Posts: 0 · Comments: 994 · Joined: 3 yr. ago

  • Holy shit. Like, I can see a brief of "thrust stage with 3 screens, entrances between the screens, and access to the screens for manual pointing" might lead to this stage design. The cutouts at the side might be able to be justified for camera access. But that cutout triangle in the middle would be a pain to engineer and a health & safety nightmare to justify. So the cutout triangle is absolutely deliberate, and will have been discussed in depth. The only reason to keep it is because someone knew.

    Edit. Also, considering their logo is star shaped, I'm surprised the center thrust isn't more star shaped. Seems odd to go from 5 points and many sides to 4 points and 4 sides. Especially considering they are fine with the engineering and H&S justification of a triangle cutout mid-stage.

  • People hate having their favorite brand associated with vile or unethical things.

    True. But not ads, which this quote is talking about. People hate ads. It's the ads people hate, not the context of the ads. If your favourite brand hired some neo-nazi as their new spokesperson, that's a bit different than some garbage ad sitting beside some garbage AI content. The only reason "ads beside garbage content" is ever leveraged (i.e. a news story) is as a way to either hurt the garbage content or hurt the company the ad is for.

    Like with shitty twitter content, consumers can pressure twitter to deal with the content by alerting companies that they are being seen next to shitty content. Companies then leverage the fact that they are paying twitter to get their ads away from that content. If enough companies do this, twitter might change their content policy to prevent this kind of shitty content. Like with YouTube, it has loads of demonetizing policies to ensure companies who advertise there don't get negative press due to association with the content, which means YouTube should have a majority of quality content.

    But, no. (The majority of) People don't hate their brand advertising next to particular content. People just hate ads.

  • The xkcd explained brushes near it.

    Many of the passengers would suffer extreme injuries from the changes of velocity (up to 230 mph based on a loop radius of 3 x ship length) and rotation (unlike rollercoasters, or even airplanes during simple take-off and landing, passengers aren't normally strapped down).

  • 120 litres (4 people, 10 litres per person per day, 3 days) of water is also 120 kg. Pretty unwieldy. Bathtubs are 160 litres. So, it's essentially storing an extra bathtub.

  • The certs are still valid. They are just not implicitly trusted.

  • I mean, you made a lot of aggressive comments and exploded back at commenters before you actually explained your stance/position. And it all read like "have pity on those beach front home owners when the tides come", as opposed to "yeh, beach front home owners are assholes, I wish they would do something to actually help. Unfortunately the regular population are essentially hostage to ever increasing rent, insurance and food prices, making moving anywhere safer more and more difficult each season."

    Maybe it's cause it's text.

  • That took 2 comments of rage-bait bullshit for you to say that?

    Like, at no point did you actually say you are a helpless victim in this. It read like "I have and enjoy MY house on the beautiful coast. Why is everyone going to be so mean to me when the bill comes due?!"

  • So, is public accessibility actually required? Does it need to be exposed to the public internet?

    Why not use WireGuard (or another VPN)? Even easier is Tailscale. If you are hand selecting users (i.e. it doesn't actually need to be publicly accessible), then a VPN is the most secure, and just run a reverse proxy for ease & certs. Or set up client certificate authentication, so only users that install a certificate issued by you can connect to the service (dunno how that works for 3rd party apps for Immich).

    Like I asked, what is your actual threat model? What are your requirements? Is public accessibility actually required?

  • Probably more expensive than you think...

  • That got a bit long. Reading more into bunkerweb.

    Things like the "limit" feature are going to doink people on CGNAT or large corporate networks. I've had security stuff tripped by a company using my software, and it's a PITA cause all the requests from legit users come from only a few IP addresses.

    Antibot isn't going to be helpful for things like JS requests, because cookies aren't included by default with fetch requests, so the application needs to be specifically built for this (at which point, do it at an application level so it can scale easier?). And captcha. For whatever that is worth these days.

    Reverse Scan is going to slow down every request (as it scans the remote client for suspicious open ports, so a 500ms delay as default).

    Country is just geo-IP.

    Bad Behaviour is just rate limiting (although with a 24h ban). Sucks if a few corporate/CGNAT users all hit a 404 and suddenly that entire company/ISP's IP is blocked for a day.

    This seems like something to use when running a TOR server or something, where security is more important than user experience. Like, every feature seems to punish legit users.
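To illustrate the CGNAT/corporate-NAT problem described in the comment above, here is an added example (not bunkerweb's code) that models an IP-keyed "too many 404s, ban for 24h" rule over constructed log lines, and contrasts it with keying the same rule on the authenticated user, the application-level approach the comment suggests. The threshold, window and log format are assumptions for the demo, not bunkerweb's settings.

```python
# Added example, not bunkerweb's code: a toy IP-keyed "bad behaviour" rule
# (THRESHOLD 404s within WINDOW seconds from one key -> that key banned 24h),
# run over constructed access-log lines so the false-positive on a shared
# egress IP is visible. Threshold and window are assumed values.
from collections import defaultdict

BAN_SECONDS = 24 * 3600
THRESHOLD = 5   # assumed: 404s per key within the window before a ban
WINDOW = 60     # assumed: seconds

def parse_line(line):
    # constructed format: "<epoch> <client_ip> <user> <http_status>"
    ts, ip, user, status = line.split()
    return int(ts), ip, user, int(status)

def simulate(lines, key="ip"):
    """Return (bans, dropped): keys that tripped the rule with their ban
    expiry, and how many later requests were dropped because of a ban."""
    hits, bans, dropped = defaultdict(list), {}, 0
    for ts, ip, user, status in map(parse_line, lines):
        k = ip if key == "ip" else f"{ip}/{user}"   # per-IP vs per-user
        if k in bans and ts < bans[k]:
            dropped += 1          # banned: legit or not, the request is gone
            continue
        if status == 404:
            hits[k] = [t for t in hits[k] if ts - t <= WINDOW] + [ts]
            if len(hits[k]) >= THRESHOLD:
                bans[k] = ts + BAN_SECONDS
    return bans, dropped

# Constructed sample: six unrelated users behind one corporate NAT address,
# five of them each hitting a single stale bookmark (404) in the same minute,
# then a sixth user making a perfectly valid request.
SAMPLE = [
    "1000 203.0.113.10 alice 404",
    "1005 203.0.113.10 bob 404",
    "1010 203.0.113.10 carol 404",
    "1012 203.0.113.10 dave 404",
    "1020 203.0.113.10 erin 404",
    "1030 203.0.113.10 frank 200",
]

def banned_keys(key="ip"):
    return sorted(simulate(SAMPLE, key=key)[0])

def dropped_requests(key="ip"):
    return simulate(SAMPLE, key=key)[1]
```

Keyed on the IP, one 404 per user is enough to ban the whole office and drop frank's valid request; keyed per user, nobody trips the rule.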

  • LE certs can always be "side loaded" by acme.sh or LEbot or whatever, and the reverse proxy restarted to use the new certs. So, the whole "pro subscription to use specific certs" shouldn't be a factor, except a little more work/config (so, money vs time).

    Now for my opinion...

    For base security, all it's doing is looking at whatever you tell it to look at in an HTTP request and forward/drop/block as such. HAProxy is well battle-tested. Nginx is well battle-tested. Traefik and Caddy are comparably newer contenders, but considering their adoption they are probably well battle-tested. Which means an established reverse proxy is only going to be as secure as the software it's forwarding traffic to.

    If there happens to be some mental TLS handshake RCE that comes up, chances are they are all using the same underlying TLS library so all will be susceptible... But at least an attacker only gets access to the reverse proxy server. Which is why it's worth having that in a locked down isolated VM, ideally built in a way that is extremely easy to rebuild (declarative configs like docker-compose and some scripts, or even something like NixOS for an immutable OS).

    As for add-ons... Most WAFs only look for things like XSS injection or SQL injection or exploitative HTTP request formats. Very very basic attack vectors that any decent HTTP stack and reasonably built software shouldn't even have to worry about. Any DDoS protection is more likely to blast your network connectivity, which (for self hosting) a WAF isn't going to be able to do anything about. I'm not sure how good they actually are against a DoS attack that is caused by bugs/inefficiencies in the application. Maybe they monitor for long/increasing response times, and block further requests to them? Might cause a lot of false-positives for your users.

    So, the only real benefit - that I see - are zero-day exploit protections... and that only matters if they are built around near-realtime updates like CrowdSec is. I don't know how it compares to Cloudflare's WAF, tho. Any zero-day protection that isn't being managed and updated in near-realtime is about as effective as you monitoring news of your installed services/programmes and updating them regularly. Because you are likely to update your WAF and apps when you hear about those, or regular scheduled updates will deal with them before you even learn about them.

    I guess there is security in layers, and if layers of security is more important than CPU consumption/response time/requests per second (ie have an abundance of processing, servicing few users, etc) then it might be a no-brainer.

    The only other time I can see a generic WAF being useful is if you have rolled your own framework and HTTP stack, and are running your own software. Because, you won't get that right... So might as well have the extra protection of a WAF.

    Or, I guess, with really old unsupported software. But surely there is a newer take or fork of it?

    There is also the "am I worth it" factor. Like, what is your actual threat model? Defend against the usual script-based attacks (i.e. low hanging fruit), only expose/forward ports that are actually required, use some sensible security that isolates more vulnerable systems (i.e. a proxy) from more sensitive ones (i.e. a database or storage), and update regularly on stable/LTS branches.

    Edit: I just googled bunkerweb. First we had firewalls. Then we got web application firewalls. Along came next generation firewalls. Now we have Next Generation Web Application Firewalls with paid features like "Pay per protected services" and "Best effort support included".

    Maybe I'm just salty.

  • Haha, as soon as they said "pluto only needs 4.8km/s [dV]" I was like "great, let's sun-dive our waste from pluto, then"... Like, glossing over the whole "getting the waste to pluto" part. Which they then went on to discuss.

  • It's the only one they have with comfy seats and a mini bar

  • Apparently Amelia Tyler - the Narrator for BG3 - checked in on some random twitch stream, and they had an AI voice trained from her narration controlled by twitch chat - which was saying some fucking horrendous stuff.

    Scary as fuck.

    Remember to talk to everyone you know about voice scams. Scammers absolutely are leveraging this tech, and piling it on top of the usual "I've flushed my phone down the toilet, I'm texting from a mate's phone and I need money to buy a new one for my job interview tomorrow" kinda scams. Agree on a password or something, so that if "you" ever call (edit: or text) and put them under pressure then they ask for the password. Scammers will instantly divert or bail.

  • Those "once in a lifetime" or "once in a decade" weather events seem to be quite common these days.

  • Between those that watched the short and those that didn't?

  • If you pay for your VPN using crypto, then they can't tie it to your name; when they're reselling the traffic it's harder to tie it to an identity.

    Surely that only works if you have personally mined the crypto yourself. And if you only use that wallet for paying for the same VPN service. Crypto isn't anonymous; the ledger of all transactions (i.e. the blockchain) can be read by anyone.

  • I tried to wash my brain, but I couldn't find enough clean water.