• 0 Posts
  • 27 Comments
Joined 1 year ago
cake
Cake day: June 3rd, 2023

help-circle
  • Just SSH. Every public facing piece of software (I.e. a web interface) adds more complexity for misconfiguration or security vulnerabilities.

    You can mount you remote filesystem locally and use your local file manager and text editors to manage most tasks. If you use ansible you can make changes to a local configuration and deploy the state to the server without needing to run anything special on the server side. It is especially effective if you also run docker.

    And for monitoring I usually just have a tmux with btop running. Which is fine if you don’t need long term time series data, then you might want to look at influxdb/grafana - but even those I would run locally behind a firewall, with the server reporting the data to the database.





  • frustboxtoPrivacyPay with Palm
    link
    fedilink
    arrow-up
    62
    arrow-down
    2
    ·
    1 year ago

    One scar away from losing access to your ability to pay …

    Biometrics can not really be changed. Except maybe through time or trauma (i.e. age or injury). They can be used to uniquely(?) identify a person - except maybe twins - at the expense of anonymity, which has it’s own set of problems.

    But because they can not easily be changed they’re a terrible security feature. Once they leak, they’re unusable and you’re hosed. You can’t issue a new palm print for your bank account like you could a new chip card and password.

    Also, just because you waved your hand over a scanner does not mean that you approve and consent of the transaction. With tap to pay there were ideas of mobile point of sales devices just tapping on peoples backpacks in a crowded area. You don’t even keep your biometrics markers in your pocket, they’re just out in the open for anyone with a camera. This may be bordering on paranoia, but a few years back (2014) German hackers from Chaos Computer Club took iris scans from Angela Merkel (then Chancellor of Germany) and finger prints of Ursula von der Leyen (then Minister of defense) using nothing but press fotos. Cameras have only gotten better.

    TL;DR: Biometrics can be used for identification but should never be used for authorisation.


  • Why you should care?

    Because the debate is not about whether or not you have something to hide.

    It’s about your right to consent. You should have the right to say no. And you should have the right to change your mind for any reason. You should have the right to regain control of who can store, access or process your data.

    Depending on where you live you may have such rights, or you may not. And the political debate is about granting, strengthening, weakening or revoking these rights. And you should care about having these rights, whether you use them or not.




  • You should absolutely have web environment integrity. Your browser should not allow the website to do things that you don’t approve of, so the integrity of your computer can be ensured.

    Wait, that’s not what they mean, is it? Oh no … 🙄

    Yea, I feel like Google has this a bit backwards. As always, I like to turn the metaphor on it’s head. You’re not visiting a website, you’re inviting a website. You’re allowing the website to use your system resources, bandwidth, CPU cycles, etc. And what you do with your own system is none of the websites business. They can protect their business model on the server side, if they need to. But maybe they just need better business models.


  • frustboxtoAsklemmyWhy are folks so anti-capitalist?
    link
    fedilink
    English
    arrow-up
    168
    arrow-down
    4
    ·
    1 year ago

    Capitalism sold us a fairy-tale.

    Companies compete for customers, they improve products so it breeds innovation and they also compete for workers, so it gets better for everyone! Except it doesn’t.

    The reality is quite the opposite. Here’s what happens. They want to maximize profits so that the owners of the company get more money. How do you maximize profits?

    • You can advertise, and attract more customers. Alright, but eventually everyone has a widget. Maybe you can poach some customers from a competitor, but ultimately the market is saturated. Things get replaced as they break there’s a natural equilibrium. How do you increase profits?
    • You can charge more. Raise the price. That only works so far before you lose customers to your cheaper competition, again you reach an equilibrium. How do you increase profits?
    • You can innovate! Oh yes, that’s what capitalism is all about, improve your production, instead of 5 parts that need to be screwed together, now it’s just one part that falls out of a machine. You spend less time making each widget so you make more profit. But eventually there just isn’t any room to innovate any more. How do you increase profits?
    • You can use cheaper materials. But here again, you bump against an equilibrium, the cheaper materials often break more easily - sometimes that is wanted (planned obsolescence) but your customers will notice the drop in quality and eventually they’re not willing to pay as much for your widget any more. How do you increase profits?
    • Well, the last big item on your list: payroll. Do more work with less staff, or in other words pay staff less.

    So what you end up with is low quality products, it’s a race to the bottom of who can make the crappiest product that the customers are still willing to pay for.

    And for the workers? Well, they don’t earn much, we outsourced their work to overseas or replaced them with machines and computers. All the money went into the pockets of the owners and now the workers are poor. They’re desperate to even find work, any work as long as it allows them afford rent and barely not starve. If one of them has concerns about the working conditions, fire them, somebody else is more desperate and willing to accept the conditions.

    So capitalism is destined to make us all poorer. It needs poverty as a “threat” to make you shut up and do your work “you wouldn’t want to be homeless, would you?”

    The problem is not money itself, it’s not stores or being able to buy stuff. That’s an economy you can have an economy without capitalism. The problem is that the capitalists own the means of production and all the profits flow up into the pockets of the owners. And often the owners are shareholders, the stock markets, they don’t care if a company is healthy, or doing well by their employees, all the stock markets care about is “line go up”, and it’s sucking the working class dry.

    Regulation can avoid some of the worst negative effects of capitalism. Lawmakers can set a minimum wage, rules for working hours, paid time off, health and safety, environmental protection etc. Those rules are often written in blood. Literally, because if not forced by law, capitalism has no reason to care about your (worker or customer) life, only profits.

    Oppose that with some ideas of socialism. aka. “The workers own the means of production” This is something some companies practice, Worker cooperatives are great. The workers are the owners, if the company does well, all the workers get to enjoy the profits. The workers actually have a stake in their company doing well. (Technically if you’re self-employed you’re doing a socialism) Well, that’s utopia and probably won’t happen, maybe there’s a middle ground.

    Unions are a good idea. Unions represent many workers and can negotiate working conditions and pay with much more weight than any individual worker can for themself.

    Works councils are also a good idea, those are elected representatives of the employees of a company. They’re smaller than trade unions, but can still negotiate on behalf of the employees of the company. Sometimes they even get a seat on the board of directors so they have a say in how the company is run.

    That’s how you can have capitalism but also avoid the worst effects of treating workers and customers badly. Anyway, unchecked capitalism is not a great idea. The USA would be an example of such unchecked capitalism.

    Especially when you know that money equals power and the wealthy can buy their politicians through the means of “campaign donations” and now the owners of companies control the lawmakers who write the laws these companies have to abide by … From Europe we look at the USA and are mortified, but let’s not make this even more political.



  • frustboxtoAsklemmyLeftist circlejerks everywhere
    link
    fedilink
    arrow-up
    26
    arrow-down
    4
    ·
    1 year ago

    Are we really still “both siding” this?

    You have one side stating that the current social and economic systems cause a lot of people to suffer and die in poverty - maybe we could change the those systems so that the world becomes more fair and fewer people suffer.

    While the other side basically says: people we don’t like shouldn’t exist. Let’s make their lives more miserable.

    And you think those two positions are the same?


  • frustboxtoPrivacy*Permanently Deleted*
    link
    fedilink
    arrow-up
    2
    ·
    1 year ago

    I don’t mean some obscure about:config setting. I want it to show me some indication (doesn’t have to be a popup, those have their own set of issues) that tells me “Firefox blocked x extension on this site [enable it]” - like they do for popup windows that have been blocked.


  • frustboxtoPrivacy*Permanently Deleted*
    link
    fedilink
    arrow-up
    6
    ·
    1 year ago

    They have a knowledgebase article explaining why …

    … that doesn’t explain why. Yes it explains the technical mechanism by which extensions can be blocked, but no explanation why this feature is even there. There’s just a sentence about “various reasons, including security considerations.”

    I think it would help if they explained some of those “various reasons”, maybe with an example. Then I might even agree that those are situations where that might improve the user experience. Or the security.

    But I would absolutely demand a transparent process for how, why and by who these decisions get made. And possibly a way to enable the extension regardless - you open a page, an extension is blocked, you get a notification explaining why and giving you an override option.

    Part of me wants to believe that this is just very poorly communicated. Mozilla has been doing this for a while, for example extensions don’t work on addons.mozilla.org or any of the about: pages. And that seems reasonable to me. But I also don’t like the thought of mozilla policing what a user is or isn’t allowed to do.



  • That depends on the password manager.

    There are password managers that work on your computer and the data never leaves your hardware. KeepassXC for example. The database is just a file on your computer - you are in charge of backing it up, synchronizing it to your other devices (i.e. phone) etc. The database file is fully encrypted so you could share it with a cloud provider like google drive or dropbox, or you could use syncthing which synchronizes files between your devices without cloud storage. If you use cloud storage there’s a small risk that the encrypted file gets into the wrong hands (but it is encrypted so it’s most likely worthless to any would be hacker).

    Some other password managers offer a web service where you can log into a website to see your passwords, and they have mobile apps and browser extensions. These do store your passwords in their cloud - the risk that those get breached is considerably higher. But even there it depends on the implementation details. Bitwarden for example kind of does something similar to keepass, where your “vault” is encrypted locally and then stored on their servers. Even if they get breached, the data would be useless. Lastpass had a breach recently and it turned out that they didn’t encrypt everything - so someone with access to the data could determine some details such as which sites a user had accounts on. And apparently some vaults used a weaker encryption so those might be decrypted eventually.

    And a lot of password managers are closed source so there’s no telling what they may do, just “trust me bro”.

    If I had to give a recommendation it would be bitwarden - it’s open source, it’s free although there is a paid plan if you need it and want to support them. It’s really easy to use. If you have extreme paranoia (no judgement) then keepassxc - it’s also open source and free, it’s just a little more effort to set it all up so it doesn’t get my first choice.



  • Several points

    They generate strong passwords - completely random with no scheme or method to guess. They are long and use many different characters. These won’t be easy to memorize, but that’s the point of a password manager, isn’t it? Much stronger than “google-monkey123”, “lemmy-monkey123” etc.

    They generate unique passwords - different passwords for every login. When, inevitably, one website had their database breached and it turns out that they stored the passwords too (you never store the passwords, only a “hash”, a scrambled version of it), that password of yours can’t be used on other websites. Or any scheme be detected “hey that guy just appends ‘monkey123’ to the name of the site!” That password was truly unique and is not a danger to your other online accounts.

    They protect you from phishing - consider this scenario: you get a message with a link, you click on it and the site asks you to log in, so you type in your login and password, but that was a phishing site, it looked like the real website, but really it wasn’t. And now the attacker knows your username and password. A password manager that automatically fills your login details will only do so if the domain name is exactly correct, on a phishing site it will not auto-fill, giving you a moment to stop and think.



  • I can only speculate.

    Typically the developer registers the app and gets a client-id, a client-secret, and sometimes an api key. With those the client app can authorize users and/or request data from the API. This will continue to function (and probably cost the dev money) until the client app credentials are revoked. Maybe some developers are giving their users a grace period until they can publish a new app (with new credentials) that is subscription based. They’ll likely eat the cost for the transition period.

    At least that is what Infinity does.