Neptr
@Neptr@lemmy.blahaj.zone
- Comment on How "heavy" is self-hosting matrix really? 2 weeks ago:
Screensharing is the only thing I don't think it does. Voice and video are good. See Snikket or conversations.im
- Comment on Virtual Machines vs LXC vs Docker: What’s the Real Difference? 2 weeks ago:
Yes, I understand what GVisor does. Cgroups2 are for isolation of system resources, but aren't even the main sandbox feature used for isolation by Docker. I am pretty sure namespaces are significantly more important for these containers' security.
GVisor helps with one of the main risks in a container setup, which is the kernel shared by host and guests. I understand it comes with a performance penalty (and I didn't know it was incompatible with SELinux), but that does change my original point that GVisor is a security improvement to default Docker. I understand there is more nuance; even when I wrote my original comment I understood (just like any other security feature) it can't be used in every scenario. I was being intentionally general, and in my second comment I was pretty specific about what it protects against: kernel vulnerabilities and privilege escalation.
I researched cgroups2 more and I still don't understand why you brought it up in the first place. Cgroups2 and gVisor provide very different security benefits. Cgroups help to keep a system available (lessening the risk of DoS attacks) by controlling access to some system resources (IO, devices, CPU, memory) and grouping processes of a similar type. It seems rather optimized to solve resource control on a container host. I mentioned gVisor because it is mostly just a drop-in replacement container runtime which doesn't need setup to be used.
Now for a different container runtime which provides significantly more features (than gVisor) with fewer downsides (if configured correctly for a specific workload): Sydbox provides syd-oci, which is an application kernel runtime that uses a permission config file to create a sandbox, isolating using namespaces, seccomp, Landlock, and more. It can sandbox in many different categories (oftentimes leveraging multiple features to provide a multilayer sandbox); you can see the categories in the syd manpage. The biggest downside is that you must really understand what your container application needs, otherwise it will prevent it from running. It is a "secure-by-default" sandbox which can be softened through config.
- Comment on Virtual Machines vs LXC vs Docker: What’s the Real Difference? 2 weeks ago:
I don't really understand what you mean in your last sentence.
My reason for saying GVisor is safer is because it is an application kernel which provides traps and emulates most Linux syscalls in the guest with a far smaller set of syscalls to the host kernel, helping to prevent container escapes and privilege escalation. GVisor also fully drops privileges early in start-up (before running any significant logic), helping to prevent privilege escalation.
Cgroups is not really a security feature (from what I understand). It is about controlling process priority, hierarchy, and resource limiting (among other things). You can not use GVisor with LXC.
- Comment on Virtual Machines vs LXC vs Docker: What’s the Real Difference? 2 weeks ago:
In order of most to least secure:
VM > Docker+GVisor > Docker/LXC
Docker+GVisor is a good middle ground because it provides the guest container with an application kernel in a memory-safe language and a reduced syscall attack surface to avoid kernel container escapes. Docker/LXC share the kernel with the host.
- Comment on we're all a little gay inside 3 weeks ago:
There are gaps in between the rain drops which means we see other parts of the cone.
- Comment on big list of selfhosted chat apps to meet all your friends on a real "server" 4 weeks ago:
The other problem with Matrix for me is that Element Call (the protocol) is not present in most public instances and isn't very straightforward to selfhost. The default is Jitsi, which is not E2EE. Pretty major IMO, because if Matrix is supposed to be a Discord alternative and supposedly E2EE but VC isn't encrypted, pretty yikes.
- Comment on big list of selfhosted chat apps to meet all your friends on a real "server" 4 weeks ago:
Where did you read that Signal uses MLS? I could not find any claims of using MLS on Signal’s specs page or their GitHub repo. Also MLS doesn’t mean anything on its own, see Soatok’s blog on MLS.
Soatok is currently in the process of writing a blog post about another vulnerability they found in Matrix's encryption, and with Matrix's history of numerous vulnerabilities, I would stay away from that shit. No matter how "good" the algorithm is in theory, it is all about implementation. Matrix also has very brittle encryption; oftentimes many messages will become unrecoverable, which is terrible UX.
You’d be better off just selfhosting XMPP+OMEMO, with the caveat that it is also flawed and leaks plenty of metadata.
The best alternatives to Signal (but not Discord) are SimpleX and Briar. Both are significantly better than XMPP/Matrix for privacy and security.
- Comment on big list of selfhosted chat apps to meet all your friends on a real "server" 4 weeks ago:
Lol
- Comment on big list of selfhosted chat apps to meet all your friends on a real "server" 4 weeks ago:
It still isn't great. Better than DeltaChat/Matrix but decently worse than Signal's security.
- Comment on big list of selfhosted chat apps to meet all your friends on a real "server" 4 weeks ago:
OMEMO is better than nothing. Much better than OTR or PGP (looking at you, DeltaChat), and the biggest problem seems to be the metadata and old versions used in some clients. The encryption (of message contents) at the very least is decent.
OMEMO is better than Matrix's encryption, as the latter doesn't offer proper forward secrecy and breaks all the time, leaving messages inaccessible.
- Comment on GitHub - spacebarchat/spacebarchat: 📬 Spacebar is a free open source selfhostable discord compatible communication platform 4 weeks ago:
You can use WebCord with Spacebar.
- Comment on It's a Furby! 1 month ago:
Bro, 3 of us have now posted this lol.
- Comment on Goldenrod 1 month ago:
Don’t forget Kudzu.
- Comment on What are some unique Games to host server's of? 2 months ago:
Valheim
- Comment on AI’s Unpaid Debt: How LLM Scrapers Destroy the Social Contract of Open Source 2 months ago:
- Most "open source" LLMs are really just open weights, which is useless without the training data. This dilutes the definition of OSS. There is no way to train the model as a normal person (aka not Google or Meta, etc.).
- LLM producers don't credit the OSS they trained on, no attribution. Most models violate the licenses of all their training data (eg. GPL).
- LLM scraper bots put high stress on server infrastructure, creating a DDoS attack.
- Comment on 3 months ago:
If I had to guess, they probably don't use the APIs, instead using scraping of some sort.
- Comment on 🥵 🥵 🥵 3 months ago:
Poopy
- Comment on 🥵 🥵 🥵 3 months ago:
Poppy
- Comment on Assumptions 3 months ago:
Good Dinosaur reference?
- Comment on Usually 13. 3 months ago:
Thanks
- Comment on Usually 13. 3 months ago:
I couldn't upload as an image :(
- Comment on Usually 13. 3 months ago:
- Comment on stinky ginky 3 months ago:
Everything evolves over time. Ginkgo just hasn't changed visibly in structure.
- Comment on [deleted] 3 months ago:
Maybe set up FIDO2 LUKS unlocking, but that requires a security key: www.privacyguides.org/en/security-keys/
- Comment on [deleted] 3 months ago:
You could set up LUKS TPM unlocking.
- Comment on Mustaaaaaaaaaard 3 months ago:
One word: Kudzu
- Comment on Honestly Bizarre 4 months ago:
Even worse, “gross lil critters”
- Comment on [Help] My first serious self hosted server 6 months ago:
I liked qdirstat
- Comment on SilverBullet v2 released: open-source, self hosted, programmable notes 6 months ago:
If all you need is a simple note-taking app, I recommend Notesnook. It is free and open source and offers E2EE cloud syncing. That is what I used as a Google Keep alternative. SilverBullet is good, but may be too feature-full for something as simple as a Keep replacement.
- Comment on Peak batchelor 9 months ago:
Yummy electrolyte drinks