great, thanks. i’ll try it out as i have some spare resources on my server.

🤔 maybe there is a lack of distributed fediversed search engine instances where:

1. everyone can host a search engine for their very own pages
2. everyone can crawl other pages and provide (maybe with permissions) the crawled data to other search engines (as compressed snapshots, api …) or provide a search engine by themselves for all.
3. such search engines can be ranked or marked with “has anti features xyz” and put into followable ‘collections’ per topics.
4. possibility to add 3rd party rankings and filters, so that one can use only a subset of a search engine list that was pieced together by someone you know or trust, reduced by rankings or filters published by another one you somehow trust to limit the items in the first list.

then: “for software development i use linuz personal ‘devel’ collection, this way i don’t have to manually click through big G’s gigabytes of SpaMalAds they always only frustrate you with and i am not distracted with dyo stuff when searching for server administration things like ‘puppet stages howto’. for my home projects i use my friends ‘home of DYO’ collection, i get more results than i need but get new ideas as well without seeing work stuff when looking up how to build a puppet stage for my little one. 👨‍👧 for kids its awesome, our school provides a collection including specialized search instances that fit learning, while that collection is also peer reviewed by a company that spezialized to ensure it does to not contain search engine instances that also index any unfitting content pages.”

oh btw: no i do not have any info about duckduckgo status unfortunately, i stepped over it by myself today 🤷‍♀️

that a moderately clever human can talk them into doing pretty much anything.

besides that LLMs are good enough to let moderately clever humans believe that they actually got an answer that was more than guessing and probabilities based on millions of trolls messages, advertising lies, fantasy books, scammer webpages, fake news, astroturfing, propaganda of the past centuries including the current made up narratives and a quite long prompt invisible to that human.

cheerio!

1. i am sure you won’t pay for it if my laptop disappears this way (if yes, lets make a contract with a lifetime “fee” of 0$ i pay you whilst you pay for everything that got stolen from me in a plane)
2. ppl with kleptomania do travel too
3. how could you know? you are not talking about you and your colleagues or such?
4. such statistics were made by those who benefit from planes looking more safe.
5. “work and travel” vs “steal and travel”, which is more likely be done by a thiev?
6. not all theives “need” to steal, some just do so because they can, others maybe because its family tradition.
7. sometimes it could be more important that nobody could possibly put something into(!) your bag (and remove it later) to let you get it through customs for them, those arguably “would” buy such tickets to do so, as it’s probably part of their income, but i guess thats only a problem when flying in or out of countries with big illegal drug imports.
8. <something i forgot>

it might take ages for her to choose the right boots for rebooting ;-)

if your wife wasn’t vi-impressed, maybe she already is vi-improved ;-)

I see only one reason, why i would want to be early at the seat. its bcs if i am not, my backpack might be placed above but multiple seats away by the crew, where it is then uneasy for me to have an eye on it whilst easy for theives to take and open them, especially on long flights there would be plenty of opportunity like when everyone is sleeping.

but for this case i use locks on the backpack anyway, so that anyone who wants to open it, either opens it where nothing of value is in it thus no lock, or at least has a much harder time than when trying the very same with other bags…

also on longer flights i usually did not have that problem, but that could also have been just luck

hm you have a point that it might not have been removed completely, but the problem with that point that i personally have is that this reached me too late to just believe it was really never removed. For some reasons i would not believe blindly in “evidences” that are in control of the one that is in question and could manipulate it later for such claims and also was experienced to not be trustworthy for what they say…

saying that, there are ways to check if something was there at a time or not. the one source i know that could help here only seems to store records from 29th jun 2023 18:44:33 onwards which is too late for this.

https://web.archive.org/web/20240000000000*/https://abc.xyz/investor/google-code-of-conduct/

you are right, it does not make a difference in if they can be trusted, but it makes a difference in why not and what to expect if you do so despite the red flags or -as a gov- just let things go on. A person who by accident was speeding should maybe be treated differenrly than a person who intentionally(!) does so while risking others lifes. and what would be more proof of intention than a written statement or removed canary? thus such a statement does make a difference in terms of they just cannot handle their stuff, don’t care at all or maybe even have evil intentions.

examples:

some kids making a fire in the forest cause they don’t know the risks

vs.

some young adults making a fire in the woods cause they just don’t care despite knowing the risks

vs.

a company making fire in the woods because its cheaper to do stuff there and they lack the resouces to do it safe and someone else will pay the firefighters anyway.

vs.

a company stating to want to do so cause they like it despite they could afford doing it secure but just no one could or would sue them anyway.

while i don’t want to say google is like no.4 here, to me these examples all make huge differences, no matter if the woods actually cought fire or not.

my idea currently is to finish some projects that have priority and afterwards then look for lineage os on raspberry pi, combined with gsm modem and maybe a gps module, all powered by a slim powerbank. might make up a huge bulky phone but i almost want to start building it now. On the other hand if i wait until my other projects are finished, the whole thing might be ready made available for self assembly…

after looking at the ticket myself i think the relevant things IMHO are:

• a person filed a bug report due to not seeing what changes in the new version caused a different behaviour
• that person seemed pushy, first telling the dev where patches should be sent to (is this normal? i guess not, better let the dev decide where patches go or -in this case- if patches are needed at all), then coming up with ceo style wordings (highly visible, customer experience of untested but nevertheless released to live product is bad due to this (implicitly “your”) bug)
• pushiness is counterparted by “please help”
• free-of-charge consulting was given by the one pointing to changes likely beeing visible in changelog (i did not look though) but nevertheless it was pointed out to the parameter which assumes RTFM (if docs were indeed updated) that a default value had changed and its behavior could be adjusted by using that given parameter.

up to there that person -belonging to M$ or not (don’t know and don’t care) - behaved IMHO rather correctly, submitting a bug report for something that looked like it, beeing a bit pushy, wanting priority, trying to command, but still formally at least “asking” for help. but at that point the “bug” seemed to have been resolved to me, it looks like the person was either not reading the manual and changelog, or maybe manual or changelog lacks that information, but that was not stated later so i guess that person just did not read neither changelog nor manual.

instead - so it seems to me - that person demanded immediate and free-of-charge consulting of how exactly the switch should be used to work in that specific use case which would imply the dev looks into the example files, maybe try and error for himself just so that that person does not need to neither invest the time to learn use the software the company depends on, nor hire a consultant to do the work.

i think (intentional or not) abusing a bug tracker for demanding free-of-charge enduser consulting by a dev is a bad idea unless one wants(!) to actively waste the precious time of the dev (that high priority ticket for the highly visible already live released product relies on) or has even worse intentions like:

• uploading example files with exploits in them, pointing to the exact versions that include the RCE vulnerability that sample file would abuse and the “bug” was just reported cause it fits the version needed for exploitation and pressure was made by naming big companies to maybe make the dev run a vulnerable version on it on his workstation before someone finds out, so that an upstream attack could take place directly on the devs workstation. but thats just creating a fictive worst case scenario.

to me this clearly looks like a “different culture” problem. in companies where all are paid from basically the same employer, abusing an internal bug tracker for quick internal consulting would probably be seen as just normal and best practice because the dev who knows and is actually working on the code is likely to have the solution right at hand without thinking much while the other person, who is in charge of quick fixing an untested but already live to customers released product, does not have sufficient knowledge of how the thing works and neither is given the time to learn or at least read changelogs and manual nor the time to learn the basics of general upstream software culture.

in companies the https://en.m.wikipedia.org/wiki/Peter_principle could be a problem that imho likely leads to such situations, but this is a guess as i know nobody working there and i am not convinced that that person is in fact working for the named company, instead in that ticket shows up a name that i would assume to be a reason to not rely too much about names in the tickes system always be realnames.

the behaviour that causes the bad postings here in this lemmy thread is to me likely “just” a culture problem and that person would be advised well if told to learn to know the open source culture, netiquette etc and learn to behave differently depending on to who, where and how they communicate with, what to expect and how to interact productively to the benefit of their upstream too, which is the “real price” all so often in open source. it could be that in the company that rolled out the untested product it is seen to be best practice to immediately grab the dev who knows a software and let him help you with whatever you can’t on your own (for whatever reason) whenever you manage to encounter one =]

i assume the pushyness could likely come from their hierarchy. it is not uncommon that so called leaders just create pressure to below because they maybe have no clue of the thing and not want to gain that clue, but that i cannot know, its just a picture in my head. but in a company that seems to put pressure on releasing an untested product to customers i guess i am not too wrong with the direction of that assumption. what the company maybe should learn is that releasing untested and/or unfinished products to live is a bad habit. but i also assume that if they wanted to learn that, they maybe would have started to learn it like roundabout 2 decades ago. again, i do not know for what company that person works -or worked- for, could be just a subcontractor of the named one too. and also could be that the pushyness (telling its for m$, that its live, has impact to customers etc) was really decided by someone up the latter who would have literally no experience at all on how to handle upstream in such situations. hierarchies can be very dysfunctional sometimes and in companies saying “impact to customers” sometimes is likely the same as saying “boss says asap”.

what i would suggest their customers (those who were given a beta version as production ready) should learn is that when someone (maybe) continously delivers differently than advertised, that after some few times of experiencing this, the customer would be insane when assuming that that bad behaviour would vanish by pure hope + throwing money into hands where money maybe already didn’t help improving their habits for assumingly decades. And when feeding everhungry with money does not resolve the problems, that maybe looking towards those who do have a non-money-dependant grown-up culture could actually provide more really usable products. Evaluation of new solutions (which one would really be best for a specific usecase i.e.) or testing new versions before really rolling them out to live might be costly especially when done throughout, but can provide a lot of really high valueable stability otherwise unreachable by those who only throw money at shareholders of brands and maybe rely on pure hope for all of the rest. Especially when that brand maybe even officially anounced to remove their testing department ;+) what should a sane and educated customer expect then ? but again to note, i do not know which companies really are involved and how exactly. from the ticket i do not see which company that person directly works for, nor if the claim that m$ is involved is a fact or just a false claim in hope for quicker help (companies already too desperate to test products before live could be desperate again in need for even more help when their bad habits piled up too long and begin falling on their heads)

the xz vulnerability was done through a superflous dependency to systemd, xz was only the library that was abused to use systemd’s superflous dependency hell. sshd does not use xz, but systemd does depend on it. sshd does not need systemd, but it was attacked through its library dependency.

we should remove any pointless dependencies that can be found on a system to prevent such attacks in future by reducing dependency based attack vectors to a minimum.

also we should increase the overall level of privilege separation where systemd is a good bad example, just look at the init binary and its capability zoo.

The company who hired “the” systemd developer should IMHO start to really fix these issues !

so please hold your “$they have fixed it” back until the the root cause that made the xz dependency level attack possible in the first place has been really fixed =)

Of course pointing it out was good, but now the root cause should be fixed, not just a random symptom that happened to be the first visible atrack that used this attack vector introduced by systemd.

All who could have an idea of what to do with it could seek a way to get that data out of every company or gov that have it for their specific reasons, no matter if data was collected lawful or not, or if access to the data is then lawful or not.

1. search for source of evidences on crime scenes: if one of your relatives happened to have been (related to crime or just bad luck) at a place where later on some evidence was collected, you might cause trouble for them bcs your data is very similar to theirs and that is obvious to laboratories. depending on the the “later on” current state of technology it could affect relatives more than two or three steps away from you. if you live in a country where law enforcement gives a shit about truth and just seeks for one argument to punish just anyone they can point a finger at, that could become a huge problem for the whole family then just because there was data that could have been abused.
2. illegal organ traders could - once they have access to your data - think you or your relatives could be a source of nice income if a client of theirs happen to pay enough. however you will probably never know as the illegal organ traders are unlikely to ring the doorbell to ask nicely for a contract. How much do you think would a richie in personal needs pay for “spare parts” if those who deliver them wants him to just never ask where it came from ? does it matter if such organ teaders could know a “compatible match” by data only? maybe not because they might know tomorrow or someone might put up an AI to do the matching (does it matter if that matching by AI is correct then? i guess such traders don’t really care and their customers probably, but wouldn’t that be possibly too late then?)

For me the latter is actually enough to not willingly give my DNA data to anyone. for no reason. gov might already have it (covid probes had been collected and frozen at least) but actively pushing your data out inzo the world would be insane IMHO.

Laboratories often use Microsoft Windows, Microsoft Active Directory and Microsoft Exchange, thus i personally see no reason to NOT believe that any data they have received once in time would - sooner or later - end up rotating uncontrolled in the hands of uncountable criminals waiting for any chance to make quick or huge money out of it.

looking at the official timeline it is not completely a microsoft product, but…

1. microsoft hated all of linux/open source for ages, even publicly called it a cancer etc.
2. microsoft suddenly stopped it’s hatespeech after the long-term “ineffectivenes” (as in not destroying) of its actions against the open source world became obvious by time
3. systemd appeared on stage
4. everything within systemd is microsoft style, journald is literally microsoft logging, how services are “managed” started etc is exactly the flawed microsoft service management, how systemd was pushed to distributions is similar to how microsoft pushes things to its victi… eh… “custumers”, systemd breaks its promises like microsoft does (i.e. it has never been a drop-in-replacement, like microsoft claimed its OS to be secure while making actual use of separation of users from admins i.e. by filesystem permissions first “really” in 2007 with the need of an extra click, where unix already used permissions for such protection in 1973), systemd causes chaos and removes the deterministic behaviour from linux distributions (i.e. before systemd windows was the only operating system that would show different errors at different times during installtion on the very same perfectly working hardware, now on systemd distros similar chaos can be observed too). there AFAIK still does not exist a definition of the 'binary" protocol of journald, every normal open source project would have done that official definition in the first place, systemd developers statement was like “we take care for it, just use our libraries” wich is microsoft style saying “use our products”, the superflous systems features do harm more than they help (journald’s “protection” from log flooding use like 50% cpu cycles for huge amount of wanted and normal logs while a sane logging system would be happily only using 3%cpu for the very same amount of logs/second whilst ‘not’ throwing away single log lines like journald, thus journald exhaustively and pointlessly abuses system resources for features that do more harm where they are said to help with in the first place), making the init process a network reachable service looks to me like as bad as microsoft once put its web rendering enginge (iis) into kernelspace to be a bit faster but still beeing slower than apache while adding insecurity that later was an abused attack vector. systemd adding pointless dependencies all along the way like microsoft does with its official products to put some force on its customers for whatever official reason they like best. systemd beeing pushed to distributions with a lot of force and damage even to distributions that had this type of freedom of choice to NOT force their users to use a specific init system in its very roots (and the push to place systemd inside of those distros even was pushed furzher to circumvent the unstable->testing->stable rules like microsoft does with its patches i.e.), this list is very far from complete and still no end is in sight.
5. “the” systemd developer is finally officially hired by microsoft

i said that systemd was a microsoft product long before its developer was then hired by microsoft in 2022. And even if he wasn’t hired by them, systemd is still a microsoft-style product in every important way with all what is wrong in how microsoft does things wrong, beginning with design flaws, added insecurities and unneeded attack vectors, added performance issues, false promises, usage bugs (like i’ve never seen an already just logged in user to be directly be logged off in a linux system, except for when systemd wants to stop-start something in background because of it’s ‘fk y’ and where one would 'just try to login again and dont think about it" like with any other of microsofts shitware), ending in insecure and instable systems where one has to “hope” that “the providers” will take care for it without continueing to add even more superflous features, attack vectors etc. as they always did until now.

systemd is in every way i care about a microsoft product. And systemd’s attack vectors by “needless dependencies” just have been added to the list of “prooven” (not only predicted) to be as bad as any M$ product in this regard.

I would not go as far to say that this specific attack was done by microsoft itself (how could i ?), but i consider it a possibility given the facts that they once publicly named linux/open source a “cancer” and now their “sudden” change to “support the open source world” looks to me like the poison “Gríma” used on “Théoden” as well as some other observations and interpretations. however i strongly believe that microsoft secretly actually “likes” every single damage any of systemd’s pointlessly added dependencies or other flaws could do to linux/open source very much. and why shouldn’t they like any damage that was done to any of their obvious opponents (as in money-gain and “dictatorship”-power)? it’s a us company, what would one expect?

And if you want to argue that systemd is not “officially” a product of the microsoft company… well people also say “i googled it” when they mean “i used one of the search engines actually better than google.com” same with other things like “tempo” or “zewa” where i live. since the systemd developer works for microsoft and it seems he works on systemd as part of this work contract, and given all the microsoft style flaws within from the beginning, i consider systemd a product of microsoft. i think systemd overall also “has components” of apple products, but these are IMHO none of technical nature and thus far from beeing part of the discussion here and also apple does not produce “even more systemd” also apple has -as of my experience- very other flaws i did not encounter in systemd (yet?) thus it’s clearly not an apple product.

usually at first you can do such, and later on, when a ceo wants more money, you then can buy that together with the new “pro” features actually nobody needs nor wants.

maybe better look for more stable solutions before they start acting like a broadcom ;-)

Before pointing to vulnerabilities of open source software in general, please always look into the details, who -and if so - “without any need” thus also maybe “why” introduced the actual attack vector in the first place. The strength of open source in action should not be seen as a deficit, especially not in such a context.

To me it looks like an evilish company has put lots of efforts over many years to inject its very own overall steady attack-vector-increase by “otherwise” needless increase of indroduction of uncounted dependencies into many distros.

such a ‘needless’ dependency is liblzma for ssh:

https://lwn.net/ml/oss-security/20240329155126.kjjfduxw2yrlxgzm@awork3.anarazel.de/

openssh does not directly use liblzma. However debian and several other distributions patch openssh to support systemd notification, and libsystemd does depend on lzma.

… and that was were and how the attack then surprisingly* “happened”

I consider the attack vector here to have been the superlfous systemd with its excessive dependency cancer. Thus result of using a Microsoft-alike product. Using M$-alike code, what would one expect to get?

*) no surprises here, let me predict that we will see more of their attack vectors in action in the future: as an example have a look at the init process, systemd changed it into a ‘network’ reachable service. And look at all the “cute” capabilities it was designed to “need” ;-)

however distributions free of microsoft(-ish) systemd are available for all who do not want to get the “microsoft experience” in otherwise security driven** distros

**) like doing privilege separation instead of the exact opposite by “design”

there was a study saying that there is not “the” best way of learning, but it is best to combine multiple ways, like with an app, by book, listening to audio only (i listened to radio stations via internet and got some exercise for free), a bit of talking, visiting a country that only speaks that language and so on. trying everything a bit in parallel.

that is because of our brain learns better when given more different types of “connections” to learn.

i started with duolingo (website only, not the app and only the free parts) 4 years ago and now i speak quite fluently. but i also partly read a book about grammatics, visited a spanish speaking country (more than once), viewed movies with only subtitle in my language and did lots of phone calls in spanish only.

my advice is:

look at free apps, whatever pleases you, take chances, listen to the sound (movies, radio), try to speak, and read easy books or go through exercise books.

duolingo is good to keep on going while not really motivated as the shortest thing that counts are really only minutes and one can choose to do something that is already easy. this way at least continuation is kept even if pace is down for a while. and it is much easier to go on with pace when not having really stopped.

i am happy to have a raspberry pi setup connected to a VLAN switch, internet is behind a modem (like bridged mode) connected with ethernet to one switchport while the raspi routes everything through one tagged physical GB switchport. the setup works fine with two raspi’s and failover without tcp disconnections during an actual failover, only few seconds delay when that happens, so basically voip calls recover after seconds, streaming is not affected, while in a game a second off might be too much already, however as such hardware failures happen rarely, i am running only one of them anyway.

for firewall i am using shorewall, while for some special routing i also use unbound dns resolver (one can easily configure static results for any record) and haproxy with sni inspection for specific https routing for the rather specialized setup i have.

my wifi is done by an openwrt but i only use it for having separate wifis bridged to their own vlans.

thus this setup allows for multi-zone networks at home like a wifi for visitors with daily changing passwords and another fror chromecast or home automation, each with their own rules, hardware redundancy, special tweaking, everything that runs on gnu/linux is possible including pihole, wireguard, ddns solutions, traffic statistics, traffic shaping/QOS, traffic dumps or even SSL interception if you really want to import your own CA into your phone and see what data your phones apps (those that don’t use certificate pinning) are transfering when calling home, and much more.

however regarding ddns it sometimes feels more safe and reliable to have a somehow reserved IP that would not change. some providers offer rather cheap tunnels for this purpose. i once had a free (ipv6) tunnel at hurricane electronic (besides another one for IPv4) but now i use VMs in data centers.

i do not see any ready product to be that flexible. however to me the best ready router system seems to be openwrt, you are not bound to a hardware vendor, get security updates longer than with any commercial product, can 1:1 copy your config to a new device even if the hardware changes and has the possibility to add packages with special features to it.

“openwrt” is IMHO the most flexible ready solution for longtime use. same as “pfsense” is also very worth looking at and has some similarities to openwrt while beeing different.

went through lots of plane accidents to find the one i think to remember, but had to stop as i do not want to increase fear of flying. however i stumbled about this one, Airbus A320 Air France flight 296 on 26th of June, 1988 which was sort of related as some “security” mechs seemed to have prevented crash prevention there and fired discussions. but this one was earlier and it was not boeing (and it looks like no one tried to cover things). however since it was during an airshow, not a commercial flight, i now figured out that the one i remember could have been a testflight, cargo flight or something else like a flight show as well… not sure if i “can” find it, the little i remember.

ok, i have to admit, that i was thinking of google-“services” free phones like the new ones from huawei. but sure android is made by google (but not “owned” by them). however i can try to “rescue” my argument by saying something like “just use a nokia 3310! they’re still working and the batterie should still last a week if not more” ;-)

however projects like lineage os might be a good choice to have threeth (as in more than “both”), more security, less dependency from google, and also more influence on the actual software included in the build, if it’s not even possible to just compile it yourself and have freedom of changing every line of code as you wish.

anyone remember the time when google removed(!) their internal “don’t be evil” rule? guess this is part of the outcome of that “be evil” that came along with removal of the opposite. Abuse of this mechanism is IMHO veery predictable ;-)

There are plenty of google-free cellphones, one could easily stick to better products of better companies. help yourself, google’s not gonna do that for you within the next 5billion* years as they IMHO already stated they “want” to be evil now, always remember that ;-)

*) thats round about when our sun expands too much for earth, so i currently dislike doing any predictions beyond that point ;-) i do not predict google would last that long, only that they’ll keep beeing evil until their end.