Is there a similar bot on Lemmy?
Just a lvl 27 guy from 🇫🇮 Finland. Full-stack web developer and Scrum Master by trade, but more into server-side programming, networking, and sysadmin stuff.
During the summer, I love trekking, camping, and going on long hiking adventures. Also somewhat of an avgeek and a huge Lego fanatic.
They can include runnable JavaScript too, which can cause vulnerabilities in certain contexts. One example from work some years back: We had a web app where users could upload files, and certain users could view files uploaded by others. They had the option to download the file or, if it was a file type that the browser could display (like an image or a PDF), the site would display it directly on the page.
To prevent any XSS (scripts from user-provided files), we served all files with the CSP sandbox header, which prevents any scripts from running. However, at the time, that header broke some features of the video player on certain browsers (I think in Safari, at least), so we had to serve some file types without the header. Mistakenly, we also included image files in the exclusion, as everyone thought image files couldn’t contain scripts. But the MIME type for SVG files is image/svg+xml… It was very embarrassing to have such a simple XSS vuln flagged in a security audit.
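The header decision described in the comment above, written out as an added example (this is not code from the commenter's app or from any project mentioned on the page). It models a file-serving endpoint that puts a CSP `sandbox` on user uploads and has to decide which MIME types to exempt: the buggy rule exempts everything under image/* alongside video/*, the fixed rule exempts only video/* and never a script-capable document type. The sample SVG is constructed for the example, and the helper names are assumptions.

```javascript
// Constructed sample of an "image" that is really a script carrier. Served
// inline as image/svg+xml without a sandbox, the script runs in the site's
// origin just like any other XSS.
const SAMPLE_SVG = [
  '<svg xmlns="http://www.w3.org/2000/svg" width="1" height="1">',
  "<script>alert(document.domain)</script>",
  "</svg>",
].join("");

// MIME types that are full documents and can carry <script> elements or
// on* event-handler attributes; none of these may ever leave the sandbox.
const SCRIPT_CAPABLE = new Set([
  "image/svg+xml",
  "text/html",
  "application/xhtml+xml",
  "text/xml",
  "application/xml",
]);

// Normalise "Image/SVG+XML; charset=utf-8" to "image/svg+xml".
function baseType(mimeType) {
  return String(mimeType).toLowerCase().split(";")[0].trim();
}

// Case-insensitive check for an inline <script> element or an on*= handler.
// Only here to show that the sample really is active content; enforcement
// should rest on the header, not on scanning the payload.
function svgHasScript(markup) {
  return /<script[\s>]/i.test(markup) || /\son[a-z]+\s*=/i.test(markup);
}

// The rule from the story: "images can't contain scripts", so image/* was
// dropped out of the sandbox together with video/*.
function headersBuggy(mimeType) {
  const type = baseType(mimeType);
  const exempt = type.startsWith("video/") || type.startsWith("image/");
  const headers = { "Content-Type": type };
  if (!exempt) headers["Content-Security-Policy"] = "sandbox";
  return headers;
}

// Fixed rule: exempt only what the player actually needs (video/*), refuse
// to exempt any script-capable type, and add nosniff so the browser cannot
// promote the bytes to a different, scriptable type on its own.
function headersFixed(mimeType) {
  const type = baseType(mimeType);
  const exempt = type.startsWith("video/") && !SCRIPT_CAPABLE.has(type);
  const headers = {
    "Content-Type": type,
    "X-Content-Type-Options": "nosniff",
  };
  if (!exempt) headers["Content-Security-Policy"] = "sandbox";
  return headers;
}

// True when the response carries a CSP with the sandbox directive.
function isSandboxed(headers) {
  return /\bsandbox\b/.test(headers["Content-Security-Policy"] || "");
}
```

With the buggy rule `headersBuggy("image/svg+xml")` has no CSP at all, which is exactly the gap the audit found; with the fixed rule PNGs and JPEGs stay sandboxed too, which costs nothing because a sandbox only matters for content that could run script in the first place.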
My use case is a bit different than yours but still worth mentioning, I think; I have Sharry running in Docker and it makes sharing and receiving files super easy. All downloads and uploads are resumable so they work well even in unstable networks.
I never understood why exactly it’s such a controversial topic. It’s my third year on Mastodon, and I’ve never felt the service was lacking just because it didn’t have proper quote posts. But then, I also don’t understand most of the arguments against them, especially when/if they’re implemented as an opt-in for the original poster.
Basically, people on both sides seem angry over nothing, and I’m just like, ‘Neat, a new feature. Anyway…’
You will be able to choose whether your posts can be quoted at all.
You will be notified when someone quotes you.
You will be able to withdraw your post from the quoted context at any time.
To me this sounds like the right way of doing it. Quote posts have always been kind of a hot topic on Mastodon. Some people want them while others absolutely do not. So best just let everyone decide for themselves.
In addition to what others have already pointed out, please also note that mentioning any other account in a “private” message chain will allow that account to retroactively see all the messages in the chain.
Basically DMs in Mastodon are pretty useless.
There would need to be a way to guarantee that only the browser could do this, or at least some way to tell exactly what the source was.
I don’t think there’s a way to do that. Let’s say browsers implemented this. I could then just take a copy of the Firefox source code and make my own version, which is exactly the same as normal FF except the fancy screenshot tool has been slightly modified to allow editing the page before taking the screenshot.
The website (Telegram in this case, but can be any website) adds a specifically crafted text to the clipboard and then tricks the user into pasting that text into the Windows Run dialog, which can be used to execute any command(s), basically like a command prompt.
The text the attacker places in the clipboard is actually a command to download and execute an executable file from the internet, giving the attacker remote access to the system or whatever the payload happens to be.
It’s a pretty clever trick. Perhaps MS should consider adding a warning before allowing pasting into the Run dialog or cmd for the first time. They already have this in the Edge browser console.
the malicious package was added to PyPi last year in June and has been downloaded 885 times so far.
That’s a pretty long time to go undetected. Makes you wonder how many other similar packages there currently are, yet to be discovered, in PyPi, npm and others.
I do it if I’ll be away for more than just a couple of days. Some of my hardware is pretty old at this point and I’m just a little paranoid about the possible fire hazard. I’m sure it would be fine to leave everything running, but there’s no real harm in shutting it down either.
Also, if applicable, have a different person perform the restore every time and have them do it just by following the documentation. This way multiple persons have actual experience with the process if the shit ever hits the fan and this also makes sure the documentation is accurate and up-to-date.
Sure. I’m not recommending anything, just stating what has worked for me. For simple use cases, I think most of the DDNS services are pretty much the same anyway, and it’s easy to switch to another one if one stops working for some reason.
I’ve been using the No-IP free plan for years without issues. Inputted the credentials into my router’s DDNS client and then basically forgot about it. Free users need to confirm their account once a month via email, but that’s just one click.
If your domain registrar happens to have an API to update DNS entries, you could implement DDNS yourself by writing a simple automated script to check the external IP (e.g. via ipify.org) and if it’s changed from the last check then call the API to update the DNS entries.
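The do-it-yourself DDNS loop described in the comment above, as an added example (not code from the commenter or from any registrar). It fetches the external address from ipify's JSON endpoint, validates it strictly, compares it with the last address it stored, and only then calls the registrar. The registrar call (`updateRecord`) is an assumption: every registrar has its own endpoint and auth scheme, so it is passed in as a function for you to supply. `memoryStore`, `fileStore` and the hostname used in the test are example names, not anything from the page.

```javascript
const IPIFY_URL = "https://api.ipify.org?format=json";

// Strict dotted-quad check. Never hand an unvalidated string from a third
// party to the registrar: a spoofed or broken response would otherwise let
// someone point your hostname wherever they like.
function isValidIPv4(s) {
  if (typeof s !== "string") return false;
  const parts = s.split(".");
  if (parts.length !== 4) return false;
  return parts.every((p) => /^(0|[1-9]\d{0,2})$/.test(p) && Number(p) <= 255);
}

// Pure decision step, kept separate so it can be tested without the network.
function needsUpdate(currentIp, lastIp) {
  if (!isValidIPv4(currentIp)) throw new Error(`bad external IP: ${currentIp}`);
  return currentIp !== lastIp;
}

// Ask ipify for the current external address. fetchImpl is injectable for
// tests; Node 18+ provides a global fetch.
async function externalIp(fetchImpl = globalThis.fetch) {
  const res = await fetchImpl(IPIFY_URL);
  if (!res.ok) throw new Error(`ipify HTTP ${res.status}`);
  const body = await res.json();
  if (!isValidIPv4(body.ip)) throw new Error(`bad external IP: ${body.ip}`);
  return body.ip;
}

// One pass of the loop (run it from cron or a timer). `store` persists the
// last known address via get()/set(); `updateRecord(hostname, ip)` is the
// registrar API call you write for your provider (assumed signature).
async function runOnce({ hostname, getIp = externalIp, store, updateRecord }) {
  const current = await getIp();
  const last = store.get();
  if (!needsUpdate(current, last)) return { updated: false, ip: current };
  await updateRecord(hostname, current); // registrar API: placeholder
  store.set(current); // persist only after the registrar accepted it
  return { updated: true, ip: current };
}

// File-backed store for real use (CommonJS / Node). The path is an example.
function fileStore(path) {
  const fs = require("fs");
  return {
    get: () => (fs.existsSync(path) ? fs.readFileSync(path, "utf8").trim() : null),
    set: (ip) => fs.writeFileSync(path, ip + "\n"),
  };
}

// In-memory store, useful for tests and dry runs.
function memoryStore(initial = null) {
  let value = initial;
  return { get: () => value, set: (ip) => { value = ip; } };
}
```

Wire it up by calling `runOnce({ hostname, store: fileStore("/var/lib/ddns/last-ip"), updateRecord })` on a schedule; writing the state only after a successful registrar call means a failed update is retried on the next pass instead of being silently forgotten.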
My main issue with CVEs nowadays is that it seems one gets generated even when 99% of the use cases for the software in question are not vulnerable, as the vulnerability requires a very specific configuration/circumstances/etc. to be exploitable. In large projects with lots of dependencies this adds a lot of noise and there’s a risk that actually important CVEs go unnoticed.
I was going to give the example of the Carnival cruise ship that sank in the 2010s (I think) largely due to the captain’s incompetence[…]
That’s Costa Concordia. It received extra media attention and is mostly known due to the awful behavior of the captain who first directly caused the accident and then fled the ship before most of his passengers.
Well, just by looking at responses in this thread, the controversy most definitely still exists. Some seem to like it and others hate it fiercely.
Cool, thanks for the explanation.
a single application that gets bundled with all necessary dependencies including versioning
Does that mean that if I were to install Application A and Application B that both have a dependency on package C version 1.2.3, I would then have package C (and all of its possible sub-dependencies) twice on my disk? I don’t know how many external dependencies applications on Linux usually have, but doesn’t that have the potential to waste huge amounts of disk space?
Sorry to ask, I’m not really familiar with the Linux desktop nowadays: I’ve seen Flatpak and Flathub talked about a lot lately and it seems to be kind of a controversial topic. Anyone wanna fill me in on what all the noise is about? It’s some kind of cross-distro “app store” thingy?
!lemmySilver
Just testing whether it still counts if the comment contains other text after the command. It’s not immediately clear from the instructions how that works.