ShortN0te
@ShortN0te@lemmy.ml
- Comment on A sneaky demonstration of the dangers of curl bash 12 hours ago:
Yes, the secrets to submit to the distribution system got compromised and therefore the system got compromised.
- Comment on A sneaky demonstration of the dangers of curl bash 16 hours ago:
To achieve a compromised update you either need to compromise the update infrastructure AND the key, or the infrastructure AND exploit the local updater to accept the invalid or forged signature.
As I said, to compromise a signature-checked update over the internet you need to compromise both, the distributing infrastructure AND the key. With just either one it's not possible. (Ignoring flaws in the code ofc)
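The point made in this comment, as an added example that is not the commenter's code: an updater with the vendor's Ed25519 public key pinned inside it (an assumed design, not any specific vendor's), played through the attacker positions discussed in the thread. Only the case where the vendor's signing key is also stolen gets a swapped file accepted; the sample update bytes and key pairs are constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Verifier models an updater that ships with the vendor's public key pinned
// inside it (assumed design). Because the key is not fetched from the
// distribution server, controlling that server alone is not enough to get a
// forged update accepted.
type Verifier struct {
	pinnedKey ed25519.PublicKey
}

// Verify accepts the update only if the detached signature was produced by
// the pinned key over the update's SHA-256 digest.
func (v Verifier) Verify(update, sig []byte) error {
	if len(sig) != ed25519.SignatureSize {
		return errors.New("malformed signature")
	}
	digest := sha256.Sum256(update)
	if !ed25519.Verify(v.pinnedKey, digest[:], sig) {
		return errors.New("signature does not verify under the pinned vendor key")
	}
	return nil
}

// sign is the offline signing step; the private key never touches the server.
func sign(priv ed25519.PrivateKey, update []byte) []byte {
	digest := sha256.Sum256(update)
	return ed25519.Sign(priv, digest[:])
}

func mustKeypair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Outcome records whether the updater accepted the download in each of the
// attacker positions from the thread.
type Outcome struct {
	Genuine            bool // vendor-signed update, untouched
	ServerOnly         bool // attacker swaps the file, keeps the old signature
	ServerAndOwnKey    bool // attacker swaps the file, signs with their own key
	ServerAndVendorKey bool // attacker also holds the vendor's signing key
}

// RunScenarios builds constructed sample updates and plays out the four cases.
func RunScenarios() Outcome {
	vendorPub, vendorPriv := mustKeypair()
	_, attackerPriv := mustKeypair()
	updater := Verifier{pinnedKey: vendorPub}

	genuine := []byte("#!/bin/sh\necho installing v1.2.3\n")           // constructed sample
	tampered := []byte("#!/bin/sh\necho installing v1.2.3-modified\n") // constructed sample
	genuineSig := sign(vendorPriv, genuine)

	return Outcome{
		Genuine:            updater.Verify(genuine, genuineSig) == nil,
		ServerOnly:         updater.Verify(tampered, genuineSig) == nil,
		ServerAndOwnKey:    updater.Verify(tampered, sign(attackerPriv, tampered)) == nil,
		ServerAndVendorKey: updater.Verify(tampered, sign(vendorPriv, tampered)) == nil,
	}
}

func main() {
	// A curl | bash install has no equivalent of Verify: whatever the server
	// returns is executed, so the ServerOnly column alone already succeeds there.
	fmt.Printf("%+v\n", RunScenarios())
}
```

The digest is signed rather than the raw file only to keep the signed message fixed-size; the security argument rests on the key being pinned in the client and the private half staying off the distribution server.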
- Comment on A sneaky demonstration of the dangers of curl bash 18 hours ago:
After gaining initial access, the malicious cyber actor deployed malware that scanned the environment for sensitive credentials.
So as I said, the keys got compromised. That's what I said in the second post.
- Comment on A sneaky demonstration of the dangers of curl bash 19 hours ago:
No you cannot, the pub key either needs to be present on the updater or uses infrastructure that is not owned by you. Usually, the way most software suppliers do it, the public key is supplied within the updater.
- Comment on A sneaky demonstration of the dangers of curl bash 21 hours ago:
This is incorrect. If the update you download is compromised then the signature is invalid and the update fails.
To achieve a compromised update you either need to compromise the update infrastructure AND the key, or the infrastructure AND exploit the local updater to accept the invalid or forged signature.
- Comment on A sneaky demonstration of the dangers of curl bash 22 hours ago:
Not completely correct. A lot of updaters work with signatures to verify that what was downloaded is signed by the correct key.
With bash curl there is no such check in place.
So strictly speaking it is not the same.
- Comment on OpenClaw with Docker. Is it safe? 2 weeks ago:
Simply put, no. In order to be safe with an LLM that can execute stuff on its own it needs to be completely sandboxed.
A very nice talk about flaws in agentic AI can be found here: …ccc.de/…/39c3-agentic-probllms-exploiting-ai-com…
- Comment on Non-US cloud storage for backup? 2 weeks ago:
I can also recommend the object storage from Hetzner for backups. Quite price competitive.
- Comment on what is good remote desktop software? 3 weeks ago:
It actually does both. Not really tested the multimonitor features but it's there and it works, not sure if to the same degree as in RDP.
- Comment on Server ROI Calculator 3 weeks ago:
There is a box for manually added monthly savings. But yes, hard to classify what you would actually subscribe to if you would not have a server already.
But same for video. I would never buy 3 streaming services at a time.
- Comment on How do I avoid becoming one with the botnet? 4 weeks ago:
The other answer is already good but I'll answer more generally.
Rate limiting. Do not allow as many requests as your CPU can handle but limit authentication requests. Like a couple requests per second already goes a long way.
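The rate limiting the comment describes, as an added example (not the commenter's code): a per-client token bucket that admits a small burst of login attempts and then only a few per second, rejecting the rest before the password check runs. Client keys, rates and the attempt timings are constructed for the demo; a real deployment would key on the source address seen by the reverse proxy.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

// AuthLimiter is a per-client token bucket for authentication attempts. Each
// client key (e.g. source IP) may make at most `burst` attempts at once and
// afterwards `rate` attempts per second; anything beyond that is rejected
// before the credentials are even looked at.
type AuthLimiter struct {
	mu      sync.Mutex
	rate    float64 // tokens refilled per second
	burst   float64 // bucket capacity
	buckets map[string]*bucket
}

type bucket struct {
	tokens float64
	last   time.Time
}

func NewAuthLimiter(ratePerSec float64, burst int) *AuthLimiter {
	return &AuthLimiter{rate: ratePerSec, burst: float64(burst), buckets: map[string]*bucket{}}
}

// Allow reports whether the attempt from `client` at time `now` may proceed.
// The clock is passed in so behaviour is deterministic and testable.
func (l *AuthLimiter) Allow(client string, now time.Time) bool {
	l.mu.Lock()
	defer l.mu.Unlock()
	b, ok := l.buckets[client]
	if !ok {
		b = &bucket{tokens: l.burst, last: now}
		l.buckets[client] = b
	}
	// Refill proportionally to elapsed time, capped at the burst size.
	if elapsed := now.Sub(b.last).Seconds(); elapsed > 0 {
		b.tokens += elapsed * l.rate
		if b.tokens > l.burst {
			b.tokens = l.burst
		}
		b.last = now
	}
	if b.tokens < 1 {
		return false
	}
	b.tokens--
	return true
}

// Simulate feeds `attempts` login attempts from one client, spaced `gap`
// apart starting at `start`, and returns how many were admitted.
func Simulate(l *AuthLimiter, client string, attempts int, start time.Time, gap time.Duration) int {
	admitted := 0
	for i := 0; i < attempts; i++ {
		if l.Allow(client, start.Add(time.Duration(i)*gap)) {
			admitted++
		}
	}
	return admitted
}

func main() {
	start := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC) // constructed clock
	// 100 attempts within one millisecond from a constructed client address:
	// only the burst of 5 gets through, the other 95 never reach the password check.
	l := NewAuthLimiter(2, 5)
	fmt.Println("admitted:", Simulate(l, "198.51.100.1", 100, start, 10*time.Microsecond))
}
```

The limiter is deliberately separate from the authentication logic: it only answers "may this attempt proceed", so the same bucket can sit in front of a web login, an API token endpoint or an SSH-like service without knowing anything about credentials.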
- Comment on How do I avoid becoming one with the botnet? 4 weeks ago:
The ‘immediate attacks’ ppl mention are just static background noise. Servers / scripts that run trying to find misconfigured, highly out-of-date or exploitable endpoints/servers/software.
Once you update your software, set up basic brute force protection and maybe regional blocking, you do not have to worry about this kind of attack.
Much more scary are so-called 0-Day attacks.
- No one will waste an expensive exploit on you
- It sometimes can happen that 0-Days that get public get widely exploited and take a long time to get closed, like for example log4shell was. Here some work is necessary to inform yourself and disable things according to what is patched and what not.
As I already said, no one will waste time on you; there are so many easier targets out there that do not follow those basic rules, or actually valuable targets.
There is obviously more that you can do, like hiding everything behind a VPN or advanced threat detection. Also choosing the kind of software you want to run is relevant.
- Comment on A dummy's request for Nepenthes 2 months ago:
Yeah I’m not saying it's perfect and LLMs are non-deterministic so it could give you some crap. You’re not wrong and it’s good to be aware of that. How do you verify some random stranger from the internet wasn’t an asshole and gave you malicious config? 🤷
There is no guarantee either, but on a public forum at least a couple of eyes look at it too. Not saying that this makes it trustworthy. But an LLM usually words its output very directly, saying “this is the absolute truth”, which can lead to a much higher trust relation than a stranger on a forum that writes “maybe try this”.
I generally would not recommend using the LLM for potential security related questions (or important or professional questions) where your own knowledge is not big enough to quickly vet the output.
- Comment on A dummy's request for Nepenthes 2 months ago:
You are still talking about someone that is not able to create the config themself, but that someone should be able to test everything?
- Comment on A dummy's request for Nepenthes 2 months ago:
But still, how would you verify if the config is good or not? For example if it exposes root?
- Comment on New Community Rule: "No low-effort posts. This is subjective and will largely be determined by the community member reports." 2 months ago:
The discussion is about low effort link-only video and/or other posts. If you are not referring to them then you missed the point.
- Comment on New Community Rule: "No low-effort posts. This is subjective and will largely be determined by the community member reports." 2 months ago:
It seems, the majority does not want it.
If ppl do not like it they can use another selfhosted from another instance. That's what Lemmy or the fediverse is built for.
- Comment on New Community Rule: "No low-effort posts. This is subjective and will largely be determined by the community member reports." 2 months ago:
Most ppl seem to agree with me.
- Comment on New Community Rule: "No low-effort posts. This is subjective and will largely be determined by the community member reports." 2 months ago:
But how would you know before watching?
“Based on the upvotes and comments” Oh then others doing the work to watch it and rate it on lemmy for you.
Imo, when a link to a video or forum or whatever is posted, then at least a summary or a discussion should be included.
- Comment on Plex’s crackdown on free remote streaming access starts this week - Ars Technica 2 months ago:
No, you have not understood anything. Assuming Jellyfin would go closed source, (ignoring the GPL license and so on) you would not notice anything. Your server and service would be unchanged by this.
Emby is the best example, the community will fork it and your server lives on. Even if not, then the server and software is still yours.
- Comment on Plex’s crackdown on free remote streaming access starts this week - Ars Technica 2 months ago:
If it becomes an issue, then you’re in the exact same position you’d be in today if you decided to move away from Plex now.
I disagree. Right now you got time to do the research, plan the move and test it out with a demo setup. You do not know if you got the time if Plex decides to screw their lifetime users.
Yes this is hypothetical.
- Comment on Why do so many services require email configuration? 3 months ago:
Brother we have the opposite problem. You are not putting yourself in my shoes, or other people like me.
Bold claim. But no, I am putting myself in your shoes and yes there was also a time where I tried to work around hosting mail myself. But it's easy and no headache to set up.
- Comment on Why do so many services require email configuration? 3 months ago:
None of those things are necessary. Like I don’t even have email configured on my server because I don’t need it at all except when the developer unnecessarily integrates it to the extent that it breaks it.
Depending on the view, a functioning service, something like password reset, is necessary. To design the software so that it can ship without a functioning password reset can or cannot make sense, depending on the design choices. Depending on what else gets sent via e-mail, designing the software around that can be challenging and burdening for the future of development.
If the setup requires you to set up e-mail, the software and then also the developer can always assume there is a communication path to the individual user.
As I said, it can and cannot make sense, but saying
That makes no sense.
and not even trying to put yourself into other shoes just does not make sense.
- Comment on Why do so many services require email configuration? 3 months ago:
Why wouldn’t you give users the option to not use it?
Since then you would need to have another way to achieve the goals e-mail does. Like password resets, user invitations etc. That's all software burden for that one user that does not want it.
Setting up email is a pain in the ass, costs money, is dependent on 3rd parties, violates privacy, and is just completely unnecessary.
None of these I would actually say. To work around it you can just simply set up a locally reachable Postfix. Done. You can set up a complete local mail server with a few clicks.
Choose the software you want to use wisely and don't jump to the first solution you find when you are that picky about your requirements. If you are so reluctant about e-mail and the service requires it, then maybe the design goals of the software do not fit your goals.
- Comment on How often do you update software on your servers? 3 months ago:
And for containers auto updates once every day.
- Comment on How often do you update software on your servers? 3 months ago:
Got apticron set up on my servers or similar solutions to get notified when updates are available. Then usually, from time of notification +1 or 2 days.
- Comment on Have you tried self-hosting your own email recently? 5 months ago:
I host my mail with mailcow and it is almost set and forget. I only had a couple issues with some mail providers, but a small email exchange with the admins cleared that up.
Have a handful of users, that have not complained about anything not working or spam or whatever 🤷♂️
- Comment on Important Notice of Security Incident 5 months ago:
Besides that, security by obscurity is the worst possible form and barely qualifies as security at all.
In fact security by obscurity is not security at all. In this case it should be authenticated or at the very least actually use a random string like a UUID. But changing the root path does prevent it from being exploited. Not perfect but a temporary solution.
It’s also another place where the Jellyfin devs leave their users to their own devices when it comes to securing the server against malicious actors.
Another place? What else? You mean setting up your own server? That is in fact your responsibility.
- Comment on The Future is NOT Self-Hosted 6 months ago:
End-to-end encryption means the service provider can’t see your data even if they wanted to
Not necessarily. All it means is that intermediaries can’t see the data in transit. You need to trust that the data is handled properly at either end, and most service providers also make the apps that you run at either end.
This is incorrect. End-to-End is defined as from “User to User” and not “User to Service provider”. That would be just transport encryption.
- Comment on set up local DNS using Pi-hole + nginx + audiobookshelf 6 months ago:
I switched to AdGuard, yes. But you can just give Pi-hole a dnsmasq config file. The underlying DNS server Pi-hole uses does support those.
Just mount the file via a docker volume. I will have to look up the exact paths. Config would look like
address=/domain.tld/192.168.0.1