hedgehog
@hedgehog@ttrpg.network
- Comment on Problems with creating my own instance 2 days ago:
If you use that docker compose file, I recommend you comment out the build section and uncomment the image section in the lemmy service. I also recommend you use a reverse proxy and Docker networks rather than exposing the postgres instance on port 5433, but if you aren’t familiar with Docker networks you can leave it as is for now. If you’re running locally and don’t open that port in your router’s firewall, it’s a non-issue unless there’s an attacker on your LAN, but given that you’re not gaining anything from exposing it (unless you need to connect to the DB directly regularly - as a one-off you could temporarily add the port mapping), it doesn’t make sense to increase your attack surface for no benefit.
- Comment on When did the show "Suits" suddenly get popular? 6 days ago:
It first showed up on Netflix in mid-2023, in the middle of the writer’s guild strike (meaning there was a dearth of new content). So basically the Netflix effect. It had been on other streaming platforms before - Prime Video and Hulu - but Netflix is still a juggernaut compared to them - it has 5 times as many subscribers as Hulu, for example, and many of the subscribers to Prime Video are incidental and don’t stream as much on average as Netflix users.
I assume Netflix funded off-platform advertising, but the on-platform advertising has a big effect, too. And given that Suits broke a record in the first week it was on Netflix and they have a spinoff coming, it makes sense that they would keep advertising.
- Comment on I used an original iPod in 2024, and it was pretty fun 1 week ago:
They don’t call them “mp3 players” anymore - that may be why you can’t find what you need. Look for a “DAP” instead - digital audio player - and you’ll probably have more luck.
For example, the Fiio M7 is $200 and is pretty full-featured. I have the M6 and I think I paid around $100, but I don’t think it’s being sold anymore.
- Comment on Kagi silently removed all references to Google's index from their website 1 week ago:
there is not a ‘Searx Index’ which is what this is about.
There’s YaCy, which includes a search index (which can be independent or can join a P2P network of indexes), web crawler, and web ui for searching. It can also be added as a SearXNG engine.
- Comment on Kagi silently removed all references to Google's index from their website 1 week ago:
You can use YaCy, which can be run as an independent self-hosted index (in “Local” mode), where it will index sites visited as part of web crawls that you initiate, or you can run it as part of a decentralized peer-to-peer network of indexes.
YaCy has its own search UI but you can also set up SearXNG to use it.
- Comment on How do passkeys work across devices? 1 week ago:
I can’t speak to Android as a whole, but here’s how often Samsung Face Unlock will require you to re-auth with your phone’s passcode:
- after 4 hours of not using the phone
- after restarting
- at least once every 24 hours
iPhones do something similar, but it’s after 48 hours of non-use (instead of 4) and at least weekly instead of daily. Having to enter your password daily should help most people keep it memorized pretty well, but weekly - maybe not. So you definitely have a good point there.
One thing that can make it easier to remember - and just as secure - is to use a longer pass phrase instead of random characters.
If you’re using the diceware approach (“correct horse battery staple”), then 5 words has 32 times / 5 bits more entropy than a 10 character mixed-case alphanumeric password (64 vs 59 bits of entropy) (4 word passphrases aren’t random enough to be recommended - they have fewer bits of entropy (51) than even 9 character mixed-case alphanumeric passwords (53), though notably 10 same-case alphanumeric characters also have only 51 bits of entropy).
The EFF has a word list that’s been improved for usability. They also have a short list, comprised of words with at most 5 characters each, where you roll 4 dice instead of 5. With 6 words from that list you get 62 bits of entropy, which is good enough to be able to recommend.
- Comment on How do passkeys work across devices? 1 week ago:
Unless you’re using a random 10+ alphanumeric passcode and are fine entering it every time you log into your phone, with a short auto-lock period, you’re much better off enabling biometrics (assuming it’s implemented competently) in combination with a longer passcode and understanding how to disable it when appropriate.
I recently replied with this comment to a Gizmodo article recommending the same thing you did for similar reasons, if you’d like to better understand my rationale: ttrpg.network/comment/6620188
- Comment on No, you don't need a 'very bespoke AOSP' to turn your phone into a Rabbit R1 — here's proof 1 week ago:
I haven’t used it and only heard about it while writing this post, but Open WebUI looks really promising. I’m going to check it out the next time I mess with my home server’s AI apps. If you want more options, read on.
Disclaimer: I’ve looked into most of the options below enough to feel comfortable recommending them, but I’ve only personally self hosted the Automatic 1111 webui, the Oobabooga webui, and Kobold.cpp.
If you want just an LLM and an image generator, then:
For the image generator, something that leverages Stable Diffusion models:
And then find models that you like at Civitai.
For the LLM, the best option depends on your hardware. Not knowing anything about your hardware, I recommend a llama.cpp based solution. Check out one of these:
Alternatively, VLLM is allegedly the fastest for multi-user CPU-based inference, though as far as I can tell it doesn’t have its own webui (but it does expose OpenAI compatible API endpoints).
And then find a model you like at Huggingface. I recommend finding a model quantized by TheBloke.
There are a couple communities not on Lemmy that discuss local LLMs - r/LocalLLaMA and r/LocalLLM for example - so if you’re trying to figure out which model to try, that’s a good place to check.
If you want a multimodal AI, you can use llama.cpp with a model like LLAVA. The options below also have multimodal support.
If you want an AI assistant with expanded capabilities - like searching your documents or the web (RAG), etc. - then I don’t have a ton of experience there, but these seem to do that job:
- H2OGPT
- Open WebUI, formerly Ollama Webui
If you want to use your local model as more than just a chat bot - integrating it into your IDE or a browser extension - then there are options there, and as far as I know every LLM above can be configured to expose an API allowing it to be used by your other tools. Some, like Open WebUI, expose OpenAI compatible APIs and so can be used with tools built to be used with OpenAI. I don’t know of many tools like this, though - I was surprisingly not able to find a browser extension that could use your own API, for example. Here are a couple examples:
- Continue for VS Code / JetBrains IDEs
- "ChatGPT Utilities" for A1111 WebUI - this doesn’t let you set the URL by default, but since it’s open source you could modify it pretty easily
Also, I found this Medium article listed some of the things I described above as well as several others that I’d never heard of.
- Comment on No, you don't need a 'very bespoke AOSP' to turn your phone into a Rabbit R1 — here's proof 1 week ago:
Last I checked (around the time that LLAMA v3 was released), the performance of local models on CPU also was pretty bad for most consumer hardware (Apple Silicon excepted) compared to GPU performance, and the consumer GPU RAM situation is even worse. At least, when talking about the models that have performance anywhere near that of ChatGPT, which was mostly 70B models with a few exceptional 30B models.
My home server has a 3090, so I can use a self-hosted 4-bit (or 5-bit with reduced context) quantized 30B model. If I added another 3090 I’d be able to use a 4-bit quantized 70B model.
There’s some research that suggests that 1.58 bit (ternary) quantization has a lot of potential, and I think it’ll be critical to getting performant models on phones and laptops. At 1.58 bit per parameter, a 30B model could fit into 6 gigs of RAM, and the quality hit is allegedly negligible.
- Comment on Because of smartphones, pocket TVs were never a thing. 1 week ago:
I had a pocket TV back in 2007 or so. It had an antenna and everything. It was a bit bulky and not at all power efficient, though. IIRC it went through 8 AA batteries in about 3 hours.
I’m not sure why you’d want that over a smartphone or even just a small tablet, though.
Also, we have flying skateboards, they’re just prohibitively expensive or not yet being sold. Look up the ArcaBoard (was $20k back in 2015, doesn’t seem to be sold anymore), the Lexus Hoverboard, and the Flyboard Air. Unfortunately if you try to buy a “hoverboard” you’re just gonna end up with an electric scooter.
- Comment on What should I run and why? 1 week ago:
I haven’t personally used any of these, but looking them over, Tipi looks the most encouraging to me, followed by Yunohost, based largely on the variety of apps available but also because it looks like Tipi lets you customize the configuration much more. Freedom Box doesn’t seem to list the apps in their catalog at all and their site seems basically useless, so I ruled it out on that basis alone.
- Comment on What should I run and why? 1 week ago:
I am trying to avoid having to have an open port 22
If you’re working locally you don’t need an open port.
If you’re on a different machine but on the same network, you don’t need to expose port 22 via your router’s firewall. If you use key-based auth and disable password-based auth then this is even safer.
If you want access remotely, then you still don’t have to expose port 22 as long as you have a vpn set up.
That said, you don’t need to use a terminal to manage your docker containers. I use Portainer to manage all but my core containers - Traefik, Authelia, and Portainer itself - which are all part of a single docker compose file. Portainer stacks accept docker compose files so adding and configuring applications is straightforward.
I’ve configured around 50 apps on my server using Docker Compose with Portainer but have only needed to modify the Dockerfile itself once, and that was because I was trying to do something that the original maintainer didn’t support.
Now, if you’re satisfied with what’s available and with how much you can configure it without using Docker, then it’s fine to avoid it. I’m just trying to say that it’s pretty straightforward if you focus on just understanding the important parts, mainly:
- docker compose
- docker networks
- docker volumes
If you decide to go that route, I recommend TechnoTim’s tutorials on Youtube. I personally found them helpful, at least.
- Comment on Dating app Bumble will no longer require women to make the first move | CNN Business 1 week ago:
It’s not changing the default behavior, so it still has it.
Per the article, they’re introducing a new opt-in feature that a woman, enbie, or person looking for same-gender matches can set up - basically a prompt that their matches can reply to.
I think Bumble also used to prevent you from sending multiple messages before getting a reply, but maybe that was a different app… If they still do that in combination with this feature, then I could see this feature continuing to accomplish their mission of empowering women in online dating.
- Comment on Bitwarden has launched a new authenticator app 2 weeks ago:
Considering a password manager that also stores your second factor to be 2FA, assuming that it requires two factors to authenticate with on its own, is basically the same thing as considering logging into a site via SSO that itself requires two factors to be 2FA.
It’s also the same as considering a hardware security key with a PIN-protected Passkey to be 2FA.
- Comment on Stop Using Your Face or Thumb to Unlock Your Phone 2 weeks ago:
As I said in my first comment, I’m more familiar with iOS, where 6 digit passcodes are the default.
That said, do you genuinely think the average person would use a random 10+ alphanumeric character passcode to unlock their phone after taking the advice of this article and disabling biometric auth?
- Comment on Stop Using Your Face or Thumb to Unlock Your Phone 2 weeks ago:
100%.
If you’re always concerned about sophisticated attackers, then you should also:
- Disable biometrics unlock whenever your device is about to leave your possession or you’re going to sleep
- Protect against shoulder-surfing / surveillance attacks that can capture you entering your password, e.g., by being aware of your surroundings and only entering your password or viewing sensitive information when you‘re certain your screen (and thumb locations) can’t be observed or by obscuring a view of your phone with your shirt or a blanket (like Snowden)
- Take the time to learn more about security in general and in relation to the specific threats that concern you
- Comment on Stop Using Your Face or Thumb to Unlock Your Phone 2 weeks ago:
It calls them “passwords,” but personally I don’t consider a 6 digit number to be a password. And according to this article on GrayKey, 6 digit “passcodes” became the norm back in 2015. I haven’t seen any stats showing that people on average use more secure passcodes now, and making the passcode required more frequently isn’t going to encourage anyone to use one that’s more secure.
The article just says “disable biometrics” which is bad advice for the average person, as it will result in them using a 6 digit passcode. This is a knee-jerk reaction at best, and the resulting advice is devoid of nuance, made by someone who clearly doesn’t understand the threat discussed in the article, and would benefit literally nobody who might feasibly take it.
My advice is echoed by the article above, but it’s based off having an understanding of the problem area and suggesting a solution that doesn’t just address one thing. Anyone giving advice on the topic should consider:
- known threats and reasonably likely unknown threats
- the mitigations to those threats
- how the technology works for both the threats and the mitigations
- the legal landscape in your jurisdiction - for us, the US - both in practice and in theory
- people’s attitudes toward security, namely their willingness to suffer inconveniences for its sake
- how all of the above interact, and how likely someone is to take the advice given in a way that improves their security overall
The author of this article considered none of the above.
- Comment on Stop Using Your Face or Thumb to Unlock Your Phone 2 weeks ago:
Copying an iPhone isn’t as straightforward as you seem to think. Copying data from a locked iPhone requires either an exploit or direct access to the SSD / memory chips on the device (basically, chip-off forensics, which likely requires bypassing the storage controllers), and I assume the same is true for Android devices.
I’m not saying such exploits don’t exist, but local police departments don’t have access to them. And they certainly don’t have the capability to directly access your device’s storage and then reassemble it without your knowledge.
Now, if your device is confiscated for long enough that it could be mailed off to a forensics lab for analysis? Sure, then it’s a possibility. But most likely if they want your data that badly they’ll either hold onto your device, compel you into sharing the info with them, or try to trick you into giving it to them. Hanging onto your data without a warrant for over a decade is a high risk, low reward activity.
Your data’s more vulnerable to this sort of attack in transit.
- Comment on Stop Using Your Face or Thumb to Unlock Your Phone 2 weeks ago:
Terrible article. Even worse advice.
On iOS at least, if you’re concerned about police breaking into your phone, you should be using a high entropy password, not a numeric PIN, and biometric auth is the best way to keep your convenience (and sanity) intact without compromising your security. This is because there is software that can break into a locked phone (even one that has biometrics disabled) by brute forcing the PIN, bypassing the 10 attempts limit if set, as well as not triggering iOS’s brute force protections, like forcing delays between attempts. If your password is sufficiently complex, then you’re more likely to be safe against such an attack.
I suspect the same is true on Android.
Such a search is supposed to require a warrant, but the tool itself doesn’t check for it, so you have to trust the individual LEOs in question to follow the law. And given that any 6 digit PIN can be brute forced in under 11 hours (40 ms per entry), this means that if you were arrested (even for a spurious charge) and held overnight, they could search your phone without you knowing.
With a password that has the same entropy as 10 random digits, assuming no further vulnerabilities allowing them to speed up the process, it could take up to 12 and a half years to brute force it. Make it alphanumeric (and still random) and it’s millions of years - infeasible within our lifetime - it’s basically a question of whether another vulnerability is already known or is discovered that enables bypassing the password entirely / much faster rates of entry.
If you’re in a situation where you expect to interact with law enforcement, then disable biometrics. Practice ahead of time to make sure you know how to do it on your phone.
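As an added example (mine, not the commenter's), the script below reproduces the entropy figures from the passkey comment above (diceware vs. alphanumeric passwords) and the brute-force timings in this comment, assuming every word or character is chosen uniformly at random and the 40 ms/attempt rate quoted here with no other rate limiting.

```python
import math

# Added example, not taken from the original comments: recomputes the entropy
# and exhaustive-search figures quoted in the passkey and phone-unlock threads.
# Assumption: every symbol or word is picked uniformly at random.

# Pool sizes. Diceware list sizes follow from the number of dice rolled per word.
DICEWARE_LONG_LIST = 6 ** 5    # 7776 words, five dice per word (EFF long list)
DICEWARE_SHORT_LIST = 6 ** 4   # 1296 words, four dice per word (EFF short list)
MIXED_CASE_ALNUM = 26 + 26 + 10
SAME_CASE_ALNUM = 26 + 10
DIGITS = 10

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def entropy_bits(pool_size: int, length: int) -> float:
    """Entropy, in bits, of `length` independent uniform picks from a pool of `pool_size`."""
    return length * math.log2(pool_size)


def worst_case_seconds(pool_size: int, length: int, seconds_per_guess: float) -> float:
    """Time to try every candidate at a fixed per-guess cost (worst case;
    the expected time to hit the right one is half of this)."""
    return (pool_size ** length) * seconds_per_guess


def secret_comparison() -> dict:
    """Entropy of the secret types discussed in the passkey thread, floored
    to whole bits the way the comment quotes them."""
    return {
        "diceware 5 words": math.floor(entropy_bits(DICEWARE_LONG_LIST, 5)),
        "diceware 4 words": math.floor(entropy_bits(DICEWARE_LONG_LIST, 4)),
        "short-list 6 words": math.floor(entropy_bits(DICEWARE_SHORT_LIST, 6)),
        "10 mixed-case alnum": math.floor(entropy_bits(MIXED_CASE_ALNUM, 10)),
        "9 mixed-case alnum": math.floor(entropy_bits(MIXED_CASE_ALNUM, 9)),
        "10 same-case alnum": math.floor(entropy_bits(SAME_CASE_ALNUM, 10)),
    }


def pin_bruteforce(seconds_per_guess: float = 0.04) -> dict:
    """Worst-case exhaustive-search time for the phone-unlock cases, at the
    40 ms/attempt rate quoted in the thread and with no further rate limiting."""
    return {
        "6 digits (hours)": worst_case_seconds(DIGITS, 6, seconds_per_guess) / 3600,
        "10 digits (years)": worst_case_seconds(DIGITS, 10, seconds_per_guess) / SECONDS_PER_YEAR,
        "10 mixed-case alnum (years)": worst_case_seconds(MIXED_CASE_ALNUM, 10, seconds_per_guess)
        / SECONDS_PER_YEAR,
    }


if __name__ == "__main__":
    for name, bits in secret_comparison().items():
        print(f"{name:28s} {bits:3d} bits")
    for name, value in pin_bruteforce().items():
        print(f"{name:28s} {value:,.1f}")
```

Changing `seconds_per_guess` shows how much a faster entry rate (or a vulnerability that removes the per-attempt delay) shrinks the digits-only figures while the random alphanumeric case stays far out of reach.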
- Comment on Forgejo v7.0 is now available 3 weeks ago:
I’m not addressing anything Gitea has specifically done here (I’m not informed enough on the topic to have an educated opinion yet), but just this specific part of your comment:
And they also demand a CLA from contributors now, which is directly against the idea of FOSS.
Proprietary software is antithetical to FOSS, but CLAs themselves are not, and were endorsed by RMS as far back as 2002:
In contrast, I think it is acceptable to … release under the GPL, but sell alternative licenses permitting proprietary extensions to their code. My understanding is that all the code they release is available as free software, which means they do not develop any proprietary software; that’s why their practice is acceptable. The FSF will never do that - we believe our terms should be the same for everyone, and we want to use the GPL to give others an incentive to develop additional free software. But what they do is much better than developing proprietary software.
If contributors allow an entity to relicense their contributions, that enables the entity to write proprietary software that includes those contributions. One way to ensure they have that freedom is to require contributors to sign a CLA that allows relicensing, so clearly CLAs can enable behavior antithetical to FOSS… but they can also enable FOSS development by generating another revenue stream. And many CLAs don’t allow relicensing (e.g., Apache’s).
Many FOSS companies require contributors to sign CLAs. For example, the FSF has required them since 2005 at least, and its CLA allows relicensing. They explain why, but that explanation doesn’t touch on why license reassignment is necessary.
Even if a repo requires contributors sign a CLA, nobody’s four freedoms are violated, and nobody who modifies such software is forced to sign a CLA when they share their changes with the community - they can share their changes on their own repo, or submit them to a fork that doesn’t require a CLA, or only share the code with users who purchase the software from them. All they have to do is adhere to the license that the project was under.
The big issue with CLAs is that they’re asymmetrical (as opposed to DCOs, which serve a similar purpose). That’s understandably controversial, but it’s not inherently a FOSS issue.
Some of the same arguments against the SSPL (which is not considered FOSS because it is so copyleft that it’s impractical) being considered FOSS could be similarly made in favor of CLAs. Not in favor of signing them as a developer, mind you, but in favor of considering projects that use them to be aligned with FOSS principles.
- Comment on why did the eclipse not darken proportionally? 5 weeks ago:
I don’t believe that we perceive luminance in a linear fashion, but the systems of measurement aren’t straightforward coming at it as a layperson.
With sound, a 10 dB increase is 10 times more intense, but it doesn’t sound 10 times louder to the human ear - it sounds (roughly) twice as loud. So if something was 6 dB quieter (1/4th as energetic), it would sound maybe 2/3rds as loud.
The next things to ask are:
- does an obstruction of 80% of the sun result in reducing the light we receive to 20% of what we’d otherwise receive?
- how does a change in light energy affect our perception of brightness?
- Comment on Bullying in Open Source Software Is a Massive Security Vulnerability 5 weeks ago:
What additional capabilities does that give the app beyond using Firefox or Chrome to install it as a PWA?
- Comment on We should name the moon. Most people don't call their pets "dog" or "cat". 1 month ago:
When I meet a dog whose name I don’t know, I often address him or her as “Dog.” Similarly, if I meet a cat whose name I don’t know, I often address him or her as “Cat.” It’s only polite. It’s a generic but polite form of address, like “Ma’am” or “Sir.”
The same goes with a moon. I call it “Moon” because we aren’t yet on a first name basis.
Tell me, OP - what makes you think that you should be on a first name basis with the moon?
- Comment on New Discord TOS binds you to forced arbitration - Opt-Out Now 1 month ago:
For anyone who didn’t click into the original post and whose client didn’t include its text, here are the instructions for opting out:
Opt-out. You can decline this agreement to arbitrate by emailing an opt-out notice to arbitration-opt-out@discord.com within 30 days of April 15, 2024 or when you first register your Discord account, whichever is later; otherwise, you shall be bound to arbitrate disputes in accordance with the terms of these paragraphs. If you opt out of these arbitration provisions, Discord also will not be bound by them.
Note that the forced arbitration clause applies only to Discord users in the US. The class action waiver appears to apply regardless.
This is also not a new addition to their TOS, but it does appear to require opting out again even if you already did, and to grant an additional opt out opportunity if you didn’t.
- Comment on Using AI to spot edible mushrooms could kill you | AI tools are good for some things, but don’t trust your health to apps that make frequent mistakes 1 month ago:
This comment reads like it was written by someone who has never designed a mushroom identification app.
- Comment on Using AI to spot edible mushrooms could kill you | AI tools are good for some things, but don’t trust your health to apps that make frequent mistakes 1 month ago:
Many edible mushrooms have poisonous look-alikes, so your approach would be likely to misidentify those poisonous look-alikes - a potentially deadly mistake.
For example - from gardeningknowhow.com/…/types-of-edible-mushrooms-…
Poisonous Morel Mushroom Look-alikes:
- A common fungus, the false morel is almost the spitting image of its edible cousin except it is not hollow inside and contains cottony material.
- Big red is similar except it has reddish tones and the cap is more brain-like.
- Wrinkled thimble cap truly looks like a morel except its wrinkled cap hangs over the stem.
- Bell morel is smaller and the cap, although similar, is much less textured and it has a cottony interior.
It would be easy to train an ML model to confidently identify any of those as morels if you only trained on morels.
The idea is to train on both so it’s less likely to mistake a poisonous mushroom for an edible one, and to then “hedge” your bet anyway, by always presenting the poisonous look-alikes first.
The most dangerous scenario with this app is also the most useful - a user who has some training in mushroom identification uses the app as a quick way to look up a mushroom they think is a particular edible mushroom, notes that the mushroom they think it is is within the list, then reviews the list of poisonous look-alikes, and then applies their training to rule out those look-alikes. Finally they confirm that they cannot rule out the edible mushroom.
The risks here are that
- the user’s training is lacking and that they ruled out a poisonous mushroom that the app suggested, or
- the app didn’t include the particular poisonous mushroom in the first place and the user was thus unable to consider it.
- Comment on Using AI to spot edible mushrooms could kill you | AI tools are good for some things, but don’t trust your health to apps that make frequent mistakes 1 month ago:
Identifying mushrooms with an ML-based algorithm is a fine idea if you properly design the application to leverage that. As a hedgehog, this is what I would do:
- Train my model on a variety of mushrooms, particularly poisonous ones.
- When testing the model, test as many mushrooms as possible and take note of what’s frequently mis-identified.
- When testing the model, make sure to get a variety of different kinds of lighting.
- In addition to the mis-identifications noted while testing the app, maintain a list of commonly misidentified mushrooms - like the hedgehog mushroom and its counterparts - particularly the ones a forager should be most concerned with (meaning the most poisonous ones).
- When identifying a mushroom to the user, err on the side of calling it a poisonous mushroom. Consider providing a list of possible matches, with the worst case scenario ones up top.
- Include pictures and other information about the mushrooms, as well as regional mushroom lookups for mushrooms that weren’t included.
- Don’t include text like “99% confident that this is a hedgehog mushroom” when the 99% figure is an output from your ML model. I know we said earlier to make sure to do a ton of testing and I’m sure you think you did, but you didn’t do enough to be able to say that. At best, reduce your certainty by 25%, then divide that number between the identified mushroom and the lookalikes, making sure to give extra weight to the most poisonous ones. So that 99% certainty becomes at most a more realistic 38% chance that it’s the poisonous lookalike and 37% chance that it’s whatever was identified in the first place.
You might say that this app would be useless for determining if a mushroom is safe to eat, and I agree, but it’s also a better approach than any of the existing apps out there. If you need to use an app to determine if a wild mushroom is safe to eat then the answer is simple: it isn’t. C’mon, I’m a hedgehog and even I know that.
- Comment on USB hubs, printers, Java, and more seemingly broken by macOS 14.4 update 1 month ago:
100%. I got the Brother HL-2370DW and it served me well, but it’s a black-and-white laser printer and sometimes I needed to print in color. I got fed up dealing with inkjet printers so I got the Brother HL-3270CDW. It’s great at printing off props and visual aids for my weekly tabletop game and so on.
It’s not technically “perfect” - sometimes a Mac will fail to print to them wirelessly and say they printed fine (and that seems to be an issue on the Mac side) and I think we average maybe one paper jam per year - but it’s as close to perfect as I’ve ever gotten with a printer.
- Comment on The DMA already having an impact. Brave Browser installs surge after introduction of browser choice splash screen on iOS. 1 month ago:
Are you saying you don’t like Firefox because they don’t like propaganda?
- Comment on The Terrible Costs of a Phone-Based Childhood 1 month ago:
We don’t just consider things as true just in case they might be true
That’s literally what you did in your previous comment when you said that ADHD isn’t environmental. You made a statement of fact about something unproven. By your own logic, your approach is unscientific.
You could say “We haven’t proven that ADHD is influenced by environmental factors,” that research is ongoing to determine the effect of environmental factors, or point out that much of the evidence suggesting environmental factors could simply be correlation - or in some cases that the causal factor is reversed, i.e., that the cause of the environmental factor is the parent/child having ADHD rather than the other way around. But simply saying that ADHD is only genetic is, to be succinct, wrong.