I set up a quick demonstration to show the risks of curl|bash and how a bad actor could potentially hide a malicious script.
It’s nothing new or groundbreaking, but I figure it never hurts to have another reminder.
Hahahaha noticed this too. 1.5 was where it was at tho
I think the general response is from confusion over what you could possibly have been using the url bar for in your browser if you didn’t know you could put urls there.
Hey y’all, this actually isn’t self hosting related, but who have you had good luck with for paid matrix hosting?
Right now, I do enough tinkering with everything that I would be willing to just pay to host a matrix server for my friends.
Unless it really is easy enough to do it on a synology nas for text/voice/screen share…but do I need to pay for a domain still?
We are (like everyone) on matrix.org now but realize we need to move eventually.
If you have your own VPS anyway, there is the Matrix Ansible Playbook which makes the setup with docker containers very easy. But I also get the sentiment that you don’t want to tinker around all the time and just want stuff to work.
Kudos to you for using Matrix in the first place, I hope you can bring a lot of your friends and family to switch over to it. So far this has been the biggest hurdle on my journey 😅
If you’re Canadian, you can get free and cheap .ca domains https://www.cira.ca/en/why-choose-ca/
The Wine Project, a compatibility layer that enables Linux and macOS users to run Windows applications, has released version 11.3 as the third maintenance update to the stable 11.x series. Here are the main highlights.
This release updates the integrated Mono engine to version 11.0, improving support for .NET-based applications. The bundled vkd3d library is now at version 1.19, enhancing Direct3D 12 translation over Vulkan. These updates are relevant for modern Windows software and games that depend on current .NET runtimes and Direct3D APIs.
Audio handling is refined, with the DirectSound implementation now including an improved FIR filter for more accurate sound processing and better playback in applications using legacy Windows audio APIs. Developers also introduced optimizations in PDB loading to reduce overhead when debugging or running applications that rely on symbol data.
There’s a new little spider on the wall in front of me in my office. Love seeing it wandering around.
https://lemmy.world/pictrs/image/125d5ef1-308d-4bad-ba76-fbe555afaf2c.jpeg
I give them a name, let them live there. Usually steve, don’t ask me why.
#spiderbros
The KDE Project released today KDE Plasma 6.6.1 as the first maintenance update to the latest KDE Plasma 6.6 desktop environment series with an initial batch of improvements and bug fixes.
KDE Plasma 6.6.1 improves the Custom Tiling feature to correctly respect key repeat, improves the Networks widget to show a more appropriate icon in the panel or system tray when Wi-Fi is disabled, and improves animation performance by leaning more heavily on the Wayland Presentation Time protocol.
This release also re-enables searching for Activities using KRunner and KRunner-powered searches, updates overall app ratings in Plasma Discover to match a simple average of the individual ratings, and improves the critically low power level notification on battery-powered devices.
The Networks Widget was the first thing I noticed.
The separation of ipv4 and ipv6 info and the added status page in the kcm was a nice addition.
I’m putting together an API for a project, and one of the requirements is MFA. I’m using TOTP and that all works. I also have facilities to clear the MFA token and regenerate / re-enroll the secret, but I’m wondering what the best practice is for invoking that.
Their email is required and verified during signup, so would a validation email be sufficient like with a password reset? Or should I require the user to contact the administrators to reset the MFA?
Solutions that work for a corporate application where all the staff know each other are unlikely to be feasible for a publicly available application with thousands of users all over the world.
This is something of a hybrid. There will be both general public users as well as staff. So for staff, we could just call them or walk down the hall and verify them but the public accounts are what I’m trying to cover (and, ideally, the staff would just use the same method as the public).
Figure if an attacker attempts the ‘forgot password’ method, it’s assumed they have access to the users email.
Yep, that’s part of the current posture. If MFA is enabled on the account, then a valid TOTP code is required to complete the password reset after they use the one-time email token. The only threat vector there is if the attacker has full access to the user’s phone (and thus their email and auth app) but I’m not sure if there’s a sane way to account for that. It may also be overkill to try to account for that scenario in this project. So we’re assuming the user’s device is properly secured (PIN, biometrics, password, etc).
If you are offering TOTP only,
Presently, yes.
or otherwise an OTP sent via SMS with a short expiration time
We’re trying to avoid 3rd party services, so something like Twilio isn’t really an option. We’re also trying to store the minimum amount of personal info, and currently there is no reason for us to require the user’s phone number (though staff can add it if they want it to show up as a method of contact). OTP via SMS is also considered insecure, so that’s another reason I’m looking at other methods.
“backup codes” of valid OTPs that the user needs to keep safe and is obtained when first enrolling in MFA
I did consider adding that to the onboarding but I have my doubts if people will actually keep them safe or even keep them at all. It’s definitely an option, though I’d prefer to not rely on it.
So for technical, human, and logistical reasons, I’m down to the following options to reset the MFA:
1) User must contact a staff member during business hours to verify themselves. Most secure, least convenient.
2) Set up security questions/answers and require those after the user receives an email token (separate from the password reset token). Moderately secure, less convenient, and requires us to store more personal information than I’d prefer.
3) Similar to #2 except provide their current password and a short-term temporary token that was emailed to them when they click “Lost my MFA Device”. Most convenient, doesn’t require unnecessary personal info, possibly least secure of the 3.
Note that password resets require both email token and valid TOTP token, so passwords cannot be reset without MFA.
I’m leaning toward #3 unless there’s a compelling reason not to.
My work has us call a helpdesk which verifies our ID (based off the number we’re calling from and other info), then gives us a one-time password to reset all our login info.
Ever since Readarr was officially discontinued, many forks and replacements have popped up. I’m currently running pennydreadful/bookshelf, which seems to be chugging along. Faustvii/Readarr is also around but seems to not be actively maintained?
There’s also Chaptarr, which looks promising, but I’ve heard concerns about it being vibe-coded and such (see rreading-glasses: “I do not endorse the vibe-coded Chaptarr project.”). Does anybody know to what extent this is true, and what the code quality is like?
Calibre-Web isn’t two separate applications, it’s a calibre-compatible database served via HTTP. There is no desktop “calibre” involved.
There is integrated koreader sync, though.
Yep! For a while I deployed Calibre-Web alongside Calibre in a ‘books’ compose.yaml stack using Docker. I used volume mounts to expose my library to both containers. The main thing to be cautious of is that you don’t write to the db from both C and CW at the same time (which could result in corruption). Some folks spin up/down Calibre as needed, but I had them both running and was just mindful. I personally ended up switching from C+CW to Calibre-Web Automated and fully removing Calibre. I’m able to do everything from CWA that I was doing in both previously. FWIW, if you are managing devices (e.g., family, etc.), Kobo devices + Kobo sync via CW/CWA is wonderful for usability (books show up on devices ‘natively’).
I used this back in the day after I left university with free MATLAB.
Very functional, but struggled (8 years ago was the last I tried) with large datasets, especially variable exploring. It also was missing signal processing and filtering libraries back then.
I have since switched to Python with NumPy, pandas, SciPy, and matplotlib and it is phenomenal.
I would try it out because it has probably improved a ton, but Python is now available in Excel (and it already was in LibreOffice) for sharing scripts with people without Python at work, so I don’t know if it is worth it lol.
Do it for the nostalgia, bro. I enjoyed using Octave at uni as well. Gotta be some fun in there somewhere now. 😁
I’ve had this basil soaking in 190 proof Everclear since last year.
I started trying to clean up the workshop and realized I needed some painkiller to make that happen. I also had some Kool-Aid.
I cannot recommend this as a taste about beverage. But I can say that the flavors are subtle and complex when mixed together. They’re not unpleasant. I’m pretty sure I could make a stunning cocktail out of this with a bit more sugar.
Why am I cleaning the workshop? Because temperatures are getting warm enough where wood glue works again. And the workshop is a hot mess.
https://lemmy.world/pictrs/image/c5317d4e-0b8f-4d25-bb12-a19a8a2e546f.jpeg
whoooooooo shit
OK, so let’s not sell anything dangerous then.
There is a new one of these for every generation. My favorite is the 1995 BBC mini-series.