[-] Mikina@programming.dev 14 points 2 days ago

Don't forget the gain of 10000 bucks in the repair shop they're running.

[-] Mikina@programming.dev 17 points 2 days ago

Routine visits are not covered per the last point, no?

[-] Mikina@programming.dev 14 points 2 days ago

It mentions that Privacy Guides have apps that help with batch-submitting requests to Data brokers for removal of data, but I couldn't find it there. Anyone has a link?

Also, is this something that applies only to the US residents, or is there a similar process for EU people? Most of the guides/services I've seen were US-only.

[-] Mikina@programming.dev 1 points 3 days ago* (last edited 3 days ago)

This is the first time I'm hearing about semver contract. I always assumed the x.y.z versioning was pridever, which was the first definition I found. And that says nothing about backwards compatibility.

So it might as well be the case of the XKCD.

https://pridever.org/

[-] Mikina@programming.dev 3 points 4 days ago* (last edited 4 days ago)

I highly recommend it, especially the kind where you have a pre-written set of characters and story with semi-scripted events, instead of just being "bring your own character" (not sure how is this kind of LARP called). It's such a different experience, because every character has a purpose, has as lot of conflicts, and everything is made to just work.

For example, one of the best LARPs we had here was a Disco Elysium inspired one, and it's just such a cool experience.

But be careful, there is a reason why people compare this kind of LARPing to heroin :D You will probably emotionally crash out after it ends, just like it is pretty addicting.

[-] Mikina@programming.dev 2 points 5 days ago

I might've been wrong, see other replies to my comment. It might've been some kind of honor equipment rental, where you can borrow sporting equipment, instead of it being a locker for people to store things in.

But the context of the post is basically the same. City did something nice, people vandalized it :D

[-] Mikina@programming.dev 17 points 5 days ago* (last edited 5 days ago)

Oh, it was definitely how that world worked, and she played that role really well.

But, the experience (especially in multi-day nonstop LARPs, where you immerse into the world and your character really extensively) is pretty indistinguishable from real-life. At least in how you perceive it. For the few days, your life has these problems now. And you just accept it and get into it, and don't even consider a difference between real and "imaginary" problems. It's hard to describe, tbh.

I was not trying to imply that any of the involved people were grifters, I was mostly talking about the experience of being in a situation like that, where you have to actually talk to someone like that. I'm pretty sure that there wouldn't be much of a difference between talking to someone who can roleplay well and has spend two days in their character, vs. talking to someone who spent most of their life being indoctrinated like this.

Or rather, the problem-solving part of it. I had literal days in that world to figure out how to approach this, what to say so it would work in that situation, how to argue with her. I didn't come up with anything that would work, and things that I came up with were swiftly rebated by fanatic religious speeches. Just like she had a pretty easy time of coming up with arguments I couldn't say much against, that would still be perfectly in-character, as she told me after the LARP.

EDIT: I may have misunderstood your comment, sorry :D. Yes, you are right, it was how the world worked - we did eventually all died because some kind of evil has been awakened, lol. But that doesn't change anything about the experience of having to argue with someone who's indoctrinated in a cult vs. you, who don't believe in stuff like that. It's difficult. From my point of view, they were grifters, because I had no indication of proof of what they are saying, so I did my best to figure out what to do or say, and I couldn't come up with anything.

[-] Mikina@programming.dev 2 points 5 days ago

Oh, you are right. There seems to be some text on the outside. Might've been just some equipment to borrow.

Ok, it might need more context :D

[-] Mikina@programming.dev 15 points 5 days ago* (last edited 5 days ago)

It might have been just a misinformation, but I've read somewhere that according to some regulations, the requirements for your food to be considered "free ranging" are nowhere near sufficient. Like, you can have a building with (tens of) thousands of chickens, but as long as they have 5x5m of outside ranging space, they are considered free ranging.

If anyone knows more about this, I'd love to learn, but it was pretty eye opening. I wouldn't be surprised if bullshit lobbying managed to secure "wins" like this, tbh.

EDIT: I was kind of wrong, it was a misinformation. I mean, unsurprisingly, aside from "free ranging" label in the US.

EU & UK

US

[-] Mikina@programming.dev 21 points 5 days ago* (last edited 5 days ago)

When have they cared about being virtuous? As far as I know, the main point of maga is mostly being vitriolious.

They are not using virtue as a goal to aspire to, but as an excuse to do vile shit and be racist dickbags.

[-] Mikina@programming.dev 20 points 5 days ago* (last edited 5 days ago)

At this point, any time there is "next big update" of anything, I don't want to have anything to do with it.

Kernel might be an exception (I mean, I did work in cybersecurity, so I understand the importance of updates pretty well), but still. I don't think there has been an update of anything I've been using that wasn't just an enshitification bullshit in the last few years...

[-] Mikina@programming.dev 56 points 5 days ago* (last edited 5 days ago)

I remember playing this 3 day LARP, the kind with pre-written in-depth characters and story that is played over 3 days strait in characeter, in Wierd Wild West setting, where I played a Trapper that was about to marry someone from the local village, my family was married into but my parents died shortly after.

It eventually turned out that the whole village is a cult that eats people to keep some kind of evil imprisoned, and my fiance's family is the one spiritually leading it, and I still can't forget the nights spent trying to reasonably argue and discuss with my fiance that it's definitely not ok and we should just leave.

I obviously never had to have discussions like this in real life, but it was pretty interesting how extremely futile it is. They have so many arguments you can't say anything against. Once they start with "But this is our purpose given to us by God, if we don't do this the whole world will end", or "It was God's will, you will understand soon", you really don't have much to say to that to get through.

Of course, it was just a LARP and she played her character well, but now I can pretty vividly imagine that talking to someone who's so much into anything like that is extremely difficult, to the point of being futile.

(I managed to convince her to leave, the winning argument was "Your grandmother tried to poison me, here is proof", lol).

1030
503 (thelemmy.club)
206
It is what it is (thelemmy.club)
59

I love it. It's elegantly simple piece of electronics, while also being an amazing audiovisual spectacle. For the whole office.

723
submitted 3 months ago* (last edited 3 months ago) by Mikina@programming.dev to c/games@lemmy.world
29
submitted 4 months ago* (last edited 4 months ago) by Mikina@programming.dev to c/privacy@programming.dev

Hello!

With the recent news about Discord, I've seen several people starting to consider Matrix as an alternative. That's why I wanted to share my experience with self-hosting it, because the whole hosting and upkeep of the server can be extremely simplified (and kind of cheap), if you choose the right tools for the job.

tl;dr - You can host Matrix with 2 very simple config changes and around 4 commands through this ansible project.

A little disclaimer - my use-case for Matrix is mostly to just bridge other messanging platforms, in my case it's Discord (text only), WhatsApp, FB Messenger and Telegram. I have set up voice support but never properly stress-tested it, and the user count of my server is 2 users. While the setup process will mostly be the same, I can't vouch for the chosen VM to handle higher traffic.

The main project I wanted to talk about is the matrix-docker-ansible-deploy, because it makes self-host the whole Matrix stack, along with a metric ton of optional services, extremely easy. For those that don't know, ansible is a tool that allows you to write "playbooks" of steps to run on a specified server that will set up whatever you need. In this case, the playbook is set up to install Matrix and any of the dozens of services, install it and their requirements, configure it, and all you have to do is set up config options telling it what you want and run the playbook, making it super easy.

So, how does the self-hosting actually looks like? I'm assuming knowledge about setting up hosting, ssh, domain, and basic work with docker.

You need to get a domain, and get a VPS. I've chosen Hetzner cloud CAX11 (ARM, 2 VCPU, 4GB RAM, 40Gb storage), which goes for ~7$ a month including storage and IP.

Get your private key and IP, and don't forget to set up firewall. You also need to set up Ansible and Just on your computer, here's the docker I'm using for the job. Make sure to run it from the matrix-docker-ansible-deploy folder (so from inside the repo):

docker run -it --rm -w /work -v `pwd`:/work -v $HOME/Work/Matrix-server/hetzner.key:/root/.ssh/id_rsa:ro --entrypoint=/bin/sh docker.io/devture/ansible:2.16.1-r0-0

Once you're there, you just pull the ansible project and can start with a Quickstart. This is the most difficult step - you have to set up and configure two files, one with your server host IP, and one with config vars.yml.

But, the basic config is extremely simple. You just give it a domain, and generate a few DB passwords, and you'll have a working matrix server. If you want other services, like bridges, it's usually also simple, and the documentation is clear. For example, adding voice support was literally just adding matrix_rcp_enabled: true into the vars.yml file.

Once you have that set up, the whole install process is literally running (from inside the ansible docker mentioned above)

just update (to update the playbook)

and then

ansible-playbook -i inventory/hosts setup.yml --tags=install-all,ensure-matrix-users-created,start

And that's it. Assuming you have your server SSH key set up properly, it should simply run and install whatever you have configured. It might throw some errors, but so far every one I've seen was extremely clear.

Also, don't forget to update often! I'm using this command from the ansible docker (with ssh key setup) mentioned above that does it:

git config --global --add safe.directory /work && git pull && just roles && just setup-all

I've never had the ansible fail in a way I couldn't figure out, even when I was updating after more than half a year - the script is so robust it even told me to remove depreciated config options. It's one of those rare projects that is so extremely robust it can handle a lot of situations. The only difficult issue I had in the two years was running out of space, since that made random things fail, and Matrix is pretty data heavy (because it saves all images).

As for my experience with matrix, I've been using it as my only message app for two years, and most of the time, it has been fine.

There are a few caveats:

  • WhatsApp bridge requires me to log in to WhatsApp app every two weeks. I just have it in a separate quarantine profile on my GrapheneOS, and log it from time to time.
  • Messenger bridge has stopped logging in after two years of usage without issues last week. I haven't solved it yet, but it looks like Meta has upped their bot detection.
  • Discord bridge works great for chat, including servers, but AFAIK you can't join voice.
  • Telegram had issues with logging out when I used a new account, but after using my personal, it's all right. Topics don't work AFAIK, though.
  • And of course - all of the apps still get my data and my messages.

But, I was tired of not being able to convince my friends to switch, and by bridging it all to Matrix, I can at least avoid having their apps and visiting their sites, which is an OK compromise for me.

If you have any questions, feel free to ask. I wanted to share some visibility for this project, because just by watching the gazzilion of steps the playbook is doing, I can imagine that trying to actually self-host Matrix manually might be pretty long edeavour, but this project has so far done everything perfectly in a matter of three commands and a config change.

25
submitted 7 months ago* (last edited 7 months ago) by Mikina@programming.dev to c/privacy@programming.dev

Hello!

I've been following the discourse about the recent ChatControl update that has passed few days ago, and I have been wondering if it changes anything for the majority of people who were ok with the first version from 2021.

First a disclaimer - I'm vehemently against it, because it does affect me since I do use the alternative services affected, and I'm not trying to downplay the impact. I know that it's an issue for people already invested in privacy, but this question focuses on general population and services that reportedly already do the scanning anyway.

At least based on information on this website, most of the commonly popular services have been doing ChatControl since 2021:

Currently a regulation (that passed in 2021) is in place allowing providers to scan communications voluntarily (so-called “Chat Control 1.0”). So far only some unencrypted US communications services such as GMail, Facebook/Instagram Messenger, Skype, Snapchat, iCloud email and X-Box apply chat control voluntarily (more details here). As a result of the mandatory Chat Control 2.0 proposal, the Commission expected a 3.5-fold increase in scanning reports (by 354%).

My first question is - is this correct? I have not seen it mentioned anywhere else, not even a single comment in any discussion about the new resolution, and I don't want to spread false information. It sounds like an important fact that more people should be aware of, but everyone seemed to conviniently forget right after the first Chatcontrol passed in 2021, and the first round of trying to pass the second one (in 2023 or whenever) failed. If anyone has more information about the current state, I'd love to hear it.

Assuming that's correct, then my question/rant is - what does change for people who are already using these services exclusively? People like that had the last 5 years to do something about the serious privacy violation like this - stop using services that do the scanning. Most of them did not do that, forcing people like me to choose between privacy and being able to contact my friends, because "they don't want to install a new chatting app, and everyone is on Messenger anyway". And I'm pretty sure that they wouldn't stop even if the new resolution did not pass.

I realize it sounds more than a rant that a question, because it kind of is, it has been frustrating screaming about ChatControl to deaf ears for the past few years, but I'm also honestly asking what actually changes. Even though I am frustrated, I still want to have actual arguments, so when I'm convincing people to stop using those services, I'm not lying that "nothing changes for you if you don't switch" (assuming the current resolution does not get finalized and implemented). Plus, since people are now actually listening about ChatControl, telling them that it's already happening does have a greater impact.

1025
89
submitted 9 months ago* (last edited 9 months ago) by Mikina@programming.dev to c/gamedev@programming.dev

Unity has been sounding the alarm about a code execution vulnerability that has been identified in all applications built with vulnerable editor.

EDIT: While the below text kind of still holds for Desktops, I've absolutely forgotten about Android. If you have an Android game, you should definitely patch, since the situation is kind of different there.

Also, if your game is registered as custom URL schema handler, it can lead to privlidge escalation, or maybe even be triggered remotely (through a malicious link), so Update.

While there's definitely no harm in patching, in my personal opinion, the situation is needlessly overblown. I have worked in offensive cybersecurity, and the fact that Unity game allows you to locally run a code that

would be confined to the privilege level of the vulnerable application, and information disclosure would be confined to the information available to the vulnerable application.

is not really exploitable. Since the attack vector is local, the attacker already has to have read/write/execute access to the application and your system, which usually means you have way bigger problems.

Not to mention that since Unity suffers with .dll injection vulnerability (which is what most mods are using), the attacker can do the same by simply replacing a .dll file of the game.

So, patch up if you can, but if you're not able or can't be bothered, in my opinion, it doesn't really matter. But please prove me if I'm wrong.

29
submitted 1 year ago* (last edited 1 year ago) by Mikina@programming.dev to c/gamedev@programming.dev

I've recently discovered this project, which assuming it works as advertised (which I think wasn't really tested yet, since it seems to be a pretty new repo) sounds like a pretty good library to add into your toolbox.

For those that do not know, LINQ is basically a query language over collections in C#, that allows you (from the top of my head) to do stuff like

someList.Where(x => x.value < 10).OrderBy(x => x.priority).Select(x => x.name)

which would give you a IEnumerable list with names of elements where value is smaller than 10, ordered by priority.

However, using LINQ in performance critical code, such as per-frame Updates, is not really a good idea because it unfortunately does generate a lot of garbage (allocations for GC to collect). Having a version that doesn't allocate anything sounds awesome, assuming you are a fan of LINQ.

What are your thoughts? For me, it sounds like something really useful. While it's not really that difficult to avoid LINQ, I'm a fan of the simplicity and descriptive nature of the syntax, and not having to avoid it would be great. It does seem there are quite a few issues starting to pop up, but it's definitely a project that could be worth it to follow.

31

Hello!

I've been wanting to start a blog, so I can get rid of the few opinion-pieces that are filling up space in my mind, but I've gotten stuck at selecting a good framework with which to host the site.

Does anyone have a recommendation for a lightweight blog engine, that can prefferably federate into ActivityPub? I know about Wordpress, but I wanted to avoid it mostly in regards to security. Not that it would be unsecure per se and with proper maintanance, but I'm lazy and will probably forget to update it often enough, and due to it's popularity it's a pretty common target.

So far I was considering https://writefreely.org/, but I'm not sure if I would be able to make it look good/interesting.

I've also heard good things about Ghost, but the linked website seems to imply that federation is still not ready, is that correct?

Is there anyone here with their personal blog, who have a software to recommend I should look into?

Thank you!

142
submitted 2 years ago* (last edited 2 years ago) by Mikina@programming.dev to c/gamedev@programming.dev

UPDATE: So, apparently it's mostly fake, taken from this article [translation] (where they even mention some kind of VCS).

However, even though it's not as absurd, it's a great read and a pretty wholesome story, so I recommend reading the article instead. And I'm even more convinced that this studio really does not deserve any of the hate they are getting.

Here is my summary of some of the interesting points from the article:

PocketPair started as a three man studio, passionate about game development, that couldn't find an investor for their previous games even though they've had really fleshed out prototypes, to the point where they just said "Game business sucks, we'll make it and release it on our own terms", and started working on games without any investor.

They couldn't hire professionals due to budget constraints. The guy responsible for the animations was a random 20-yo guy they found on Twitter, where he was posting his gun reload animations he self-learned to do and was doing for fun, while working as a store clerk few cities over.

They had no prior game development experience, and the first senior engineer, and first member of the team who actually was a professional game developer, was someone who ranomly contacted them due to liking Craftopia. But he didn't have experience with Unity, only Unreal, so they just said mid-development "Ok, we'll just throw away all we have so far, and we'll switch to Unreal - if you're willing to be a lead engineer, and will teach us Unreal from scratch as we go."

They had no budget. They literally said "Figuring out budget is too much additional work, and we want to focus on our game. Our budget plan is "as long as our account isn't zero, and if it reaches zero, we can always just borrow more money, so we don't need a budget".

For major part of the development, they had no idea you can rig models and share animations between them, and were doing everything manually for each of the model, until someone new came to the team and said "Hey, you know there's an easier way??"

It's a miracle this game even exists as it is, and the developer team sound like someone really passionate about what they are doing, even against all the odds.

This game is definitely not some kind of cheap cash-grab, trying to milk money by copying someone else's IP, and they really don't deserve all the hate they are receiving for it.

50

Hello!

I've recently stumbled upon an amazing blog about getting credentials from Bitwarden vault through DPAPI and Windows Credential Storage, and what suprised me is that any low-privileged process can just ask for all information in Credential Storage, without requiring any user input (the article discusses it in the second half, even though the first half is about abusing DA credentials), through the CredEnumerateW WinApi call.

Since that vector was pretty interresting, I tried running their PoC for listing the cred storage on my, and several colleague machines, and was surprised that every machine had domain account credentials listed in plaintext, that could be grabbed by any low-privileged process just by calling this WinAPI.

I suspected that it's because of Outlook or Teams, because I found articles from few years ago mentioning that they do get saved there. However, one colleague did not have his credentials there, even though he was using Teams and Outlook, and had his password saved.

So, how did that password get there? Why most people we tried the PoC with do have a domain password saved, but some do not? Or is it because of Windows Hello? I'd love to get some kind of solution/recommendation about how to avoid having your password, in plaintext, in such an insecure space. Or was I dumb enough to save it into Edge somwhere, and have promptly forgotten about it?

And more importantly - how this isn't a pretty severe vulnerability, and is considered "as designed" by Microsoft? The fact that any process can just ask for your credentials is mind-blowing, plus it isn't even detected by EDRs we've tried it with when discussing it with our SoC.

view more: next ›

Mikina

0 post score
0 comment score
joined 3 years ago