do you only experience the 5-10 second buffering issue on mobile? If not, then you might be able to fix the issue by tuning your NextCloud instance - upping the memory limit, disabling debug mode and dropping log level back to warn if you ever changed it, enabling memory caching, etc…
Check out docs.nextcloud.com/server/…/server_tuning.html and docs.nextcloud.com/…/php_configuration.html#ini-v… for docs on the above.
- Comment on Concerns Raised Over Bitwarden Moving Further Away From Open-Source 7 months ago:
Your Passkeys have to be stored in something, but you don’t have to store them all in the same thing.
If you store them with Microsoft’s Windows Hello, Apple Keychain, or Google Password Manager, all of which are closed source, then you have to trust MS/Apple/Google. However, Keychain is end to end encrypted (according to Apple) and Windows Hello is currently not synced to the cloud, so if you trust those claims, you don’t need to trust that they won’t misuse your data. I don’t know if Google’s offering is end to end encrypted, but I wouldn’t trust it either way.
You can also store Passkeys in a password manager. Bitwarden is open source (though they did recently introduce a proprietary, source available SDK), as is KeepassXC. 1Password isn’t open source but can store Passkeys as well.
And finally, you can store Passkeys in a compatible security key, like the YubiKey 5 series keys, which can each store 100 Passkeys. This makes them basically immune to being stolen. Note that if your primary interest in Passkeys is in the phishing resistance (basically nearly perfect immunity to MitM attacks) then you can get that same benefit by using WebAuthn as a second factor. However, my experience has been that Passkey support is broader.
Revoking keys involves logging into the particular service and revoking them, just like changing your password. There isn’t a centralized way to do it as far as I’m aware. Each Passkey is only used for a single service, after all. However, in the same way that some password managers will offer to automatically change your passwords, they might develop something similar for passkeys.
- Comment on Concerns Raised Over Bitwarden Moving Further Away From Open-Source 7 months ago:
Do any of the iOS or Android apps support passkeys? I looked into this a couple days ago and didn’t find any that did. (KeePassXC does.)