Kata1yst

Kata1yst , 11 days ago

On a server, it allows you to track who initiates which root season session. It also greatly minimizes the attack surface from a security perspective to have admin privileged accounts unable to be remotely connected to.

Kata1yst , 11 days ago

Wouldn’t separate SSH keys achieve the same?

Separate ssh keys for the user and the admin? Yeah, see point 2, admins should not be remotely accessible.

Really? How, exactly? Break the ssh key authentication? And wouldn’t that apply to all accounts equally?

Keys aren't perfect security. They can easily be mishandled, sometimes getting published to GitHub, copied to USB drives which can easily be lost, etc.

Further, there have been attacks against SSH that let malicious actors connect remotely to any session, or take over existing sessions. By not allowing remote access on privileged accounts, you minimize risk.

Forcing a non privileged remote session to authenticate with a password establishes a second factor of security that is different from the first. This means a cracked password or a lost key is still not enough for a malicious actor to accomplish administrative privileges.

A key is something you have

A password is something you know

So, by not allowing remote privileged sessions, we're forcing a malicious actor to take one more non-trivial step before arriving at their goals. A step that will likely be fairly obvious in logs on a monitored machine.

Kata1yst , 11 days ago

I strongly disagree with your premise. Separating authentication and privilege escalation adds layers of security that are non-trivial and greatly enhance resilience. Many attacks are detected and stopped at privilege escalation, because it happens locally before a user can stop or delete the flow of logs.

If I get into your non-privileged account I can set up a program that acts like sudo

No you cannot. A non privileged user doesn't have the access necessary to run a program that can accomplish this.

And even if they do it’s too late anyway because I’ve just compromised root and locked everybody out and I’m in there shitting on the filesystems or whatever. Because root can do anything.

Once again, you didn't privilege escalate, because once you have a foothold (authentication) you don't have the necessary privileges, so you must perform reconnaissance to identify an exploitable vector to privilage escalate with. This can be any number of things, but it's always noisy and slow, usually easy to detect in logs. There is a reason the most sophisticated attacks against well protected targets are "low and slow".

And if I can’t break into your non-privileged account then I can’t break into a privileged account either.

You're ignoring my points given regarding the risks of compromised keys. If there are no admin keys, there are no remote admin sessions.

These artificial distinctions between “non-privileged” and “superuser” accounts need to stop. This is not good security, this is not zero trust. Either you don’t trust anybody and enforce explicit privilege escalation for specific things, or just accept that you’re using a “super” paradigm and once you’ve got access to that user all bets are off.

Spoken like someone who has never red teamed or purple teamed. Even admin accounts are untrusted, given only privileges specific to their role, and closely monitored. That doesn't mean they should have valid security measures thrown away.

Kata1yst , 11 days ago

That's called 'privilege escalation', and replacing system level calls with user level calls is closely watched for and guarded against with many different security measures including SELinux.

You've already outed yourself multiple times in this thread as someone who doesn't understand how security in the real world works. Take the L and try to learn from this. It's okay not to understand something. But it's very important to recognize when that happens and not claim to understand better than someone else.

Kata1yst , 14 days ago

They even literally have a section of the article that says they "see Fair Software as an alternative model to the free and open source software model", and they think it's superior because the "developers can profit".

Newsflash: the developers usually see fractions of those cents while most of the money goes to the management and shareholders of the company that employs them. Hmm, doesn't seem fair to me.

Also, developers can and do profit from FOSS in many ways, but the most popular models are with commercial support, SaaS offerings, and additional functionality (like providing a web interface, clustering manager or other external piece of the puzzle to solve the problem at scale in enterprise).

Like you said so succinctly: propaganda website to make rug pullers like Elastic and Hashicorp look better.

Kata1yst , 15 days ago

I use FreshRSS. Can't say I love the interface, but with the open and standardized API, there are dozens of beautiful front ends to choose on any device.

Kata1yst , 15 days ago

No no you don't understand. The evil corporate overlords abused their power to force a choice on a developer, even though that choice was objectively the right choice and the developer was throwing a tantrum.

This is truly awful. We must not let evil corporations, no matter their credentials, expertise, and decades of beneficial partnership with open source, tell immature and short sighted developers how to develop.

Kata1yst , 15 days ago

Accurate, but not bad, yes. It turns out standardized base systems and ABIs are important to an ecosystem.

Linux tried the disorganized free-for-all for two decades, and what we got was fragmented "Ubuntu admins", "debian admins", "redhat admins", "suse admins", and a whole shitload of duplicated effort in the packaging ecosystem, only for half the packages out there to be locked to Ubuntu or RHEL. So the corporate interests, and a fair number of the community efforts, centralized their problems and solutions into a small standardized suite in Mesa+Wayland+systemd+Pipewire+flatpak, etc

The result is a ton more interoperability, a truly open ecosystem where switching your distro doesn't mean hiring different people and using different software, and a lot more stability and maturity.

And hey, if a user or distro wants to do their own thing, they can make and own their niche, same as before. Nothing lost.

It's been kind of wild to watch over the past 15 years or so, makes me very hopeful for the next 15.

Kata1yst , 19 days ago

For real? Damn it that's going to be painful.

Kata1yst , 23 days ago

“We had a huge chunk of our engineering staff spending time improving FreeBSD as opposed to working on features and functionalities. What’s happened now with the transition to having a Debian basis, the people I used to have 90 percent of their time working on FreeBSD, they’re working on ZFS features now … That’s what I want to see; value add for everybody versus sitting around, implementing something Linux had a years ago. And trying to maintain or backport, or just deal with something that you just didn’t get out of box on FreeBSD.”

I still hold much love for FreeBSD, but this is very much indicative of my experience with it as well. The tooling in FreeBSD, specifically dtrace, bhyve, jails, and zfs was absolutely killer while Linux was still experiencing teething problems with a nonstandard myriad of half developed and documented tools. But Linux has since then matured, adopted, and standardized. And the strength of the community is second to none.

They'll be happier with Linux.

Kata1yst , 23 days ago

If you're trying to use it as a workstation or a laptop, you won't find much compelling. It's built with the intent to act as a server. In fact, as a web server or networking server it's second to none.

Administrating BSD is lovely. It's well documented and everything is very stable, understandable, and predictable.

Kata1yst , 1 month ago (edited 1 month ago)

I was actually surprised to find out QUIC is fairly close to being default.

Wikipedia

HTTP/3 uses QUIC, a multiplexed transport protocol built on UDP.

HTTP/3 is (at least partially) supported by 97% of tracked web browser installations (thereof of 98% of "tracked mobile" web browsers), and 29% of the top 10 million websites.

Kata1yst , 1 month ago

https://en.wikipedia.org/wiki/HTTP%2F3?wprov=sfla1

Kata1yst , 1 month ago

Never ask a man his pay, a woman her weight, or a data horder the contents of their stash.

Jk. Mostly.

I have a similar-ish set up to @Davel23 , I have a couple of cool use cases.

• I seed the last 5 arch and opensuse (a few different flavors) ISOs at all times
• I run an ArchiveBot for archive.org
• I scan nontrivial mail (the paper kind) and store it in docspell for later OCR searches, tax purposes etc.
• I help keep Sci-Hub healthy
• I host several services for de-googling, including Nextcloud, Blocky, Immich, and Searxng
• I run Navidrome, that has mostly (and hopefully will soon completely) replace Spotify for my family.
• I run Plex (hoping to move to Jellyfin sometime, but there's inertial resistance to that) that has completely replaced Disney streaming, Netflix streaming, etc for me and my extended family.
• I host backups for my family and close friends with an S3 and WebDAV backup target

I run 4x14TB, 2x8TB, 2x4TB, all from serverpartsdeals, in a ZFS RAID10 with two 1TB cache dives, so half of the spinning rust usable at ~35TB, and right now I'm at 62% utilization. I usually expand at about 85%

Kata1yst , 1 month ago

https://github.com/Genymobile/scrcpy

Kata1yst , 1 month ago

My favorite city builder in decades. A few notes.

Pros:

• Easy mode is relaxing and quite easy.
• Medium mode is a fun challenge at first, eventually becoming fairly chill as you advance in skill and confidence.
• Hard mode is always fairly hard, especially on harder maps.
• There are many resources to manage, but none that feel burdensome.
• The game is extremely thematic, it feels alive with charm.
• Graphics are excellent, though sometimes graphical glitches can still be encountered.
• The water. It's so hard to explain to someone who hasn't encountered this system before, but water is life in this game, and it's both beautiful graphically, and extremely well simulated by physics. Learning to control the water, and see the shortest paths to end water scarcity with beaver engineering is an amazingly fun and unique aspect of the game.
• Mods are well supported and the community is vibrant.

Cons:

• Not a ton of content. They've been very good about adding new mechanics (badwater, extract, etc) but there's still just 2 races of beaver and a dozen or so maps.
• No directed experience. In similar games I've enjoyed a campaign, challenge maps/scenarios, weekly challenges, a deeper progression system, just... Something to optionally set your goals. There's nothing of the sort in the vanilla game. It's fully open ended and there's only one unlock outside of your progress though the resource tree in a map.

All in all, I highly recommend it, especially at the modest asking price. If you love city builders, charming and beautiful art, thematic settings, dynamic challenge, and solution engineering, this is a fantastic game for you.

Other games I've enjoyed that scratch similar itches:

• KSP
• Cities: Skylines (but Timberborn has been far more compelling)
• Factorio
• Mindustry
• Planet Zoo (Timberborn has less of a directed experience, but is otherwise completely superior)
• Gnomoria
• Banished
• Tropico series (though I view this as more casual)

Get it and have fun is my recommendation.

Kata1yst , 2 months ago

Seriously. This guy thinks that regulators would have stepped in to stop OpenAI or Microsoft from acquiring a no-name 2 year old startup with two rounds of funding?

Please.

Kata1yst , 2 months ago

Used to be the best way to get performant graphics on Linux.

Like, 8 years ago.

Kata1yst , 2 months ago

I like kitty, but it's configuration system is completely nuts.

Alacritty was good, but had weird issues with fonts for me.

I ended up on Wezterm. Lots of modern features, performance, stability, and awesome configurability.

Kata1yst , 2 months ago

Apparently that wasn't one of his MBOs, so we can infer the board is a bunch of dumbasses.

Kata1yst , 3 months ago

There is a team, not a sole dev.

I'm not saying everything is roses and rainbows, but this is FUD messaging being spread openly by the mbin dev team.

Kata1yst , 3 months ago

Yeah honestly no idea regarding moderation. But the codebase is maintained by a team.

Kata1yst , 3 months ago

Didn't Solid get sketchy too? I remember feeling obligated to migrate to Material Files.

Kata1yst , 3 months ago

I've had great experiences with exactly one vendor of second hand disks.

https://serverpartdeals.com/

Currently running 8x14TB in a striped & mirrored zpool.

Kata1yst , 3 months ago

In my experience, nope. I tried so hard to use Logseq, but I had massive issues with speed, stability, and database corruption.

Really I think the root of the issue is their database. The database causes so many problems and makes their synchronization methods dirty hacks at best.

Kata1yst , 3 months ago

Zettlr for technical writing into any format.

Obsidian for a second brain based on the molecular notes method. And yes, I've tried all of the FOSS alternatives. None are ready to replace Obsidian yet.

Wallabag for saving resources offline for easy and permanent reference.

Lunarvim for actually sitting down to work instead of fiddling with and optimizing my setup.

Kata1yst , 3 months ago

Really all I do is setup fail2ban on my very few external services, and then put all other access behind wireguard.

Logs are clean, I'm happy.

Kata1yst , 3 months ago

ZFS is a very robust choice for a NAS. Many people, myself included, as well as hundreds of businesses across the globe, have used ZFS at scale for over a decade.

Attack the problem. Check your system logs, htop, zpool status.

When was the last time you ran a zpool scrub? Is there a scrub, or other zfs operation in progress? How many snapshots do you have? How much RAM vs disk space? Are you using ZFS deduplication? Compression?

Kata1yst , 3 months ago

Yeah, you should be scrubbing weekly or monthly, depending on how often you are using the data. Scrub basically touches each file and checks the checksums and fixes any errors it finds proactively. Basically preventative maintenance.
https://manpages.ubuntu.com/manpages/jammy/man8/zpool-scrub.8.html

Set that up in a cron job and check zpool status periodically.

No dedup is good. LZ4 compression is good. RAM to disk ratio is generous.

Check your disk's sector size and vdev ashift. On modern multi-TB HDDs you generally have a block size of 4k and want ashift=12. This being set improperly can lead to massive write amplification which will hurt throughput.
https://www.high-availability.com/docs/ZFS-Tuning-Guide/

How about snapshots? Do you have a bunch of old ones? I highly recommend setting up a snapshot manager to prune snapshots to just a working set (monthly keep 1-2, weekly keep 4, daily keep 6 etc) https://github.com/jimsalterjrs/sanoid

And to parrot another insightful comment, I also recommend checking the disk health with SMART tests. In ZFS as a drive begins to fail the pool will get much slower as it constantly repairs the errors.

Kata1yst , 3 months ago

Disagree. I've never encountered malware in over a decade. Cost of should be less than the cost of a Netflix subscription.

Kata1yst , 3 months ago

And most decent indexers these days.

Using automation software like the Arrs, dramatically improves the UX/UI, providing another layer of filtering too.

The cost for these things isn't terribly high. You can get three excellent indexers and a good provider for less than $12USD a month.

Kata1yst , 3 months ago

Why not a K8s cluster? Much more appropriate for modern software.

Kata1yst , 3 months ago

Voice has never made me want a different player, fwiw.

Kata1yst , 3 months ago

Voice, on F-Droid.
https://f-droid.org/packages/de.ph1b.audiobook/

Kata1yst , 4 months ago

He did though. And honestly the website has come very far in a short period of time, I really don't understand the concerns and whining in this thread...

From codeberg-

Core Team

• ernest
• szsz
• cooperaj
• rideranton
• AnonymousLlama

https://codeberg.org/org/Kbin/teams

Design Team

• cody

Kata1yst , 4 months ago

Why do you assume that? Why is your way of open source the right way?

All open source projects are run by a small team of people reviewing and accepting, rejecting, and prioritizing work. What part of this project's methodology bothers you?

Kata1yst , 4 months ago

What obscure location? Codeberg?

All the activity is open on Codeberg. You can see every member of that team actively merging and reviewing requests.

Kata1yst , 4 months ago

Development is happening in the dev's branches. Branches are generally kept local until submitted for a PR. You can easily see this in the origin branches and open PRs.

Honestly I'm not sure if you're trolling, don't understand git development, or if you really think that a project needs to iterate main multiple times per month to be your definition of "healthy open source", but I'm tired of shooting down such lazy attacks and won't be responding further.

Have a nice day.

Kata1yst , 4 months ago

Currently working on a replacement for BirdCAGE. It was a pretty cool project, that was unfortunately based on some pretty hacky code (not the dev's fault, he based it on BirdNet-Pi) and subsequently has been abandoned.

MVP is up and running, just polishing and adding features. Still no GUI just yet, right now it's just presisting the data locally (recordings with detections, spectrograms, and a database of detections) and submitting the results to Birdweather which you can use as a basic UI until I get around to it.

It's been a great learning experience.

Kata1yst , 4 months ago (edited 4 months ago)

I haven't made the repo public just yet, but I'll reply to you here when it is. Hopefully early next week.

Though for the record the current scope is to deploy on x86 docker and listen to remote rtsp streams.

I did just disparage the code of BirdNet-Pi somewhat, but it's a vetted and solid solution on pi-compatible hardware.

Kata1yst , 4 months ago

I absolutely love how thoughtful the dev's of this game are. You can tell they pick apart every detail and make sure it works as a whole. Nothing feels out of place or incomplete.

Kata1yst , 4 months ago

Maybe Diaspora?

Kata1yst , 4 months ago

Learn docker on the distro you're most comfortable with.

Kata1yst , 4 months ago

Super interesting, thank you for sharing. I've read a significant portion and will saving this for future reference.

It pairs nicely with this series on a foundational technical documentation framework: https://documentation.divio.com/

Kata1yst , 4 months ago

Highly recommend using tdarr. Not just because the radarr container won't do it, but because tdarr is so incredibly powerful.

Kata1yst , 4 months ago

It can. Most people just use the filesystem watcher, but this looks nice. https://github.com/deathbybandaid/tdarr_inform

Kata1yst , 4 months ago

You're talking about two very different technologies though, but both are confusingly called "AI" by overzealous marketing departments. The basic language recognition and regressive model algorithms they ship today are "Machine Learning", and fairly simple machine learning at that. This is generally the kind of thing we're running on simple CPUs in realtime, so long as the model is optimized and pre-trained. What we're talking about here is a Large Language Model, a form of neural network, the kind of thing that generally brings datacenter GPUs to their knees and generally has hundreds of parameters being processed by tens of thousands of worker neurons in hundreds of sequential layers.

It sounds like they've managed to simplify the network's complexity and have done some tricks with caching while still keeping fair performance and accuracy. Not earth shaking, but a good trick.

Kata1yst , 4 months ago

Hard disagree on them being the same thing. LLMs are an entirely different beast from traditional machine learning models. The architecture and logic are worlds apart.

Machine Learning models are "just"statistics. Powerful, yes. And with tons of useful applications, but really just statistics, generally using just 1 to 10 variables in useful models to predict a handful of other variables.

LLMs are an entirely different thing, built using word vector matrices with hundreds or even thousands of variables, which are then fed into dozens or hundreds of layers of algorithms that each modify the matrix slightly, adding context and nudging the word vectors towards new outcomes.

Think of it like this: a word is given a massive chain of numbers to represent both the word and the "thoughts" associated with it, like the subject, tense, location, etc. This let's the model do math like: Budapest + Rome = Constantinople.

The only thing they share in common is that the computer gives you new insights.