
nickwitha_k (he/him)

@nickwitha_k@lemmy.sdf.org

Posts: 12
Comments: 1633
Joined: 3 yr. ago

  • My two meow at each other, humans, and the dog.

  • Would have to go back to before the license change in September 2024. The current license basically forbids forks, from my reading.

  • Yeah. That's a pretty shitty license to move to for end users and others. Disallowing derivatives, etc. is within their rights, but really a dick move and, considering this commit message, not surprising.

  • As I mentioned in other comments, I am a noob when it comes to web-sec; please forgive what may be dumb questions.

    There's nothing to forgive. Asking questions and being curious is how you learn this stuff.

    Is it really just permission rights "over-exposure" issue?

    From what I've read, it's more fundamental than that. It's a basic architecture issue. The datastore was publicly accessible, which it should never be. If they had it set up according to best practices, with an API to proxy access and auth, the datastore's permissions would be of minimal consequence, unless their network was compromised (still best practice to secure it and approach with a zero-trust mindset).

    Or does one need to also encrypt and then decrypt the data itself that must be sent to a database?

    Generally, cloud datastores handle encryption/decryption transparently, as long as the account accessing data has authorization to use the key. They probably also didn't have encryption set up.

    Also, if you have time, recommend any links to web/cloud/SaaS security best practices "for dummies"?

    Here are some more resources:

  • I'd argue that it should not even be done in Dev. Dev, staging/testing, and prod environments should all be as close to one another as possible, especially for infra like datastores.

  • Welcome to Lemmy!

  • I agree. Some sort of solution is necessary but this probably isn't it.

  • On one hand, yes. On the other, women have, based upon crime statistics, legitimate reasons to avoid putting themselves in a situation where they may be assaulted or murdered for reporting problematic and/or worrisome behavior.

  • Yup. It sounds like they were following security worst practices.

  • Yeah. You also landed on a correct thought process for security. Cloud providers will let you make datastores public, but that's like handing over a revolver with an unknown number of live chambers and saying "Have fun playing Russian roulette! I hope you win." Making any datastore public-facing, without an API abstraction to control authN and authZ, is not just a bad practice, it's a stupid practice.

  • You've got the right ideas. No one should ever be storing any password in plaintext. It should always be hashed and only the hash stored. That's like WEBDEV99 (remedial course, not even 101).

    Really. Despite your stated "noobishness", you basically landed in the territory of best practices right off the bat.

    If you're looking for a good source of best practices, the CIS benchmarks are great. https://www.cisecurity.org/

  • I like type F for the symmetry. However, type K is smiling.

  • They really need to stop the passivity in headlines related to these atrocities. "Murdered" is the word, not the passive "killed" which could imply a lack of intent.

  • :D

  • Are you trying to tell me that the largest sect of protestant Christianity in the US, which was explicitly founded on the belief that chattel slavery was right and "godly", might have trouble with respecting the consent of people vulnerable to coercion? /s

  • ...Or...all three :D

  • But Salvation Army is anti-union and damn near anti-homeless. So, they can get bent.

  • LLMs should never be used for therapy.

  • No. Conservatism has always only been about conserving aristocratic/oligarchic socio-economic power structures and establishing them where absent. Those are the only ideals they've ever had. All of the rest was just a facade to pretend that their ideology has any place in a free, open, and equitable society.