chameleon

Acts as access point, if you connect to it from another device you get access to stuff on the SD card (via app or built-in webserver)… at least in theory. Quality varies.

The email ecosystem is changing in recent years but yeah, it’s best to expect that there is at least one opportunity for any given email to be sent over the internet unencrypted. MTA-STS has been slowly changing the landscape but adoption isn’t going all that great.

You go to the settings and verify it. You don’t have to host anything, just verify that you own the domain via text file or DNS record and choose to set it as your handle. Bluesky’s ATProto has a couple extra layers of indirection and it’s very easy to get a custom handle as a result.

The downside of this setup is that running your own complete network is completely impossible. If you want to follow theonion.com, anyone can find did:plc:a4pqq234yw7fqbddawjo7y35 in the DNS without too much work. That’s the identifier for The Onion’s Bluesky account, and even if they swapped back to .bsky.social, that ID number would stay. But that DID tells you absolutely nothing about where the data is currently hosted.

So how do you figure that out? Well, you register it with https://plc.directory/ which is ran by Bluesky and cannot currently be replaced. There’s fancy cryptography involved that makes it hard for them to spoof data, but they are perfectly capable of simply not giving any data out for any given DID.

I’ll freely admit I don’t use that thing and was under the assumption it was feature complete. Regardless, the Android and iOS clients are also open, and I’ve found absolutely no indications that there’s any blobs in the repo or the like.

It’s not and I’m not sure how that article arrived at that conclusion. Their E2EE crypto is problematic homebrew crypto, but that’s very, very different from being closed. The whole desktop client including the implementation of that crypto is fully open source and lives right on GitHub. Plenty of people have independently reviewed it and came back with a very iffy impression of the whole thing.

Really the only difference is that Telegram doesn’t publish their backend, but the one Signal publishes is missing a couple of bits related to their “spam filter”, which happens to take in the source & destination of messages and do anything it wants with them. That doesn’t matter for either platform’s E2EE properties in any case, since distrusting the server is the whole point of E2EE.

Basically yes. Rancher Desktop sets up K3s in a VM and gives you a kubectl, docker and a few other binaries preconfigured to talk to that VM. K3s is just a lightweight all-in-one Kubernetes distro that’s relatively easy to set up (of course, you still have to learn Kubernetes so it’s not really easy, just skips the cluster setup).

Most paid certs aren’t worth much anyway. Payment and delivery info for DV certs isn’t validated by anyone, it’s literally the same concept as Let’s Encrypt. OV and EV are the only ones that theoretically have any value, but nobody is using those ever since they got rid of the URL bar labeling; even Amazon is on DV nowadays.

Gonna add a dissenting “maybe but not really”. YT is really aggressive on this kinda stuff lately and the situation is changing month by month. YT has multiple ways of flagging your IP as potentially problematic and as soon as you get flagged you’re going to end up having to run quite an annoying mess of scripts that may or may not last in the long term. There’s some instructions in a stickied issue on the Invidious repo.

Pretty much every form of these scams is some kind of advance fee fraud. Two more possible avenues:

• “Upgrade to a business account”. They send you an email purporting to be from the payment provider you used saying you need to upgrade to business to receive a payment that large, and the upgrade page is a fake website run by the scammer that asks for a “refundable deposit” or the like (with a little helping of credit card fraud and of course a business account will require all kinds of personal info useful for identity theft too).
• “But I want it as an NFT” was popular for a bit, they want you to “pre-pay the minting fee but it’s ok I’ll add it to your payment” and then they disappear. But they want it on a website ran by them and the moment you put the crypto in they disappear. Not sure this scam is popular nowadays because NFT screams scam to just about everyone for a lot of different reasons. But “rich guy spends $5000 on dumbass NFT” was a legitimate genre of news for a little moment.

It’s all preying on someone that thinks they got an easy paycheck for work that they’ve already done, on a populace of artists that could really use said paycheck to pay for food and are thus willing to overlook weirdness or principles. They also tend to pick on newer and younger artists that haven’t quite figured out how to run a business yet, hoping that they haven’t heard of scams specifically targeted to their sector.

Eh. I’ve been on the receiving end of one of those inboxes and the spam is absolutely, utterly unbearable. Coming up with a better system than a publicly listed email address is on Google at this point, because there is no reasonable way to provide support when you need a spam filter tuned up to such a level that all legitimate mail also ends up in spam.

Personally, I do believe that rootless Docker/Podman have a strong enough security boundary for personal/individual self-hosting where you have decent trust in the software you’re running. Linux privilege escalation and container escape exploits fetch decent amounts of money on the exploit market, and nobody’s gonna waste them on some people running software ending in *arr when Zerodium will pay five figures for a local privilege escalation or container escape. If you’re running a business or you might be targeted for whatever reason (journalist or whatever) then that doesn’t apply.

If you want more security, there are container runtimes that do cooler security stuff under the hood, like Firecracker/Kata Containers implementing a managed VM, or Google’s gVisor which very strongly intercepts kernel syscalls and essentially reimplements Linux in userspace. Those are used by AWS and Google Cloud respectively. You can integrate those into Docker, though not all networking/etc options are supported.

That’s because they had a lot of people “buying the dip”. CS is in a very similar position to SolarWinds during their 2020 security slipup. The extent of managerial issues there should’ve been unforgivable but unfortunately they got away with it and are doing just fine nowadays.

Realistically, immutability wouldn’t have made a difference. Definition updates like this are generally not considered part of the provisioned OS (since they change somewhere around hourly) and would go into /var or the like, which is mutable persistent state on nearly every otherwise immutable OS. Snapshots like Timeshift are more likely to help.

For that card, you probably have to set the radeon.si_support=0 amdgpu.si_support=1 kernel options to allow amdgpu to work. I don’t have a TrueNAS system laying around so I don’t know what the idiomatic way to change them is.

Using amdgpu on that card has been considered experimental ever since it was added like 6 years ago, and nobody has invested any real efforts to stabilize it. It’s entirely possible that amdgpu on that card is simply never gonna work. But yeah I think the radeon driver isn’t really fully functional anymore either, so I guess it’s worth a shot…

.eu has custom rules for whois. You’re not allowed to use privacy/proxy services for anything other than the mandatory publicly shown email field, but for domains registered by an individual, that email field and the user’s preferred language are the only things displayed. They’ve had those rules even prior to GDPR.