sylver_dragon

I suspect every security baseline is going to include guidance for removing recall. There’s just no reason for this sort of malware on a system.

While it was kinda lame for Mozilla to add it with it already opted-in the way they did

That’s really the rub here. Reading the technical explainer on the project, it’s a pretty good idea. The problem is that they came down on the side of “more data” versus respecting their users:

Having this enabled for more people ensures that there are more people contributing to aggregates, which in turn improves utility. Having this on by default both demands stronger privacy protections — primarily smaller epsilon values and more noise — but it also enables those stronger protections, because there are more people participating. In effect, people are hiding in a larger crowd.

In short, they pulled a “trust us, bro” and turned an experimental tracking system on by default. They fully deserve to be taken to task over this.

Are there seriously no lemmy users on a Mac?

Artist are probably still on Reddit to access the larger user base.

Widespread IPv6 adoption is right there with the year of the Linux desktop. It’s a good idea, it’s always Coming Soon™ and it’s probably never going to actually happen. People are stubborn and thanks to things like NAT and CGNAT, the main reason to switch is gone. Sure, address exhaustion may still happen. And not having to fiddle with things like NAT (and fuck CGNAT) would be nice. But, until the cost of keeping IPv4 far outweighs the cost of everything running IPv6 (despite nearly everything doing it now), IPv4 will just keep shambling on, like a zombie in a bad horror flick.

While the broader cybersecurity field has seen rapid advancements, such as AI-driven endpoint security

Ya, about that “AI-driven endpoint security”, it does a fantastic job of generating false positives and low value alerts. I swear, I’m to the point where vendors start talking about the “AI driven security” in their products and I mentally check out. It’s almost universally crap. I’m sure it will be useful someday, but goddamn I’m tired of running down alerts which come with almost zero supporting evidence, pointing to “something happened, maybe.” AI for helping write queries in security tools? Ya, good stuff. But, until models do a better job explaining themselves and not going off on flights of fancy, they’ll do more to increase alert fatigue than security.

One idea to always go back to is:

Extraordinary claims require extraordinary evidence

• Carl Sagan

This can be tough to evaluate sometimes, but it’s a good general idea.

Does the claim sit outside the natural world as currently understood by scientific theory?
If yes, then there’s going to need to be a lot of evidence. If not, the level of evidence is lower.

Does the claim involve a low probability event?
If yes, then more evidence is needed of that event.

Does the claimant have a stake in the claim?
For example, does the person get money, fame or other stuff by getting people to believe the claim? If so, more evidence should be required.

What type of evidence would you expect to see, if the claim were correct?
When things exist, they tend to leave evidence of their existence. Bones, ruins, written records, etc. If someone says something exists, or used to exist, but they should have archeological/anthropological evidence to back it up.

Sure, it’s always going to be a bit subjective as to what requires proof. And for a lot of low stakes things, there’s no point in going after it. If someone claims to be from Pitcairn, then what’s the point of questioning it? Just say, “huh, cool” and move on. If someone is trying to convince you that an historical figure existed, and that should effect how you see the world, maybe ask for as bit more evidence.

The fact that the OS is replaceable sealed the deal for me.

And the default OS isn’t locked down and doesn’t try to prevent you from doing other stuff with it. What you want to do isn’t in the Steam interface? Switch over to desktop mode and you have full access to the underlying OS.

My only complaint with the Steamdeck is that I find using the touchpad on the right side for long gaming sessions hurts my hands. I 3d printed some grips which help; but, I think my hands just don’t like the orientation. Still love my deck though.

Not really. IP addresses are really easy to change. And doubtless the threat actors will see that their IPs have been identified and will roll them over soon. The solution is to go after the tactics the attackers are using:

The attack chains exploit known security vulnerabilities and misconfigurations, such as weak credentials, to obtain an initial foothold and execute arbitrary code on susceptible instances.

1. Install your updates. If you have a server open to the internet and you haven’t patched known exploited vulnerabilities, you deserve to have your network ransomed.
2. Many products have either vendor provided or useful third party security configuration guides. While there are situations where business processes prevent some configuration changes, these guides should be followed when possible. And weak passwords should not be on that list.

EDIT: for Oracle Web Logic, you do a lot worse that going through the DoD STIG for it.

I was always terrible with knots growing up. My father spent far too much time trying to teach me a basic trucker’s hitch and sadly never got to see me really “get it”. Then, when my own son was in Cub Scouts and supposed to learn some basic knots, something just clicked in my mind and I took an interest. The bowline was the gateway knot for me and learning that led me to finally apply myself to the trucker’s hitch. Just such a useful pair for tying up a load. I can understand why my father really wanted me to learn it.

Now, I keep a length of paracord on my desk and will fiddle with it, practicing knots whenever I’m doing something that leaves my hands free. And ya, having a basic set of knots down is just damned handy.

NextCloud running in docker on my server. I can then sync folders from both my desktop and phone.

I took up indoor rock climbing a couple years ago, partly because I have a similarly sedentary job and hate most forms of exercise. I can certainly understand the draw. I go 2-3 times a week and have stuck with it for so long because it forces me to get out of my head, but also doesn’t require dealing with strangers as much. It’s just a clam, focused activity which also happens to work my body.

Unfortunately, as a hobby, rock climbing is going to work your hands and arms. I would say that, as I have gotten better, I do a better job of using body position to prevent having to hang by my hands. But, just the other day, my foot slipped and I was hanging on by my fingertips for a couple seconds. And harder climbs may require you to engage your hands more. Though again, body position and technique counts for a lot.

Best advice I can give is: talk to your doctor. They will know more about how your condition will be affected by climbing and what your options are. Certainly more than random idiots on the other side of the internet.

Game: Quest for Glory I: So you want to be a Hero
Book: Colour of Magic, by Terry Pratchett
TV Show: Babylon 5
Movie: Spaceballs

All fairly old, but still some of all time favorites.

If you are located in the US and aren’t currently a complete fuck-up, the Federal Government can be a way into the GRC side of cybersecurity. Between civilian and DoD sites, they have analysts and auditors all over the place and always seemed in need of folks willing to pour over checklists and OQE artifacts. This first place to look for positions in that vein would be on usajobs.gov. Though unfortunately, the FedGov made the decision to classify both GRC and sysadmin positions under the 2210 category; so, you’ll probably have to dig through a lot of sysadmin listings.

Another path into similar positions is to look for FedGov/DoD facilities in your area. Once you find one, take a drive around the area and look for the names of businesses in the area and start researching those businesses and their open positions. There will almost certainly be the big ones, like Booze-Allen Hamilton, BAE, Boeing (yes, that Boeing. They do a lot outside of crashing aircraft), etc. But there will be a plethora of smaller companies with seemingly random names and little public facing who supply the local site with hordes of contractors. And, while these are contractor positions, they are a lot more stable than contract positions in the private sector. I spent 6 years as such a contractor and only stopped being one when I took a job elsewhere.

I will say that “entry level” is going to be harder. No one wants to hire an train someone without experience, which puts you in a catch-22. For all the suck involved, you may want to consider putting in some time working a help desk. At minimum, it keeps you in proximity to the field, teaches you something about systems and provides related, if not direct, cybersecurity experience.

Best of luck.

But they pinky promised that only the “good guys” would use the “front doors”. /s

I’ll add Kingdom Come: Deliverance to the list. Great story, fun (if challenging to learn) gameplay and really amazing environments.

What do you do to feel like you’re part of everyone else and in a way cope with some of the pressures of life around you?

I stopped giving a fuck about everyone else. I do what makes me, my wife or my kids happy. The rest of the world can go stuff a sock in it. Sure, I like to keep up on news and politics and will go read related sites when I have time and energy. I also listen to several podcasts and follow several Youtube channels. But, those are all things I do because I want to do them. If I’m not feeling like doing one of those things, I don’t. I also work and so have to keep up on the aspects of life related to that; but, I don’t pretend to be interested in things just to make coworkers happy. I am employed to do a job, they are employed to do a job. Sometimes we do a job together and I focus on the work at hand. And yes, I do socialize a bit with my coworkers as we have some shared hobbies and interests. But, if they start going off about basketball, I let them say their peace and then move on. It’s not my cup of tea and I feel no need to engage with it.

One of the most important secrets to life is learning to set boundaries. Don’t let other peoples’ wants become your needs. Be who you are because it’s who you want to be. If other people can’t deal with that, then they can go put their problems somewhere uncomfortable for them.

Can’t wait for the details to come out. My money is on half the systems running operating systems which are old enough to drink, along with an understaffed, underpaid security team who spends all their time chasing people opening phishing emails. And that will be coupled with management which “cares about security”. And by “care” they mean “don’t have a clue and don’t actually give a fuck”.

There may also be a (very weak) reason around bounds checking and avoiding buffer overflows. By rejecting anything longer that 20 characters, the developer can be sure that there will be nothing longer sent to the back end code. While they should still be doing bounds checking in the rest of the code, if the team making the UI is not the same as the team making the back end code, the UI team may see it as a reasonable restriction to prevent a screw up, further down the stack, from being exploited. Again, it’s a very weak argument, but I can see such an argument being made in a large organization with lots of teams who don’t talk to each other. Or worse yet, different contractors standing up the front end and back end.

I don’t know how anyone makes it without a password manager at this point.

Password reuse. Password reuse everywhere.

Perhaps a bit on the campy side, the opening theme song of the original Highlander was always one of my favorites:
Princes of the Universe by Queen.