terribleplan

joined 1 year ago
[–] terribleplan@lemmy.nrd.li 1 points 1 year ago

Snappymail is simple and awesome if you want better webmail than roundcube, I switched and didn't look back. I am also a big fan of native apps, I'm using thunderbird on my PCs and Fair Email on Android, both of which I am quite happy with.

[–] terribleplan@lemmy.nrd.li 4 points 1 year ago

Laptops/desktops: no real naming scheme, they use non-static DHCP leases anyway.

Physical servers: NATO phonetic alphabet. If I run out of letters something has gone terribly ~~wrong~~ right.

VMs: I don't have many of these left, but they are named according to their function and then a digit in case I need more. e.g. docker1, k3s1. This does mean that I have some potential oddities like a k3s cluster with foxtrot, alpha, and k3s1 as members, but IMO that's fine and lets me easily tell if something is physical or virtual. I am considering including the physical machine name in the VM name for new things as I no longer have things set up such that machines can migrate... though I haven't made a new VM in some time.

Network equipment: Named according to location and function. e.g. rack-router, rack-10g, rack-back-1g, rack-ap, upstairs-10g, upstairs-ap. If something moves or is repurposed it is likely getting reconfigured so renaming at that point makes sense.

[–] terribleplan@lemmy.nrd.li 3 points 1 year ago

I switched to Forgejo just by swapping out the image. So far gitea hasn't been malicious with its trademarks now being owned by a private company, but I feel better using software that is more closely tied to a nonprofit. I see no reason to switch back.

[–] terribleplan@lemmy.nrd.li 1 points 1 year ago

I have owned and otherwise dealt with a few different Startech 4-post open racks and have been very happy with them. I currently use one of their 25U racks for my lab, but am running out of space...

[–] terribleplan@lemmy.nrd.li 10 points 1 year ago (1 children)

I started on Gitlab, which was a monster to run. I moved to Gitea, until the developers started doing some questionable things. Now I'm on Forgejo (a fork of Gitea).

[–] terribleplan@lemmy.nrd.li 0 points 1 year ago

Yeah, all I know is that I am definitely seeing images loaded in from domains other than that of my instance as I load/scroll pages, which I want to be loaded via my instance for privacy reasons.

[–] terribleplan@lemmy.nrd.li 1 points 1 year ago (3 children)

I believe the Pictrs is a hard dependency and Lemmy just won't work without it, and there is no way to disable the caching. You can move all of the actual images to object storage as of v0.4.0 of Pictrs if that helps.

Other fediverse servers like Mastodon actually (can be configured to) proxy all remote media (for both privacy and caching reasons), so I imagine Lemmy will move that way and probably depend even more on Pictrs.

[–] terribleplan@lemmy.nrd.li 7 points 1 year ago (7 children)

IIRC Lemmy preloads all thumbnails for posts in communities you subscribe to into pictrs to be cached for like a month or something. So, yeah...

[–] terribleplan@lemmy.nrd.li 9 points 1 year ago (2 children)

I switched from Plex to Jellyfin several years ago and haven't really looked back. Overall I just didn't like the direction plex kept going (pushing shit streaming services, central auth, paywalling features), and dropped it even though I grabbed a lifetime plex pass back in the day. The only thing I miss about plex was the ease of developing a custom plugin for it since you could pretty much just drop python scripts in there and have it work, though their documentation for plugin development was terrible (and I think removed from their site entirely).

[–] terribleplan@lemmy.nrd.li 2 points 1 year ago* (last edited 1 year ago)

I would still go with one that isn't one of the biggest. My general advice is to find one that fits the vibe you're going for, communities you're interested in (e.g. some are focused on art or cybersecurity, etc), or is somehow tied to your locality. It shouldn't matter that much, though some servers will be a little more (or less) strict with things like federation, content warnings, alt text, etc. Usually the server will have some info telling you some of this, and their admin should be linked and likely has a post or two pinned to their profile explaining some of this as well.

I am partial to kind.social, though have opted to run my own instead of joining up anywhere.

[–] terribleplan@lemmy.nrd.li 16 points 1 year ago

Just run your own instance, I say.... that way it's your fault when you forget to renew the domain name instead of the poor soul running vlemmy.

[–] terribleplan@lemmy.nrd.li 4 points 1 year ago* (last edited 1 year ago) (1 children)

It depends on what specific thing you want to add geoblocking to, but often something like the MaxMind GeoIP database, which then can feed into a firewall to pre-emptively geo-block at a connection level, or as part of e.g. nginx geolocating the IP address of the connecting client and then making the blocking decision at request time.

There's a project that works with Traefik's forward-auth middleware to do this, which is probably how I would go about it if I wanted it at an HTTP level.


I tried what another user reported and it worked. I submitted a github issue as the security email seems to be unmonitored based on me trying to contact it (regarding a different issue) for over a week now.

Be careful about links you click in Lemmy, I guess.

cross-posted from: https://sh.itjust.works/post/774797

What is XSS?

Cross-site scripting (XSS) is an exploit where the attacker attaches code onto a legitimate website that will execute when the victim loads the website. That malicious code can be inserted in several ways. Most popularly, it is either added to the end of a url or posted directly onto a page that displays user-generated content. In more technical terms, cross-site scripting is a client-side code injection attack. https://www.cloudflare.com/learning/security/threats/cross-site-scripting/

Impact

One-click Lemmy account compromise by social engineering users to click your post's URL.

Reproduction

Lemmy does not properly sanitize URIs on posts, leading to cross-site scripting. You can see this working in action by clicking the "link" attached to this post on the web client.

To recreate, simply create a new post with the URL field set to: javascript:alert(1)//

Patching

Adding filtering to block javascript: and data: URIs seems like the easiest approach.
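As an added example (not Lemmy's or lemmy-ui's own code), here is the prefix blocklist the post suggests placed beside a scheme allowlist built on the WHATWG URL parser; it goes a step beyond the post by showing why an allowlist is the more robust fix. The allowed scheme set and the sample inputs are constructed for the example.

```javascript
// Added example, not Lemmy/lemmy-ui code. Schemes a post link may use are an assumption.
const ALLOWED_PROTOCOLS = new Set(["http:", "https:", "mailto:", "magnet:"]);

// Naive blocklist as described in the post: rejects two literal prefixes and
// nothing else, so it is only as good as the exact string it compares against.
function naiveBlocklistOk(raw) {
  const s = raw.trim();
  return !(s.startsWith("javascript:") || s.startsWith("data:"));
}

// Allowlist check. The URL parser lowercases the scheme and strips ASCII
// tab/newline and surrounding control characters before we look at it, so
// case and whitespace variations normalize to the same protocol value.
// Returns the normalized href (safe to put in href="") or null to reject.
function safeUrlOrNull(raw) {
  if (typeof raw !== "string" || raw.length > 2048) return null;
  let url;
  try {
    url = new URL(raw); // relative strings throw (no base), which is a reject
  } catch {
    return null;
  }
  if (!ALLOWED_PROTOCOLS.has(url.protocol)) return null;
  return url.href;
}

// Constructed inputs: the reproduction from the post plus variants a
// prefix blocklist does not catch.
const SAMPLES = [
  "https://example.com/post/1",
  "javascript:alert(1)//",
  "JavaScript:alert(1)//",
  "  javascript:alert(1)//",
  "java\tscript:alert(1)//",
  "data:text/html,hello",
  "/relative/path",
];

// Returns one row per sample so the two approaches can be compared side by side.
function evaluate(samples) {
  return samples.map((s) => ({
    input: s,
    blocklistAccepts: naiveBlocklistOk(s),
    allowlistAccepts: safeUrlOrNull(s) !== null,
  }));
}

for (const row of evaluate(SAMPLES)) console.log(JSON.stringify(row));
```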


KNOWER is currently one of my favorite bands. Anyone else dig their vibe?
