🅸 🅰🅼 🆃🅷🅴 🅻🅰🆆. 
 𝕽𝖚𝖆𝖎𝖉𝖍𝖗𝖎𝖌𝖍 𝖋𝖊𝖆𝖙𝖍𝖊𝖗𝖘𝖙𝖔𝖓𝖊𝖍𝖆𝖚𝖌𝖍 
  • 1 Post
Joined 9M ago
Cake day: Aug 26, 2022


And all those bicycles! So much rubber pollution!

On that note, this is some exciting technology that’s coming that’ll help reduce rubber pollution from all sources:


It’s perverted and God hates cosplayers. Especially that one who lives in Rome and dresses in white all the time; God hates that silly hat. Oh, and he hates all those US cosplayers who cosplay as Nazis, with their silly uniforms, guns, and glammed-up cars.

Oh… wait… that’s fascists, not cosplayers. No, God’s ok with cosplayers.

True, all true. The KeePassXC auditor was able to get metadata and notes (which dismayed them, as there was no indication that notes were not encrypted) from a dump after DB lock.

Good points!

The audit is an interesting read. The author comes off a little fan-boyish, but has good credentials and his points are well reasoned.

I’m not a security specialist, but I thought the report understandable, approachable, and brief - in short, quite readable, and informative.

It’s not about metadata exchange, but metadata exposure.

Two of those platforms use self-hosted node servers. Behind a VPN with multiple customers, this is virtually untraceable. And certainly far less easily traced than by giving away your cell phone number to a company.


However, I’m perfectly happy with KeePassXC. It’s audited, secure, has a great UI, and if you want to accept less security can serve as a secret-service and ssh-agent replacement. There are a bunch of OSS tools and clients that support the kbx.v4 file format, and if you want to audit the code of the tools, they’re in almost every language. There are some really nice (pretty, user friendly) native mobile apps.

There’s risk in grabbing any old client, of course, but having such a diverse ecosystem is nice, especially if you don’t mind reading some code.

“Popular,” and even “ease of use,” are not relevant for the label of Gold Standard when we’re talking about security. Functionality for purpose is relevant, but if we’re allowing for weaker security in trade for ease of use then I’d say just use SMS; sure, it’s not as secure as Signal, but it’s a lot easier.

Reductio ad absurdum aside, there are by my count about a half-dozen systems which are more secure than Signal. Systems which don’t require you to give up your phone number, or publish it, or leak other personal metadata. You mentioned one, Briar, and there’s SimpleX Chat, Tox, and Jami (the latter two have been around for a few years, and IIRC Jami’s been audited). There are any number of apps (web and mobile) that claim encryption and anonymity such as Confide, Onion Chat, ChatS, Speek!, Peekno, and Threema. Ocelot and retroshare.io are peer-to-peer with no central servers, and are probably (metadata) secure.

I wouldn’t call any of these individually the gold standard, but several are obviously more secure than Signal.

I can’t get over how any system that required such a traceable and abusable piece of PII as a cell phone number could be considered the gold standard for privacy.

I just don’t like having to depend on a third party, or like the idea that they have access to my keys - even encrypted. It’s too many eggs in one basket, for my taste.

But lots of people like it, and I’ve never heard of any criticisms of it from the security community, so it’s probably an acceptable choice.

I don’t know which software, that can ever handle passwords, is immune to a hostile user capable of doing memory dumps on the target’s memory space. Are you aware of one?

This threat model would require inter-process memory security at the OS level; you’d need to be running BSD, or some microkernel. You’re not getting those protections on mainstream OSes, even with SELinux, and every application that ever handles credentials in plain is at risk.

The point about Qt (and, TBH, probably about .Net) is how long the password remains in memory, and so how big the attack vector window is, not whether or not it’s completely immune to memory dump-level threats. 'Cause Windows and Linux are both susceptible to that.


I read that! Props on the auditor for doing it gratis; it’s rare to see people pay back the benefit they get from OSS.


The real answer is not to give control of your passwords to a third party; it’s to not use crappy .Net programs.

KeePassXC is not affected.

We love a good civil war! And so far, 100% of the time the good guys won.

This assumes traceability of the coins, which would necessitate eliminating anonymity, which is a bold claim.

Oh, wow. I totally trust the Secret Service on this. It’s crazy that all blockchain has the same, breakable, model. I’m sure Monero is shaking in its boots.

Most tech is expensive when new. Prices usually come down as it ages into the market.

Are any of these points unsolvable engineering problems?

TFA claims Signal is the gold standard, which raises my eyebrows, especially as the author - in the same breath - admits Signal leaks metadata.

There are chat clients, less popular, less well funded, that don’t leak metadata. Signal may be a good choice for the average non-techie, but it’s hardly the gold standard for private chat.

restic. I’ve been using it for years, and specifically with B2 for at least 2.

  • Client-side encryption, by default
  • Single executable
  • Stable format
  • Backups are incremental by default
  • Backups are mountable (via fuse), so it’s easy to grab specific files from a snapshot

It really is a fantastic, free, OSS program.


I think it’s also on Play, if that’s your thing.

It is available in different versions. There’s one with no networking, but also one with various cloud syncing, including self-hosting (Nextcloud).

I’ve been using the offline version for years and syncing with Syncthing.

What I like most is that it uses the todo.txt file format, which IMHO is the uber-task-format, and means that I have a variety of editing options on the desktop.

Yes, that’s exactly the situation I mean. People who’d rather run Gnome, or those of us who’d rather run a lightweight windowing system, can get all of the benefits of KDE Connect without running all of the KDE cruft.

I have really come to depend on rolling-release systems. I have a few appliances that run Ubuntu, because of a dependency on vendor packages and insufficient interest in fighting with software+hardware issues, and I hate when I have to deal with them. The paucity of software, the frequent breakage on release upgrades; I don’t know how people who prefer these systems justify how bad they are in comparison to Arch (or Nix, or any other rolling release-based distro).

I haven’t yet done it, but Arch is so reliable I’m tempted to create a daily -Syu cron job (or, more precisely, a systemd timer job, because I’m as yet only running Artix on a couple of systems). The only thing that gives me pause are the kernel updates, which are frequent and necessitate system reboots.

Those kernel updates really make me wish Linus had focused on a microkernel architecture.

For KDE Connect, there’s a headless program called mconnect with no Qt (or KDE) dependencies. I use it with the KDE Connect Android app, and it works well. All of the commands on the Linux end are CLI, and many of the functions are supported.

Supported functions

Edit: link to source

I agree, I’d rather have it in .local/share/ or something like that. Not all *nix OSes use XDG (eg BSD variants), and even many linux distributions don’t use it by default. I suspect they did it for consistency as much as from a philosophy of “don’t hide things from users, they’re adults, not children.”

If you read Pike’s argument, it’s an argument for simply putting things in $HOME, out in the open.

I personally believe XDG has the right idea, but is a bad implementation. They should have put local, cache, and config without the dots.

IMO, the absolute worst offenders of FS use are Electron apps, which put all app files in .config. db files, cache files, temp files… they all go in .config/APPNAME, which makes version controlling .config a lot of work. That’s far more offensive than an app creating a single, self-contained directory for itself in $HOME.

Oh, yum! Ok, I’m making that this weekend!

Does the type of beer make a difference? There isn’t much of it; have you tried it with, eg, a stout, vs a lager?

This is a client problem, a flaw in how clients exchange, manage, and maintain keys. How would server volume affect clients being unable to decrypt messages from people they were previously able to? Neither my wife nor I added new devices, or rotated keys.

My theory is that it was the result of a client version upgrade, because that does happen pretty regularly. And this hasn’t been the first time it happened; the previous time there was a week or so when messages were not decryptable, and then it mysteriously fixed itself.

Element and Matrix (the protocol) is just flakey.

Thanks to your post, I installed Steam and tried the demo. I’m going to have to figure out a thing with my keyboard, b/c it isn’t playing nicely with the game, but I’m pretty excited.

I haven’t been interested in, or played, a resource management game in years; Factorio looks like it could be dangerously addictive.

Thanks for the videos!

I wasn’t. Should I have been? Who is that person, and why should I care?

Yup. A couple of months ago my wife’s Element and my Fluffychat suddenly started having problems decrypting each other’s messages. That was the last straw; having to go through Matrix’s annoying and tedious key sync dance every couple of months isn’t worth it. I switched us to SimpleX, which kinda sucks right now, but it at least works and doesn’t have a flakey, broken, unusable key management mechanism.

She’s completely off Matrix now. I still use it as a more complex, fussy IRC, because that’s where my rooms are… but I’ll probably go back to IRC eventually. The family is on Wire, which is also stable and works well.

if you’re syncing passwords through a browser, a password manager, iCloud Keychain, or one of the Microsoft or Google equivalents, be aware that you are already trusting a cloud service

And this is a bullshit statement anyway.

I keep my passwords in KeePassXC and sync them with SyncThing; KeePassXC is absolutely a “password manager.” There’s no “trusting a cloud service” in there, anywhere.

Edit: 100% agree with you. I want proof that Google et al have no ownership of my identity before I use them.

It’s one of the easiest bread recipes I’ve seen, and frankly just as good as any fussy recipe that requires more steps. This one is just “put everything in a bowl and mix it.”

Now, some breads do need more work that you really can’t simplify and still get the same result, like baguette. But I think people see bread recipes and think they’re a lot of work, get turned off, and never make their own bread. It’s a shame, because it doesn’t have to be hard, and it’s way cheaper - and IMO tastier - when it’s homemade.

Rob Pike is the author of the most commonly quoted records about dotfiles, and how they were a mistake; this has indirectly led to the creation of the program under which we’re discussing.

Pike is also one of the original creators of Go, and it would have been extremely odd if he’d have perpetuated what he’s gone on record as being one of the great mistakes of Unix. One of the original creators of Unix was another of the creators of Go, which would lend strength to the belief that those involved believe dotfiles were a regrettable, unexpected, and undesirable consequence of shortcuts.

In short, many people believe that programs “hiding” files and directories is an antipattern, and they should put their directories out in the open, or where the user chooses them to live… just like Go does.

Mac and cheese is such a great base for meals! We do the same, and sometimes with burger. We often add peas to the tuna version, and onion to the burger version.

This is a really great suggestion! Once you have the mac & cheese, you can create a bunch of different dishes!

Also, my wife can’t have dairy, and we found a fantastic vegan mac & cheese by a company called Daiya. In our opinion, they’ve got the best-tasting dairy substitutes. They have a vegan cheddar cheese sauce and an alfredo sauce that’s really good, and also make standard mac & cheese boxes for quick-and-easy.

Americans tend to think of mac & cheese as unhealthy comfort food, but it’s a great basis for a variety of dishes.

+1 on your suggestion!

The one recipe I make, more than any other, is bread. It’s fast, simple, and aside from being a nearly every-morning staple, it forms the basis for many of our lunches. I make this once a week, throughout the year, and I doubt we make any other single, non-trivial recipe more frequently.

Unless “martini” is a recipe.

How is that the worst? Offlineimap adds three different dotfiles in $HOME. OhMyZsh turns one .zshrc into two (~/.zshrc and ~/.zshrc.local). Countless programs put multiple dotfiles at the top level – go is the worst just because it doesn’t start with a dot?

The directory is easily moved; the environment variable GOPATH declares where the tooling looks for it. Set GOPATH=~/.go in your profile or shell rc, and mv go .go. Or, if you’re cleaning up $HOME, move it to ~/.local (mv go .local/go) and set your GOPATH to that (export GOPATH=~/.local/go). Don’t forget to add $GOPATH/bin to your path, if you have executables you use.
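The relocation described in the comment above, written out as an added POSIX shell example (not the commenter's own script): it moves `~/go` to a path of your choosing under `$HOME`, refuses to clobber an existing target, and prints the two `export` lines to paste into your shell rc. The function name `relocate_gopath` and the `.local/go` destination are assumptions; the only facts relied on are that the `go` tool reads the `GOPATH` environment variable and installs binaries under `$GOPATH/bin`.

```shell
#!/bin/sh
# Added example, not from the original comment: relocate the Go workspace
# out of the top level of $HOME and point GOPATH at the new location.
#
# Usage: relocate_gopath <home_dir> <relative_target>
#   relocate_gopath "$HOME" .local/go    # moves ~/go -> ~/.local/go
# Prints the rc lines to add and returns 0 on success, 1 if the target exists.

relocate_gopath() {
    home="$1"
    rel="$2"
    old="$home/go"
    new="$home/$rel"

    # Refuse to merge into an existing directory: silently mixing two
    # workspaces puts module caches and installed tools in the wrong place.
    if [ -e "$new" ]; then
        echo "error: $new already exists; aborting" >&2
        return 1
    fi

    # Move the existing workspace, or create an empty one if there is none.
    if [ -d "$old" ]; then
        mkdir -p "$(dirname "$new")"
        mv "$old" "$new"
    else
        mkdir -p "$new"
    fi

    # Lines for ~/.profile or your shell rc. GOPATH is resolved from $HOME at
    # login; $GOPATH/bin is where `go install` places executables.
    printf 'export GOPATH="$HOME/%s"\n' "$rel"
    printf 'export PATH="$GOPATH/bin:$PATH"\n'
}
```

After sourcing the new rc lines, `go env GOPATH` should print the relocated path; the module download cache (`$GOPATH/pkg/mod`) and any installed tools move along with the directory, so nothing needs to be re-fetched.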

Fediverse only, I use Fedilab and Jerboa; on the desktop, tut.

I do follow Pixelfed accounts from Fedilab, and that works well enough. I have a Peertube account but almost never use it, nor follow any account there.

I think an app could probably do both Lemmy and Mastodon reasonably well; I only wonder how communities would represent alongside boost streams. The biggest problem for me, by far, is finding and joining communities; my subscribe list remains both small, and static; on Reddit, it was large, and constantly growing. And I wish hashtags worked better on Mastodon. Fediverse apps kinda suck on the finding and filtering side. If you could fix that, it’d be a greater killer feature than simple integration, which Fedilab is already pretty decent at.

But anyone who has read the CSL and thinks Tik Tok is just doing “harmless aggregate advertising” is severely in need of a reality check.

Someone is absolutely processing specifics about any person of possible interest beyond advertising.

Do Lemmy admins have to federate communities?
Suuuuper new to Lemmy, so apologies in advance if this is a particularly stupid question. DDG has been no help. I'm a member of midwest.social. I'd like to subscribe, and post to, a community (sub?) on another server. I know the other server is federated with midwest.social, because I can see other subs, and I know the sub on the foreign server (in this case, lemmy.ml), which I found with DDG. So why can't I find the sub in Jerboa? I've searched by name, by name including server, by every combination of reference I can think of. !, #, @. It's a technical sub, and I can't imagine it's been intentionally blocked. So I'm thinking that maybe Lemmy is whitelist-based? Do admins have to explicitly include subs from other instances? Or is there some magic that I've somehow missed about how to get to a federated sub that maybe nobody has yet accessed on the instance I've joined? I found an old (1y) discussion about how to make Lemmy more accessible to new users. Someone offhand referenced this topic (accessing federated subs) needing more clarity, but with no explanation. A pointer to a how-to would be handy; maybe answers will help some future user when they find this post through whichever fad search engine privacy wonks are using in a couple of years.