• 0 Posts
  • 55 Comments
Joined 3 years ago
cake
Cake day: June 12th, 2023

help-circle

  • For the unprivileged container thing, containers tend to be lighter on resources than VMs at the cost of a little isolation (they share the same kernel as proxmox which could have security implications).

    The ability for lxc containers to run unprivileged with all the restrictions that entails alleviates a bit of that security risk.

    Both options are generally considered pretty secure but bugs/vulnerabilities could break isolation in either case. The only real 100% safe isolation is bare metal.

    I tend to run containers unless I have a really good reason to need a VM, and run unprivileged unless I have a really really good reason not to.


  • My recommendation is a VPN server to connect in from outside and have the default gateway for the VPN clients be a server that acts as a router that’s set up with your commercial VPN.

    That way, you can be outside on a phone or a computer, access your internal network and still have your public internet traffic go out through your commercial VPN without having to be able to configure multiple VPN connections at once (eg. Android doesn’t support that).

    Eg. 2 debian proxmox containers. One that runs wireguard (head/tailscale might also work here?) for external access and one that runs mullvad(or whoever) VPN cli and IP forwarding to be the gateway for your clients.

    Only downside is the extra hops to send everything through your home network first rather than straight to the commercial vpn which is probably fine depending on your speeds. You can always disconnect and connect directly to the commercial VPN for faster internet traffic if you need to.


  • TechLich@lemmy.worldtoFediverse@lemmy.world1st Feb is #GlobalSwitchDay
    link
    fedilink
    English
    arrow-up
    11
    arrow-down
    1
    ·
    23 days ago

    But I don’t want a bunch of huge images in my face. Isn’t that what pixelfed and Instagramy things are for? I only want to click on the things I’m interested in, not be shown an ugly frustrating stream of giant, semi-traumatic political pictures one after the other. Thumbnails exist for a reason and claiming they’re bad UX is incorrect, it’s the industry standard design pattern for any control that allows a user to browse quickly through multiple images or to provide an impression to a user before they decide whether or not to open the full content.

    Lemmie/piefed is more about text and conversations so titles should always be the largest clearest part so you can read them quickly to know whether you want to engage with the post or not. Otherwise, how is it different from pixelfed? Likes vs upvotes is not a big difference.


  • “known by scientists for a long time” doesn’t necessarily mean true. Medical science believed in the four humours and thought most disease was caused by an imbalance in bile, blood and phlegm for like 1200 years before being replaced by the idea that it was actually miasma and stinky air.

    Germ theory’s claim that tiny monsters are eating your insides, maybe like invisible poisonous insects or miniature demons and you need to wash them off your hands - Sounded Batshit crazy by comparison.

    Questioning long-held assumptions and challenging scientific norms is a good thing, but every human has a grift that they’re vulnerable to and for some people, even smart, sciencey people, that grift is conspiracy alt science anti vax flat earth hollow earth aliens built the pyramids and the government doesn’t want you to know the truth.


  • Unfortunately that’s not really all you need. It needs integrity too. Need to be able to verify that the output came from the input and hasn’t been modified or tampered with.

    Also need to ensure that, despite being anonymous, people can only vote once and can’t vote on behalf of someone else.

    Also that whoever is receiving and counting the votes can’t miscount or lie about the count or figure out which votes came from where by decrypting individual votes as they’re received.

    The scheme they were using is “Helios” which involves people encrypting their votes such that a group of authorities can combine all the encrypted votes together homomorphically to count them and then decrypt the results without ever knowing any one vote. They then use zero-knowledge proofs to prove that they did it correctly and nobody could have known what any vote was or tampered with any results at any point.

    Someone just derped and lost their private key so they couldn’t decrypt the results after they’d been combined…


  • This is very true, though I’d argue that Windows makes most of the same assumptions with user accounts. Also, the internal threat model is still important because it’s often used to protect daemons and services from each other. Programs not started by the user often run in their own user accounts with least privilege.

    You no longer have 10 different humans using the same computer at once, but you now have hundreds of different applications using the same computer, most of which aren’t really under the user’s control. By treating them like different people, it’s better to handle situations where a service gets compromised.

    The question is more about passwords which is mostly down to configuration. You can configure Windows to need a password for lots of things and you can configure Linux to not. They just have different defaults.


  • The big difference between UAC and Sudo is that you can’t as easily script UAC. They can both require (or not require) a password but UAC requires user interaction. Sudo has no way of knowing if it’s being interacted with by a person or a script so it’s easier for applications to escalate their own privileges without a person doing it. UAC needs to have the escalation accepted with the keyboard or mouse.

    There’s still plenty of sneaky ways to bypass that requirement but it’s more difficult than echo password | sudo -S



  • I’m not anti-ai at all but this sort of thing feels like a security vulnerability to me?

    Any website with a malicious prompt injection on it could instruct the ai to scam the user.

    Almost like xss but instead of needing malicious user-inputted js, malware targeting the ai can just be written in text so an attacker could put it in a comment or whatever.


  • 600 million to 13 billion parameters? Those are very small models… Most major LLMs are at least 600 billion, if not getting into the trillion parameter territory.

    Not particularly surprising given you don’t need a huge amount of data to fine tune those kinds of models anyway.

    Still cool research and poisoning is a real problem. Especially with deceptive alignment being possible. It would be cool to see it tested on a larger model but I guess it would be super expensive to train one only for it to be shit because you deliberately poisoned it. Safety research isn’t going to get the same kind of budget as development. :(








  • “No conclusion whatsoever” is basically the scientific consensus on whether Dvorak has any effect on efficiency or typing speed. It’s hard to get good data because it’s hard to isolate other factors and a lot of the studies on it are full of bias or have really small sample sizes (or both).

    To anyone thinking of learning Dvorak, my advice is don’t. It takes ages to get good at, isn’t THAT much better and causes a lot of little annoyances when random programs decide to ignore your layout settings or you sit down at someone else’s computer and start touch typing in the wrong layout from muscle memory or games tell you to press “E” when they mean “.” or they do say “.” but it’s so small that you don’t know if it’s a dot or a comma and then you hit the wrong one and your guy runs forward and you die…

    That said, I’m also a Dvorak user and it is very comfortable and satisfying and better than qwerty. Just not enough to be worth all the pain of switching.