• 0 Posts
  • 77 Comments
Joined 11 months ago
Cake day: November 4th, 2023
  • Kid_Thunder@kbin.socialtoSelfhosted@lemmy.worldSelf-hosted website for posting web novel/fiction
    3·
    5 months ago

    I see some comments recommending wordpress but wordpress is a security problem, especially if you’re using 3rd party plugins. It is such a bad problem that their are ‘wordpress security’ applications but even then wordpress sites get hacked all the time. If you are going to use it, it is best to let some other host handle it for you if you don’t know a whole lot about what you’re doing.

    There are many, many other content management systems out there. Some are lighter than wordpress and some heavier. They are all about posting and managing content. Most of them have some sort of user and authoring system. Once you’re webserver is set up, many are written in a mixture of php and python so setting them up is generally drag and drop with either minor configuration file edits or wizards. Many of them have sections that you can set up using a labeling/tagging system. Most of them allow you to have the ‘stories’ as private or draft where you have to actually click publish before people can view them. Some have user roles systems where you can limit viewing and even editing between different roles for sections.

    Generally, once their setup is done, they are point and click to do everything.

    Here’s a nice list of FOSS CMS’ (which includes Wordpress of course).

  • Kid_Thunder@kbin.socialtoTechnology@beehaw.orgSteam is a ticking time bomb
    31·
    6 months ago

    A 30% cut for steam games sold on steam and a 0% cut for steam keys sold by the publisher wherever they want with the caveat that they must give steam users the same sales at around the same time. They get their games hosted on Steam’s industry best CDN, a page with support for images and videos, an API with features users like, workshop API for mod hosting and delivery, and other SteamWorks API stuff for stuff like multiplayer, patch management without charging a fee for it, forum hosting to hit the highlights. Pretty much all of that drives engagement and is mostly turn-key though you do have to programmatically interact with their API when it makes sense.

    Steam provides a lot of benefit for a 30% cut of what is sold on their store front and a lot more benefit for getting all of the above for a 0% cut if they sell steam keys outside of steam.

  • Kid_Thunder@kbin.socialtoSelfhosted@lemmy.worldCan someone explain to me why NAT is not enough for security?
    2·
    7 months ago

    Depends on if there’s an IPv6NAT and how your ISP converts between IPv4 and IPv6 or actually supports IPv6 straight through. It also depends on your router.

    Currently, there’s still some debate since IPv6NAT (NAT66/NPT6/NATv6) isn’t really needed for WAN boundaries for the reasons NAT exists. However, without it you are right on that this will be a problem for the consumer because PCs, IoT devices, printers, circuts or whatever my wife has, etc. could all be exploitable and even worse, you may never know you’re contributing to the botnet.

    As an example, I have a global IPv6 on a few on my devices. They can connect to IPv6 if it originates from me but if it originates from them or is UDP it doesn’t route to my IPv6. My router doesn’t care. It’ll route it just fine either way. It would appear that my ISP has me behind one of the IPv6 NATs.

    I’d imagine that’s true for most people at home.

  • Kid_Thunder@kbin.socialtoSelfhosted@lemmy.worldCan someone explain to me why NAT is not enough for security?
    49·
    7 months ago

    NAT provides some measure of security as pure coincidence to how it works. It is not designed or intended to provide security. It does not inspect packet payloads in order to filter them for security. It looks at the header and attempts to route it to an internal IP address (your devices on your LAN) and if it cannot, it will drop the packet because the header will only have the external IP address – the packet has no idea which device it is supposed to go to. Forwarding a port is telling the NAT to assume that when a packet hits a certain port, if it doesn’t know the destination internal IP, forward it to some internal IP anyway.

    The reason you can connect to websites, ssh outside, FTP, whatever, is because your connection comes from your internal IP first to some other IP and therefore, NAT knows which internal IP to route those packets to.

    Take for example this scenario:

    You download some software. It has malware that provides command and control (C2) to someone else outside of your network. A firewall and/or antivirus may be able to stop this and hopefully notify you. NAT will not help here. Furthermore, if you have uPNP enabled (usually it is by default on your router) the malware can forward any ports through your NAT to the compromised device opening it up to bot attacks and the like.

    Another scenario:

    You want to play a video game with you and your friends and you’re going to host it. So either you manually forward those ports or perhaps uPNP just does it for you. That game has an exploit known by attackers, or perhaps it can just be DDoS’d. Your NAT isn’t going to stop that. Hopefully a firewall will help you here. It definitely will if you set up explicit rules so that if they aren’t your friend’s IPs it will drop them. Though it is possible the game is exploitable and your friend’s are compromised.

    Take for example malware has been known to spread via Minecraft.

  • Kid_Thunder@kbin.socialtoPrivacy@lemmy.mlFTC bans antivirus giant Avast from selling its users' browsing data to advertisers
    9·
    7 months ago

    I disagree about ClamAV in-so-far as its vanilla virus signature database. You really should use some third party ones though you have to be careful since some like specifically malware patrol are way too general. For example, malware patrol will identify any document mentioning any drive.google.com URL a virus.

    In regards to MP, I actually submitted the offending signature to MP support and the CSR told said and I quote “Unfortunately that is not a false positive, there is confirmed malware hosted at drive.google.com.” It caught my attention because a bunch of READMEs from some github projects and some HTML files ended up in the quarantine. I asked if future signatures would include this general URL since I’m going to blacklist this specific signature and was told basically ‘yes, probably’.

    I do recommend third parties though and most are free for personal use. Some require a key and therefore some sort of sign up but it isn’t terrible except perhaps in regards to where I’m posting, some would consider it so.

  • Kid_Thunder@kbin.socialtoSelfhosted@lemmy.worldAnybody here running AD on-prem in your homelab?
    2·
    8 months ago

    The SSH keys don’t help me if I get locked out of a Domain Controller unless you’re using OpenSSH (which is now a native feature you can turn on). In that case you can actually still log into the DC via command line because it authenticates based on authorized_keys and not the LDAP of the DC. I actually do this on the enterprise, not because I may get locked out but because it is just convenient. Granted you’ll have to execute powershell on the command line once in to use the AD cmdlets.

    On the other hand when you create a DC now-a-days (Server 2019…I don’t remember if this is asked in the wizard when in Server 2016) you can create a “Directory Services Restore Mode” password which is basically a local admin account on the DC that you can log into only when the DC is booted into safe mode. You’ll be asked to create it when you promote your DC.

  • Kid_Thunder@kbin.socialtoSelfhosted@lemmy.worldAnybody here running AD on-prem in your homelab?
    3·
    8 months ago

    Personally I use FreeIPA for my LDAP. I like that I can create sudoers rules from one centralized place and manage ssh keys across all clients. Granted I could just use Ansible I suppose, which is how I update multiple distributions in my network and online but I like that I can just change SSH keys and sudoers from one place easily instead of changing tasks/roles. I also usually run cockpit even on my non-Red Hat distros with SSH keys just so I don’t have to log into everything though it is somewhat limited outside of the Red Hat sphere.

    If you don’t want to use ProxMox or some other specialized HyperVisor ecosystem, you can also use Cockpit to manager your VMs along with your Pods. I wish there’d be more attention to it for features because it feels like it could do a lot more.

    I also don’t really worry about locking myself out for two reasons:

    1. I use SSH keys.

    2. I also have a break-glass local account on every system…with SSH keys. If its on your local network, you can use VNC/VM console/Remote Desktop with a local account while only allowing SSH with keys if you’d like. Just make sure if you’re going to allow remote access outside of your network that you never forward the VNC/RDP ports. For SSH when I do this I always pick some random port – never default and never common ones like 2222 to at least keep my logs less noisy from the botnet auto attacks.

    For my online VPS’ I use a firewall with geoIP from Maxmind and drop all ports but 443 from the world, except for whatever country I’m in. I drop all packets from certain countries that seem to auto-attack more often than others. I try to drop packets from all known (to me) Shodan scanners. If I’m not traveling I just restrict all other ports to my public IP’s subnet though my IP hasn’t changed for years. For status checking services like StatusCake, I use the “push” method instead using a simple cron job with curl instead of relying on servers around the world checking my ports. In this case, the services just check that my server has successfully hit them within X minutes to be “up”.

  • Kid_Thunder@kbin.socialtoMildly Infuriating@lemmy.world*Permanently Deleted*
    121·
    8 months ago

    As much as he may have a case so long as he didn’t act against store policy and actually attempted to he probably has a case, even in an at-will state.

    The problem is that it will likely be difficult to get an attorney to represent him without an actual retainer because these cases usually draw out for a long, long time and are difficult to fight. Unless there’s a legitimate case for a class action, then the chances are slim that anyone can afford to fight the case, even if they ultimately could win because no attorney is going to devote years to this for a ‘maybe’.

    The only route there may be a hope of winning here is for him to apply for unemployment and if he doesn’t get it, to appeal himself. He may get that as small of a win as that is.

  • Kid_Thunder@kbin.socialtoTechnology@lemmy.worldMusic Piracy Is Back, Baby
    18·
    8 months ago

    Yeah funny, right? I thought the same thing. It’d just be the older people and the younger would be more technically literate. But companies started abstracting a lot of things now and it’s both the older and younger that struggle with IT literacy.

    I think thin clients with VDIs will be the future and both make this stuff even more abstracted for users and also bring in the age of subscribing to workstations. At work, it’ll start by just plopping stuff in your documents folder or personal folder or whatever and/or the desktop. They’ll live on a network share and the VDIs will revert to snapshots to be ‘fresh’ every time but the users won’t really know that. Their stuff will be plopped down like it is local every time and ‘follow’ them from VDI to VDI.

    Then I think this will push to the home market and instead of spending a lot of money up front, you just get a cheap thin client, probably eventually a small little box with USB ports and mini-DP or whatever. You’ll then pay for the tiers you want. Want just a workstation to check mail on and do ‘web apps’ type stuff? $5 with a whole 5GB of personal space or whatever. Then there’ll be “productivity tiers” with pretty much the same stuff but more CPU, RAM and a small amount of vGPU allocated and you can install programs with something like 500 GB of personal space. There’ll be a “pro” version with more of everything and a “gamer” version with a lot of everything probably costing something like $30/$40 a month starting out per device.

    And of course eventually, you’ll be getting ads to “keep the prices increases down” and then that won’t matter anymore and you’ll be given the option to pay for ad-free add-ons, time on the workstation and so-on. Prices will raise nearly every year. Thin clients will turn into all-in-ones and be basically tablets where you buy based on screen sizes and probably able to wireless connect more displays.

    Technology in computing will become more abstracted and IT’s specialists will shrink once again because actual tech literacy will decrease.

    I think the only reason it hasn’t started yet is due to Internet throughput availability but that’s quickly changing.

    A boring dystopia indeed.

  • Kid_Thunder@kbin.socialtoTechnology@lemmy.worldMusic Piracy Is Back, Baby
    4·
    8 months ago

    Yeah… How many times does the lesson need to be learned? The worse deal the consumer is given, the more likely they’ll just pirate instead. This is in both price and usability/frustration level.

    I still remember when Sirius/xm was actually popular. Ad free good quality radio where you could tune in to specialized stuff for a good price.You could generally get it for around $6/7 per mo/device. At the time I was going to buy a new stereo head just for better navigation of my flash drive with my music (I was already off of burned discs). But Sirius/xm was so cheap and it had an added bonus of some discovery and stuff that why bother? I’ll just primarily use that!

    The prices raised a couple of bucks and commercials for their top 10 channels but they are very quick.

    Then prices raised and it was commercials for every channel and so on. I cancelled when it was $18/mo/device with commercials everywhere long enough that it wasn’t as bad but close enough to being as bad as radio, except I’m paying for it. My friends told me "yeah but you just call them when your time is up and they’ll always make it like $12/mo/device for the first year and sometimes if you complain after it runs out they’ll do it the second year too.

    But why bother when by then you had great alternatives like Pandora and then Spotify and so-on. You get the same experience as Sirius/xm but it is free. Don’t want ads? It’s just a few bucks a month!

    Now streaming music is going down the same road that every popular service of everything always does. Worse experience and ad revenue. The price point for the pay options rise and won’t atop. It won’t be but maybe a decade until you can’t pay for no ads. You’ll pay to be able to pick exactly what you want to play and to decrease ad time I’m sure.

    In the background as the deal gets worse and there is no alternative offering a good deal with a good consumer experience then piracy rises. It always does. Companies will always complain piracy hurts them and the artists but all they have to do is be more reasonable.

  • Kid_Thunder@kbin.socialtoPrivacy@lemmy.mlAre you you looking for a private office suite? Try Libreoffice
    401·
    8 months ago

    LibreOffice is compatible with Microsoft’s OOXML spec. They sold every suite on it in the nearly 20 years ago to stop fines from the EU. They sold competing suites on it instead of using anything else available.

    Microsoft however never actually fully supported their own spec and will save as “OOXML Transition” or whatever they call it now because they’ve been in ‘transition’ for nearly 20 years but still have proprietary blobs inside of it. You can however make MS Office save in OOXML Strict which is supposed to be compliant to the now ISO spec that LibreOffice actually supports.

    This isn’t LibreOffice’s fault.