• 1 Post
  • 42 Comments
Joined 1 year ago
cake
Cake day: July 16th, 2023

help-circle


  • The smallest footprint for an actual scripting probably will be posix sh - since you already have it ready.

    A slightly bigger footprint would be Python or Lua.

    If you can drop your requirement for actual scripting and are willing to add a compile step, Go and it’s ecosystem is pretty dang powerful and it’s really easy to learn for small automation tasks.

    Personally, with the requirement of not adding too much space for runtimes, I’d write it in go. You don’t need a runtime, you can compile it to a really small zero dependency lib and you have clean and readable code that you can extend, test and maintain easily.


  • I’m very interested to hear what went wrong.

    We’ll probably never know. Given the impact of this fuck up, the most that crowdstrike will probably publish is a lawyer-corpo-talk how they did an oopsie doopsie, how complicated, unforseen, and absolutely unavoidable this issue has been, and how they are absolutely not responsible for it, but because they are such a great company and such good guys, they will implement measures that this absolutely, never ever again will happen.

    If they admit any smallest wrongdoing whatsoever they will be piledrived by more lawyers than even they’d be able to handle. That’s a lot of CEO yachts in compensations if they will be held responsible.




  • x1gma@lemmy.worldtoTechnology@lemmy.worldUnofficial Reddit API
    link
    fedilink
    English
    arrow-up
    110
    arrow-down
    2
    ·
    4 months ago

    Please don’t take personal offense, but you have merely a project scaffold with an unrealistic goal that will be blocked and C&D’d into the ground, without any other projects created.

    It doesn’t matter how hard you’re working on your anonymity, this project will be ripped apart by a horde of lawyers in seconds. You’re not only doing something questionable or against ToS, you’re directly attacking and sabotaging their monetization. This will not be taken lightly by the legal team of reddit.

    You want to provide a better, cooler, more robust and other random buzzwords API than the own of reddit. So, you alone, want to provide a better API than the whole team of reddit does for their absolute core product, all by scraping. This is simply not realistic.

    While we’re at the topic of monetization, scraping, ETL into your own model and providing the API - for the amount of content that reddit has (quantity, not quality) this will be a highly resource intensive task. How do you plan to fund that, since your API will be better than the official one, I can expect at least the same performance as well, right?

    And also, most importantly, even if you magically achieve working around all that and get that working - why? Who is your expected user group? Pretty much every software using reddit moved away from reddit or simply has died. AI gen content is rampant, and most discussions seem like bots talking to bots. There is literally nothing to gain from an API to reddit - so why would anyone bother using it?


  • The third option is to use the native secret vault. MacOS has its Keychain, Windows has DPAPI, Linux has has non-standardized options available depending on your distro and setup.

    Full disk encryption does not help you against data exfil, it only helps if an attacker gains physical access to your drive without your decryption key (e.g. stolen device or attempt to access it without your presence).

    Even assuming that your device is compromised by an attacker, using safer storage mechanisms at least gives you time to react to the attack.




  • Kinda expected the SSH key argument. The difference is the average user group.

    The average dude with a SSH key that’s used for more than their RPi knows a bit about security, encryption and opsec. They would have a passphrase and/or hardening mechanisms for their system and network in place. They know their risks and potential attack vectors.

    The average dude who downloads a desktop app for a messenger that advertises to be secure and E2EE encrypted probably won’t assume that any process might just wire tap their whole “encrypted” communications.

    Let’s not forget that the threat model has changed by a lot in the last years, and a lot of effort went into providing additional security measures and best practices. Using a secure credential store, additional encryption and not storing plaintext secrets are a few simple ones of those. And sure, on Linux the SSH key is still a plaintext file. But it’s a deliberate decision of you to keep it as plaintext. You can at least encrypt with a passphrase. You can use the actual working file permission model of Linux and SSH will refuse to use your key with loose permissions. You would do the same on Windows and Mac and use a credential store and an agent to securely store and use your keys.

    Just because your SSH key is a plaintext file and the presumption of a secure home dir, you still wouldn’t do a ~/passwords.txt.


  • How in the fuck are people actually defending signal for this, and with stupid arguments such as windows is compromised out of the box?

    You. Don’t. Store. Secrets. In. Plaintext.

    There is no circumstance where an app should store its secrets in plaintext, and there is no secret which should be stored in plaintext. Especially since this is not some random dudes random project, but a messenger claiming to be secure.

    Edit: “If you got malware then this is a problem anyway and not only for signal” - no, because if secure means to store secrets are used, than they are encrypted or not easily accessible to the malware, and require way more resources to obtain. In this case, someone would only need to start a process on your machine. No further exploits, no malicious signatures, no privilege escalations.

    “you need device access to exploit this” - There is no exploiting, just reading a file.



  • These were casual, mutual conversations that sometimes leaned too much in the direction of being inappropriate, but nothing more. Nothing illegal happened, no pictures were shared, no crimes were committed, I never even met the individual. […] That’s on me as an adult, a husband and a father.

    Jesus fucking christ. If you, as a father, are “leaning too much in the direction of being inappropriate” with a minor, you’re a fucking pedophile. There is nothing to discuss that’s leaning into being inappropriate with a minor, except if you’re a pedophile. Trying to make it sound less of an issue just because there weren’t pictures sent, is a pathetic attempt of an excuse for being a pedophile.

    For being so real and no filter, there’s a fucking lot of sugarcoating for admitting the fact that he sexted with a minor.

    I specifically don’t get how you can do that as a father, and even being the complete asshole that he is, not even once thinking that the victim could be his own child. I really wonder what he would say about such a tweet in this case.

    Absolutely fucking disgusting.






  • I get that online services cost a shitton amount of money to operate, but the sheer level of degrading quality is not OK. This is just one example of how services are completely barreling towards the shitter at 100+ MPH with no brakes or airbags. I feel some guilt for using content blockers, but that guilt is being wittled away every single day because of websites like this.

    That’s only partially true. “Simple” pages like a wiki are stupidly cheap in comparison of operational costs. This is not some online image editor, some huge social media outlet or whatever. From a content perspective, the traffic to be served is an absolute joke.

    What drives costs for operations up is stupid design decisions (e.g. Cora) and bloating your own page using several ad providers, trackers and a metric fuck ton of additional services like disqus and whatever all of this idiotic shit is called.

    And what drives “cost of operations” up the most is pure greed, because for most parts there is no longer an internet community, where someone wants to contribute something cool. Maybe that’s where they started, but seeing their page hits climb obviously makes them think about monetizing them. Just add some non intrusive ads, page views still climb, and you see the money coming in - in the case of Fandom with mostly zero effort, since the content is brought by the editors, who even also generate ad views, while generating content. Add one more ad, income doubled. Add a potentially more intrusive ad bringing more money per view - maybe your income triples. It’s all just a pump and dump until it becomes the ad-riddled trash, but you don’t really need to care, since it’s still high ranking in Google results and still brings in visitors.

    Obviously this does not apply to all, but to a fucking lot if not most pages, and it’s getting even worse with gen-AI content and “features”.