moonpiedumplings
@moonpiedumplings@programming.dev
- Comment on How much do you secure a home server that's only accessible with VPN? 1 day ago:
Yes, I do lock it down. It’s still worth securing it because internal servers" can still get exposed and touched, even though there are less paths to them, and it’s not as punishing to slip up vs a public server. For example, One of the wireguard client devices downloads a virus, and now you have a cyberattacker with access.
Another problem is supply chain issues. If the distributor of a docker container is hacked, it’s not that bad… as long as your kernel is up to date and is protected against some of the recent vulns, that would enable someone to break out of a docker container
Blajah.zone’s lemmy instance was hacked partially becuase internal servers
pen.blahaj.zone/supakaity/weve-been-hacked
I had not patched these internal servers that nobody should have access to against this. Rebooting DB servers causes downtime, and in my hubris – I thought nobody should (nay COULD) be on my servers except me, right?
I have a comment on that post with some potential solutions, that would have cut off attack paths.
Though, I guess, it still does depend. Like if it’s just gonna you wireguarding in and no one else, then the data on your devices is probably worth more than the data on the server, so no, it wouldn’t be worth spending too much effort to secure less valuable data.
But if you are handing out internal access to people, including to some relative who keeps falling for scammers, then yeah, I’d take some time to harden the systems.
- Comment on NutriTrace v1.0.0-rc.53 released: statistics reorder + hide, bulk delete on Foods/Meals/Recipes, OFF serving sizes 1 day ago:
programming.dev/comment/24515044
Same problem is present here. Uses JWT’s for auth.
- Comment on Example Flux Kubernetes Setups 4 days ago:
I don’t use a UI.
I don’t use flux’s kustomize (there is also kustomize by kubernetes.
I use flux for installing helm charts, mostly.
Repo: github.com/moonpiedumplings/flux-config
It’s not up right now though. I am currently revamping it, which will also involve reorganizing the repo. I really dislike that I didn’t use (flux’s) kustomize, which is one of the things I would like to fix.
I’m on my phone rn, if I get to this post again from my computer later I will add longer/further thoughts.
- Comment on Setting up local Caddy with Porkbun 6 days ago:
Second comment, but if you need/want Caddy we can help that too. It looks like the documentation link in the github page you linked is dead, and the correct one is: caddyserver.com/docs/json/apps/tls/…/acme/
I found that from this page: caddy.community/t/…/8148
- Comment on Setting up local Caddy with Porkbun 6 days ago:
Setup legit Let’s Encrypt as wildcard locally to test services at *example.domain.com, then put them into production on mainsite wildcard *.domain.com on VPS or similar.
Just to be clear, why wouldn’t simply provisioning a certificate for each subdomain under the wildcard work?
Like, if you have a test site test.example.domain.com, you could have nginx (using acme) create a certificate for that. And then when you move to test.domain.com, nginx would do the same thing.
Now, technically letsencrypt does have a rate limit, but it’s a fairly generous rate limit:
Up to 50 certificates can be issued per registered domain (or IPv4 address, or IPv6 /64 range) every 7 days. This is a global limit, and all new order requests, regardless of which account submits them, count towards this limit. The ability to issue new certificates for the same registered domain refills at a rate of 1 certificate every 202 minutes.
I would do my testing this way, and I didn’t hit any limits, although I was careful to keep certificates and reuse them, and to not spam.
If you need more domains with SSL than that rate limit would provide, then it would make sense to investigate Caddy with porkbun, since DNS-01 challenges are the only way to get wildcard certificates, which apply to a whole wildcard.
- Comment on ArchiveBox or similar for shared archiving of research project 1 week ago:
One downside is that the cached file is not independently archived so it could be tampered with. Thanks for the idea.
You could have multiple researchers archive it and store copies independently. Then tampering would show up accross copies.
Unfortunately, central hosting doesn’t guarantee that it is tamper free. The host could be hacked, or could be malicious. Archive.is was caught tampering with their archived pages:
- Comment on ArchiveBox or similar for shared archiving of research project 1 week ago:
Check out Zotero: www.zotero.org
Zotero is an open source bibliography manager. It’s my main go to tool for generating works cited pages, like during essays.
But, it also has a browser extension, which can then download, and archive sites or academic articles you are adding to the sources. I would then use the fulltext search that zotero provides for easy searching of sources.
Unfortunately, it’s not hosted, which would make it difficult to share.
- Comment on DepthSight - a self-hosted, federated algorithmic trading platform with a visual strategy builder (AGPL) 1 week ago:
Calling an enterprise-grade platform
Except you use JWT’s for auth, which is idiotic and a security nightmare. No enterprise that cares about security would ever accept this.
More info: gist.github.com/…/0d1f3d3b4745d778f78b230cf606145…
There are other problems, some of which I can see… and some of which I can’t. The problem is that I am not a comprehensive expert, I can only spot a few things here and there. Even if I was an expert, why would I audit your software for free lmao? Pay me for that shit.
What I do know, is that vibecoded apps are bad at security. Many, many vibecoded apps have been hit by horrific security bugs like remote code execution, xss, or authentication bypasses. That shit is simply unacceptable and should be extremely rare in modern apps. The fact that I’m not skilled enough to find them reliably makes me even more cautious and concerned around apps like yours.
It’s not just about the app architecture, but also about you. When a known community figure creates an app, I have confidence that they will have a good security posture and architecture. With vibecoding… not so much.
If you have an actual architectural critique
Nice bait, but the problem is this: Just because you get people to
audit“critique” your software, doesn’t fix the root cause of those problems — you. Just because you manage to re-vibecode the app to not use JWT’s or to fix any other number of issues someone would point out, doesn’t actually mean more issues exist that that person missed. Like if someone specialized in python, then they might miss database issues, and so on. The second problem is that inevitably, you will expand this software, adding more features… and vulnerabilities. That is to say, even if you manage to fix the architecture and security now, you have not demonstrated the requisite skill needed in order to keep it fixed. - Comment on [META] Are paid for closer source advertising appropriate? 2 weeks ago:
What if the new account user, who is working on a product that integrates with what the vast majority of selfhosters run, just found Lemmy?
This happens on Reddit, and basically my problem is that these users often don’t have enough experience to be able to actually give solutions. Reddit is full of people who think they have a good solution, dealing with comments of people explaining that what they are struggling with is actually a solved problem (or a skill issue). No one cares about your vibecoded slop that implements 1% of the features of an existing open source solution (they used to not be vibecoded but we still didn’t care). It being paid and proprietary is just even more annoying.
My idea of requirement to engage with the community is also about being able to ensure that the users are technically competent. If they are experienced, it will show up in the discussions we can see in the review. If they lurk, then they can take a look at what is being used, and what problems actually exist, instead of making assumptions.
If they really believe their product is so good, they can spend a few weeks helping people with Linux questions and sharing their (non product related) insightful thoughts on Lemmy so I don’t dismiss them instantly when they finally advertise it.
- Comment on [META] Are paid for closer source advertising appropriate? 2 weeks ago:
It is possible to detect and moderate them, as long as your mods haven’t been disappeared and replaced by people who’s job is to accept bribes. And also when we can actually see people’s history, since reddit now has an option to hide your history from others because of course.
My usual method is to focus on content, rather than writing style. The AI bots can write a lot, or be brief, or whatever, but they don’t actually contribute to the discussion. They just kinda paraphrase and restate what has been said, or when trying to sell a product they disagree and go “Are you sure this isn’t an problem?” to everybody in the thread telling them that it’s actually a skill issue.
Sometimes they’ll be a little better, but it’s often surface level stuff that can be found at the top of a google search of keywords.
This also makes it possible to tell the difference between ESL speakers who are using AI to clean up their writing style, and true bots. Since the ESL speakers will actually have something to say, but bots won’t.
And then: xkcd.com/810/
- Comment on [META] Are paid for closer source advertising appropriate? 2 weeks ago:
Unraid is an example, that I consider fairly reasonable. Sure, it is a subscription.
But all of the services are docker containers. What unraid brings to the table is a nice management UI, and the ability to mix and match drive of different sizes in a single raid pool. It makes having a fairly resilient self hosting setup easier than trying to do all of this stuff from scratch.
Nice features sure, that many people find worth paying for, even if I don’t. But they are just nice to haves. If the company ever dies, it’s absolutely possible to export the data and move to say, portainer, or docker via the cli, or podman, or anything that can run containers.
- Comment on [META] Are paid for closer source advertising appropriate? 2 weeks ago:
On reddit, there is a community called r/progressionfantasy, which is about a specific type of fantasy fiction. They have a rule that self promotional posts (for paid books) must be preceeded by 10 comments, and actual engagement with the community.
This is a reasonable compromise, in my opinion. Known community member who has been answering questions and contributiting to discussions?
I would be okay if they dropped a paid product of good quality and with a reasonable business model (please no vibecoded slop).
But drive by ProductNameAccount users who have never posted on lemmy before a bunch of self promotional posts? Yeah ban that shit.
- Comment on What apps do you use to listen music at work/on phone? 2 weeks ago:
I use Vanilla music. It was the only music player I found that would keep my place in my long running playlist that I have on shuffle all the time. It gets through all the songs, shuffles, and then queues through all the songs again. Other players I tested would forget the place, or that music was playing in the first place, and that was frustrating.
I stream it to my computer by connecting my phone to my computer via Bluetooth. I think it’s was a new KDE feature, but now my Linux laptop will pretend to be a headset/speakers, and the Android phone will just play to it. It’s so amazing. Because then I can listen to audio from both my phone and my computer at once pretty easily, and keep my spot in that one playlist I keep running. Unfortunately, it has an annoying issue where it drops out (but doesn’t pause the audio) when the CPU is used too much. Lemmy post: programming.dev/post/45725312
When I want a more reliable setup, like when I am compiling things, I usually plug my phone into my computer and use srcpy which can stream the android screen to the computer over ADB, but I just stream the audio, since that’s all I care about.
- Comment on Remote Tech Support services? 2 weeks ago:
Unfortunately, there isn’t really a good solution for remote controlling android or ios devices. Meshcentral can view, but not act.
I was investigating this (for android tablets), and the solution I came too was to enable android debug tools (adb) over wireless (but in this case, remotely), vpn the phone into a remote server to connect them. Then, you should be able to run adb commands remotely (which lets you uninstall apps). And then over adb, you should be able to stream the screen and control it via genscrcpy.
Actually, the first solution I was going to use was device farmer: github.com/orgs/DeviceFarmer/repositories , but the above is basically how device farmer works.
I eventually gave up on remote controllung android devices because it wasn’t needed and it would have been a complex deployment.
A simpler solution for your usecase is probably to spend a night cleaning up her phone, and then enable kiddie mode on it. That would disable app installs unless she calls you to approve it. In addition to that, (idk about ios), but you can actually install apps on android devices remotely via the google play website.
- Comment on Remote Tech Support services? 2 weeks ago:
It has installed suspicious certificates.
I dug into this, and it looks like it has been fixed: github.com/rustdesk/rustdesk/discussions/6444)#discussioncomment-12039260 , and no longer does that.
So Rustdesk can be used entirely open source (since the proprietary management web UI is not critical), and it no longer installs certs.
So maybe it had problems a while ago, but it looks clean in these regards now.
- Comment on Remote Tech Support services? 2 weeks ago:
Lmao stop spreading more FUD. They have a paid, proprietary web UI to make management and administration easy. But you can get all the critical components needed to actually run the software from the source.
- Comment on Remote Tech Support services? 2 weeks ago:
I was just wondering about the Chinese connection bit.
I actually can’t find any evidence of this. The company appears to be headquartered in Singapore, CEO’d by an American dude.
- Comment on Remote Tech Support services? 2 weeks ago:
For your usecase, I would recommend Rustdesk.
But I would also like to mention Meshcentral. Meshcentral is a hosted application that lets you remotely manage multiple devices. It’s different from meshcentral in that it maintains a constant connection, and you can do things like view files
It’s more designed for managing a small enterprise environment, than individual support. Although I wouldn’t recommend it for OP, I’m leaving this up for anyone in the future who might be searching for “remote tech support” and maybe they will find Meshcentral more appropriate.
- Comment on Remote Tech Support services? 2 weeks ago:
oh no, rustdesk does have a lot of problems. I could give you a nice list. It’s just that nobody cares, they don’t matter, and we don’t have a good alternative.
This user’s main account is Hotznplotzn@lemmy.sdf.org (probably). You can take a look through their post history to get an idea of why they might make this comment…
- Comment on Remote Tech Support services? 2 weeks ago:
It’s open source, and the relay’s are e2ee (and audited), but they can also be self hosted.
-
Do you have actual technical issues with rustdesk?
-
Do you have an alternative software you would recommend? I hate when people spread FUD or say “don’t use/do this” without actually preventing an alternative. Drives me nuts. Because if you don’t present an alternative to a software that someone needs, your complains are kinda meaningless and a waste of everybody’s time because they’re gonna end up ignoring the complains and using the tool they need.
-
- Comment on Wireguard easy and third party von service. 3 weeks ago:
randomise your web interface port
Randomized interface ports change nothing except for stopping automated scanners. They don’t really help. Just lock it behind ssh, physical access or similar, and then never worry about it again.
Yeah only if you enable their cloud api
No, all of the local web interfaces have had problems too. Literally every router or network appliance has had similar issues.
ts not an isp or consumer router
ISP, consumer, and enterprise routers have all the same issues due to the same architecture. All of them.
have also pen tested my router remotley.
Me too. But it’s just not about my router being secure today, it’s about it being secure tomorrow. I want to be able to rest easy knowing that if a new vulnerability appears in xyz component then I don’t have to worry about it.
- Comment on Wireguard easy and third party von service. 3 weeks ago:
Every issue with tp link has been. You need to have acces to the router physically to implement.
Come on, this is not true and you know it. Finding a counterexample was easy:
anavem.com/…/tp-link-patches-critical-router-flaw…
Auth bypass + auth rce flaw. Literal remote code execution, instant own.
The problem with network appliances/routers is that they all have web ui’s, and management api’s or something of the sort. Web UI’s are extremely complex services, with lots of difficult to secure attack surface. In a router, that attack surface is now running as root (because it has to be, to manage linux (or freebsd, routers are usually based on one of the two) kernel routing and networking.
So literally every single network appliance and router has had it’s own critical vulnerabilities, even open source ones like openwrt.
The real solution here is to recognize that web interfaces are a security nightmare, and to either disable them or lock them behind ssh.
(Open)ssh, is known for having extremely few vulnerabilities, only 2.5 critical ones over it’s 25+ years of existence. That’s a big difference compared to some of these network appliances/routers with have 2+ critical vulns every quarter.
- Comment on Access to the LanguageTool browser extension will become paid in 2 weeks, unless you are using a local model or selfhost it 5 weeks ago:
Unfortunately, the browser extension is proprietary. They used to have an open source one but they stopped maintaining it.
Proprietary was a dealbreaker for me. There is no way to verify that it isn’t selling everything I type even if I do have it configured to point at a local server.
I’m also concerned that the extension may eventually no longer work against local servers as well.
github.com/languagetool-org/…/247
As an alternative, there is harper by wordpress: github.com/Automattic/harper
It is webassembly and runs entirely in your browser.
EDIT:
I will add that the rest of the languagetool ecosystem continues to work fine. Libreoffice now has a built in client, which you can point at your own hosted server. VSCode [1] also has their own languagetool extension. I use those and those work great. But in the browser I use
harpernothing. I should probably install harper.[1] Well, technically I use [code-oss]wiki.archlinux.org/title/Visual_Studio_Code), which gets the extension from open-vsx.org