ZIP bomb is definitely among the most mundane of issues you could cause yourself by automatically unzipping a compressed archive.
- Posts
- 0
- Comments
- 153
- Joined
- 3 yr. ago
Why the immediate jump to IT mode? Sure, ZFS is great, but running ZFS takes a decent chunk of RAM for cache.
I get the statement you're trying to make here - serving the name of a platform you dislike with the same reverence as he-who-must-not-be-named in Harry Potter (Voldemort) - but all you've done is obfuscate the search engine. Now if someone is skimming for information on the platform via search, you've hidden your comments and post from someone who might find your perspective useful. No one is going to try 15 ways of spelling a platform name (except maybe trying stackoverflow with and without spaces). Internet users are pretty lazy.
Why are you redacting platform names like it's profanity? My brain keeps trying to read it as markdown....
No I can't say I'm excited for an OS that will undoubtedly contain first-party spyware
I've only had issues with embedded serial consoles and things where you have to swap ctrl-h/? for backspace. But usually it's solvable with key mapping.
Also you mention vi/m but insert is red? That's the toggle switch between insert and replace mode (i vs shift-R)
If Unity had a problem with VLC playing copyrighted content they should have said so, not issued a takedown on LGPL grounds. Regardless of whether they're right or not from a lawyer perspective, it's a bad look for Unity to show the double standard here.
I'm probably the overkill case because I have AD+vC and a ton of VMs.
RPO 24H for main desktop and critical VMs like vCenter, domain controllers, DHCP, DNS, Unifi controller, etc.
Twice a week for laptops and remote desktop target VMs
Once a week for everything else.
Backups are kept: (may be plus or minus a bit)
- Daily backups for a week
- Weekly backups for a month
- Monthly backups for a year
- Yearly backups for 2-3y
The software I have (Synology Active Backup) captures data using incremental backups where possible, but if it loses its incremental marker (system restore in windows, change-block tracking in VMware, rsync for file servers), it will generate a full backup and deduplicate (iirc).
From the many times this has saved me from various bad things happening for various reasons, I want to say the RTO is about 2-6h for a VM to restore and 18 for a desktop to restore from the point at which I decide to go back to a backup.
Right now my main limitation is my poor quad core Synology is running a little hot on the CPU front, so some of those have farther apart RPOs than I'd like.
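The retention schedule in that comment (daily for a week, weekly for a month, monthly for a year, yearly for a few years) is a grandfather-father-son rotation. The following is an added example of how such a prune pass can be computed; it is not the commenter's setup or Synology's code. The window lengths, the tier names, and the nightly-backup sample data are this example's assumptions.

```python
"""Grandfather-father-son retention pruning, added here as a worked example.

Not the commenter's or Synology's code. It models the schedule described in
the comment (daily for a week, weekly for a month, monthly for a year, yearly
for a few years); the window lengths below are assumptions, not stated values.
"""
from datetime import datetime, timedelta

# Retention windows in days (assumed). Each tier keeps the newest backup per
# bucket (calendar day, ISO week, calendar month, calendar year) inside its
# window; a backup survives if any tier wants it.
POLICY = {"daily": 7, "weekly": 30, "monthly": 365, "yearly": 3 * 365}


def bucket_key(ts: datetime, tier: str):
    """Map a backup timestamp to the bucket its tier groups by."""
    if tier == "daily":
        return ts.date()
    if tier == "weekly":
        iso_year, iso_week, _ = ts.isocalendar()
        return (iso_year, iso_week)
    if tier == "monthly":
        return (ts.year, ts.month)
    if tier == "yearly":
        return ts.year
    raise ValueError(f"unknown tier {tier!r}")


def select_retained(backups, now: datetime, policy=POLICY):
    """Return the set of backup timestamps the policy keeps at time `now`."""
    keep = set()
    for tier, window_days in policy.items():
        newest_per_bucket = {}
        for ts in backups:
            age_days = (now - ts).days
            if 0 <= age_days <= window_days:
                key = bucket_key(ts, tier)
                if key not in newest_per_bucket or ts > newest_per_bucket[key]:
                    newest_per_bucket[key] = ts
        keep.update(newest_per_bucket.values())
    return keep


def prune_plan(backups, now: datetime, policy=POLICY):
    """Split backups into (kept, expired), each sorted oldest first."""
    keep = select_retained(backups, now, policy)
    kept = sorted(b for b in backups if b in keep)
    expired = sorted(b for b in backups if b not in keep)
    return kept, expired


# Constructed sample: one backup per night at 02:00, going back `days` nights.
EXAMPLE_NOW = datetime(2024, 6, 30, 2, 0)  # a Sunday, chosen for the example


def nightly_backups(now: datetime, days: int):
    return [now - timedelta(days=i) for i in range(days)]


def run_example(days: int = 40):
    """Plan a prune over `days` nightly backups; returns date strings."""
    kept, expired = prune_plan(nightly_backups(EXAMPLE_NOW, days), EXAMPLE_NOW)
    fmt = "%Y-%m-%d"
    return [k.strftime(fmt) for k in kept], [e.strftime(fmt) for e in expired]


if __name__ == "__main__":
    kept, expired = run_example()
    print(f"keep {len(kept)}: {kept}")
    print(f"expire {len(expired)}")
```

With 40 nightly backups the plan keeps 12: the last eight days, the Sundays of the three preceding ISO weeks, and 31 May as the monthly point for May; with four years of nightlies it also keeps the last backup of each of 2021, 2022 and 2023, and nothing older than the yearly window. Each tier is evaluated independently and the results are unioned, so widening one window never causes another tier to drop a backup.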
LLMs have a tendency to hallucinate: https://en.wikipedia.org/wiki/Hallucination_%28artificial_intelligence%29
As someone else stated, the AI can't reason. It doesn't understand what a unicorn is. It can't think "a unicorn has a singular horn, so a non existent two-headed unicorn would have two horns". Somewhere along the line it'll probably mix in a deer or a moose that has two horns, because the number two matches the number of horns per head statistically.
Last year, two lawyers in separate cases with different LLMs submitted hallucinated case citations. It would have been trivially simple for them to drop the case number into a proper legal search engine, but neither did. This is a similar issue: the LLM will also prioritize what you want to hear, so it does what it's designed to do and generate text related to your question. Like the unicorn example, it has no reasoning to say "any legal research should be confirmed by making a call to an actual legal database to confirm citations" like a human would. It's just scribbling words on the page that look like other similar words it knows. It can make case notes look real as heck because it has seen other case notes, but that's all it's doing. (please excuse the political news story, but it's relevant)
- https://www.npr.org/2023/12/30/1222273745/michael-cohen-ai-fake-legal-cases
- https://www.bbc.com/news/world-us-canada-65735769
And it's not limited to unicorns or case notes. I found this reddit post while researching a feature of a software package (Nextcloud) several months ago. In the post, OP is seeking an option to pause the desktop client from the command line. Someone responds with a ChatGPT answer, which is quite hallucinated. Not only does such an option not appear in the documentation, there's an open bug report to the software devs to request that the feature be added. Two things easy for a reasoning human to do, but the AI is just responding with what you want to hear - documentation.
- https://www.reddit.com/r/NextCloud/comments/136hm7j/pauseresume_sync_from_command_line/
- https://github.com/nextcloud/desktop/issues/5649
I've also seen ChatGPT tell my friend to use PowerShell commands that don't exist, and he had to tell the model twice to generate something new because it kept coming to the same conclusion.
This elicited a genuine laugh from me.
Excellent work, OP. I can feel the scope creep in my bones.
I've got nothing against downloading things only once - I have a few dozen VMs at home. But once you reach a certain point, maintaining offline ISOs for updating can become a chore, and larger ISOs take longer to write to flash install media by nature. Once you get a big enough network, homogenizing to a single distro can become problematic: some software just works better on certain distros.
I'll admit that I did miss the point of this post initially, wondering why there was a post about downloading Debian when their website was pretty straightforward - the title caught me off guard and doesn't quite match what it really is on the inside. Inside, it's much, much more involved than a simple download.
Therein lies the wrinkle: there's a wide spectrum of selfhosters on this community, everyone from people getting their first VM server online with a bit of scripted container magic, all the way to senior+ IT and software engineers who can write GUI front ends to make Linux a router. (source: skimming the community first page). For a lot of folks, re-downloading every time is an ok middle ground because it just works, and they're counting on the internet existing in general to remotely access their gear once it's deployed.
Not everyone is going to always pick the "best" or "most efficient" route every time because in my experience as a professional IT engineer, people tend towards the easy solution because it's straightforward. And from a security perspective, I'm just happy if people choose to update their servers regularly. I'd rather see them inefficient but secure than efficient and out of date every cycle.
At home, I use a personal package mirror for that. It has the benefit of also running periodic replications on schedule* to be available as a target that auto updates work from. Bit harder to set up than a single offline ISO, but once it's up it's fairly low maintenance. Off-hand, I think I keep around a few versions each of Ubuntu, Debian, Rocky, Alma, EPEL, Cygwin, Xen, and Proxmox. A representative set of most of my network where I have either three or more nodes of a given OS, or that OS is on a network where Internet access is blocked (such as my management network). vCenter serves as its own mirror for my ESXi hosts, and I use Gitea as a docker repo and CI/CD.
I also have a library of ISOs on an SMB share sorted by distro and architecture. These are generally the net install versions or the DVD versions that get the OS installed enough to use a package repo.
I've worked on full air gap systems before, and those can be just a chore in general. ISO update sometimes can be the best way, because everything else is blocked on the firewall.
*Before anyone corrects me, yes I am aware you can set up something similar to generate ISOs
Even better, you can swapoff swap too!
As an IT Engineer this concept frankly terrified me and feels like you're opening yourself up to a potential zero-click attack - such as https://threatpost.com/apple-mail-zero-click-security-vulnerability/165238/
So my initial answer is an emphatic "please do not the ZIP". It could be as mundane as a ZIP bomb, or it could exploit a vulnerability in the operating system or automatic extraction program. Having a human required to open the ZIP prior to its expansion reduces its attack surface area somewhat (but does not eliminate it) because it allows the human to go "huh, this ZIP looks funny" if something is off, rather than just dispatching an automated task.
With that out of the way - what's your use case with this? There has to be a specific reason you're interested in saving a few clicks here on one highly specific archive format, but not others like the tar Unix archive, 7z, or RAR.
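If an automatic unzip is going to happen anyway, the "huh, this ZIP looks funny" step can at least be partly automated. The following is an added example (not code from this thread) of the two guard rails a defender would put in front of an extractor: a header-level check of declared size and compression ratio, which is what catches a classic ZIP bomb, and a running byte budget during actual decompression, because the header fields are supplied by whoever built the archive and can lie. The byte budget, the ratio limit, and the sample archives are this example's assumptions.

```python
"""Guard rails before an automatic unzip, added here as a worked example.

Not code from the thread. Two defensive checks are shown:
  1. Read the central directory and refuse archives whose declared
     uncompressed size or overall compression ratio exceeds a budget.
  2. Because those header fields are untrusted and can lie, also count the
     bytes actually produced while streaming members out and stop the moment
     the budget is exceeded; reject member names that would resolve outside
     the destination directory.
The budgets below are this example's assumptions.
"""
import io
import os
import zipfile

MAX_TOTAL_BYTES = 50 * 1024 * 1024  # assumed budget: 50 MiB of output
MAX_RATIO = 100.0                   # assumed: refuse more than 100:1 overall


class UnsafeArchive(ValueError):
    """Raised when an archive trips one of the guards."""


def inspect_zip(data: bytes):
    """Return (declared_uncompressed, compressed, ratio) from the central directory."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
    declared = sum(i.file_size for i in infos)
    compressed = sum(i.compress_size for i in infos)
    ratio = declared / compressed if compressed else float("inf")
    return declared, compressed, ratio


def is_safe_to_extract(data, max_total=MAX_TOTAL_BYTES, max_ratio=MAX_RATIO):
    """Header-level decision before any decompression: (ok, reason)."""
    declared, compressed, ratio = inspect_zip(data)
    if declared > max_total:
        return False, f"declared size {declared} B exceeds budget {max_total} B"
    if ratio > max_ratio:
        return False, f"compression ratio {ratio:.0f}:1 exceeds {max_ratio:.0f}:1"
    return True, "ok"


def member_is_safe(name: str) -> bool:
    """Reject member names that could land outside the extraction directory."""
    parts = name.replace("\\", "/").split("/")
    if name.startswith("/") or ".." in parts:
        return False
    if len(parts[0]) == 2 and parts[0][1] == ":":  # Windows drive prefix
        return False
    return True


def stream_members(data, dest=None, max_total=MAX_TOTAL_BYTES, chunk=64 * 1024):
    """Decompress every member under a running byte budget.

    dest=None is a dry run that only counts output bytes; with a directory the
    files are also written. Returns the total bytes produced.
    """
    written = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not member_is_safe(info.filename):
                raise UnsafeArchive(f"member name escapes destination: {info.filename!r}")
            if info.is_dir():
                continue
            out = None
            if dest is not None:
                target = os.path.join(dest, info.filename)
                os.makedirs(os.path.dirname(target) or dest, exist_ok=True)
                out = open(target, "wb")
            try:
                with zf.open(info) as src:
                    while True:
                        buf = src.read(chunk)
                        if not buf:
                            break
                        written += len(buf)  # count real output, not header claims
                        if written > max_total:
                            raise UnsafeArchive(f"output exceeded {max_total} B in {info.filename!r}")
                        if out is not None:
                            out.write(buf)
            finally:
                if out is not None:
                    out.close()
    return written


def build_zip(members: dict) -> bytes:
    """Build a deflated ZIP in memory (used only to construct the samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()


# Constructed samples: an ordinary text file, and 8 MiB of zeros, which deflate
# squeezes to a few KiB (a ratio around 1000:1).
BENIGN_TEXT = b"quarterly notes, nothing unusual in here\n"
BENIGN_ZIP = build_zip({"notes/readme.txt": BENIGN_TEXT})
INFLATED_ZIP = build_zip({"blob.bin": b"\x00" * (8 * 1024 * 1024)})

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_ZIP), ("inflated", INFLATED_ZIP)):
        print(label, is_safe_to_extract(blob))
```

The header check is cheap and runs before a single byte is inflated, so it belongs in front of any automated pipeline; the streaming budget is the backstop for archives whose central directory under-reports sizes, and it is the reason a dry run with `dest=None` still takes as long as a real extraction. Neither check replaces the human look the comment argues for, but together they turn "the extractor ran out of disk" into a logged rejection.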