This is a repository of apps to be used with F-Droid. Applications in this repository are official binaries built by the original application developers, taken from their resp. repositories (mostly Github).
I think this is good advice. Wondering if it’s really worth getting the Developer account for engineers reading my reports or not. Thinking of getting it for the betas. Don’t want to lose that fun tradition. Report bugs effectively - Discover - Apple Developer developer.apple.com/news/?id=k…
Cisco warned customers today of four critical remote code execution vulnerabilities with public exploit code affecting multiple Small Business Series Switches.
Cisco warned customers today of four critical remote code execution vulnerabilities with public exploit code affecting multiple Small Business Series Switches.
America is a world leader in allowing private companies to levy taxes on its citizens, including (stay with me here), *a tax on paying your taxes*.
--
If you'd like an essay-formatted version of this thread to read or share, here's a link to it on pluralistic.net, my surveillance-free, ad-free, tracker-free blog:
FOR IMMEDIATE RELEASE- Purism has added a new model to the Librem L1UM product line with new hardware designed to protect infrastructure, including critical infrastructure.
Purism makes premium phones, laptops, mini PCs and servers running free software on PureOS. Purism products respect people's privacy and freedom while protecting their security.
How long till the state outlaws it and arrests the company for selling this in the name of stopping child abuse? Joking... I hope, at least for now luckily. Thanks again for everything you've done to protect the core of an open #internet in the face of an unprecedented onslaught by world governments! ❤️ #Librem #Purism
Easily extract RSS feeds from Apple Podcasts / iTunes, Google podcast, SoundCloud and blogs / websites with GetRSSFeed. Discover and subscribe to your favorite content in seconds.
As many of you know, there's been a few focused attempts at spamming the fediverse with crypto offers. The wat this is currently happening is that someone is registering hundreds or thousands of accounts on an instance (first it was mastodon.social, and most recently mastodon.world) and then proceeding to post messages with links to get your free crypto. These messages are sent using the "mentioned people only" visibility setting, meaning that if you're not tagged in them, you don't know that this issue is happening. It's unclear how spam victims are selected, however it's very likely collecting user names recently appearing in timelines.
Obviously, just like with spam and malicious emails, if you receive one of these messages, you should not click on links - at best it's a scam, and at worst, it's something that will attempt to steal passwords or install malware - usually for the purpose of stealing your identity, your money, and so on. If you receive such a message, simply use the reporting function on your instance to report the spam to your moderators and the moderators of the originating instance.
For this particular tactic, it is prudent to consider disabling direct messages from people you don't follow. To do that, go to settings, preferences, notifications, and check the box next to "Block direct messages from people you don't follow" at the bottom of the screen. It's also possible to block the domain of the spammers, however it's important to note that doing so will remove all your followers and follows on that domain.
took me almost 5 minutes to work out that on mobile you need to open Mastodon in a browser, click settings, then click the hamburger, then click notifications to find this disable DM button. No option in @Tusky from what I could see..
I've been handed a huge archive of sound effects from the Sunset Editorial collection, as well as the "Red" and "Gold" libraries, which were donated to USC Cinema in 1990. Additional split-apart versions will go up, but this is 20+gb of .wav files from original tapes!
From the original Blog Post:The “SSE” sound effects come from the Sunset Editorial collection which was donated to USC Cinema in 1990. Sunset Editorial had...
In the original 6265 as well as in the latest 6265bis draft, this paragraph exists: When the user agent generates an HTTP request, the user agent MUST NOT attach more than one Cookie header field. ...
multi header cookies has been a PITA in the js community for a while, specifically behaviors with header getters (eg deprecated getAll method from our Headers instances used by fetch, our primary http mechanism). It would be beneficial to do away with the edge case IMHO. I support your single header suggestion.
Hi, I have a set-cookie-parser library and I got a report that it fails when parsing fetch responses that contain multiple Set-Cookie headers. Looking through the spec and the output, I see that it...
Can you quickly tell which of the URLs below is legitimate and which one is a malicious phish that drops evil.exe? This week, Google launched a new TLD or “Top Level Domain” of .zip, meaning you can…
Web Design References: News and info about web design and development. The site advocates accessibility, usability, web standards and many related topics.
My favorite part of Altman's Senate testimony: "we noticed ChatGPT spits out falsehoods, propaganda, hate speech, and bomb-making instructions, so we edited the training data to remove erotica."
Accessibility of web content requires semantic information about widgets, structures, and behaviors, in order to allow assistive technologies to convey appropriate information to persons with disabilities.
LibreOffice 7.6 will be released as final in mid August, 2023 ( Check the Release Plan ) being LibreOffice 7.6 Alpha1 the first pre-release since the development of version 7.6 started in mid December, 2022.
Ya comentamos por aquí hace algunas semanas que un proceso de #oposiciones en Catalunya se ha saldado con la cabeza de la responsable de Funció Pública por haber delegado el trabajo en una empresa privada (spoiler: sale de pena).
Segunda parte del drama. Misma empresa, otra vez liadas máximas, esta vez en el Metro de Madrid:
"Denuncian notas matemáticamente imposibles". CEO creativo con Excel: bueno, esa será tu opinión.
Los opositores a las plazas de maquinista y jefe de sector en el Metro de Madrid denuncian irregularidades en el proceso de selección celebrado el 23 de abril. Un concurso...
Recordar que la cesada había entrado en el cargo cuando el concurso para la realización de las oposiciones ya había sido licitado y adjudicado sin que tuviera nada que ver con ello.
No, si cortar cabezas políticas está muy bien, particularmente cuando la administración tiene medios para hacer lo que se externaliza. El problema es que la cabeza cortada era inocente ya que se encontró con todo el pescado vendido. Es a eso a lo que me refiero.
Me meto por meterme, porque no tengo vista del expediente ni mucho menos, pero cuando un contrato se ejecuta mal también se puede resolver y secuestrar la garantía, algo que la administración hace en demasiadas pocas ocasiones. También hay mucha negligencia, o directamente complacencia, en recibir cosas mal hechas.
@modulux La suerte es que todos estamos de acuerdo en que lo ocurrido fue una cacicada y que ni la administración ni la empresa implicadas van a pagar por ella.
Luego nunca se sabe si al final alguna cosa prospera, pero mi deseo es que haya un poquito de susto y que no se externalice (mucho) más por miedo a que haya otra de estas.
En mi admin se llegó a externalizar la redacción de un decreto. Que después quedó como el culo y se tuvo que corregir por los propios servicios que lo deberían haber redactado en primer lugar.
The reason I'm suggesting this, is because if you are a small/medium instance with open registrations, and spammers find and abuse your instance, I imagine that other instances will limit/suspend your instance without hesitation, given how willing some were to limit/suspend the much larger mastodon.social.
But do note this comment on the PR:
“To give some context to people seeing this: this is an emergency feature backport from Glitch SOC to help mitigating an ongoing spam wave, this feature may not make it in a next release, or with significative changes.”
Add optional hCaptcha support.
Whenever the environment variables HCAPTCHA_SECRET_KEY and HCAPTCHA_SITE_KEY are set, the admin can enable hCaptcha:
When enabled, users are shown a captcha when con...
Please, please do not do this under any circumstance, if you care about your instance being accessible to the #blind and visually impaired (hint, you should).
#HCaptcha is a horrible example of how not to implement a #captcha solution, forcing people to register their email address and store a cookie, as well as disable cross origin restrictions on their devices in order to pass validation.
There are much better alternatives, such as the no-hassle github.com/mCaptcha/mCaptcha, which does not need any user input other than checking a checkbox. Alternatively, use captchas that provide text versions, e.g. via solving a math question or at the very minimum, provide an audio version, knowing that it is not ideal for the hearing impaired.
A no-nonsense CAPTCHA system with seamless UX | Backend component - GitHub - mCaptcha/mCaptcha: A no-nonsense CAPTCHA system with seamless UX | Backend component
They have made an improvement, at least discord wise. I know they use that one, and there's probably an upgrade that gives text questions. I had luck with it a few times, but no further sites that I found using it, so don't know where to test.
As far as I know, companies who use it need to ask HCaptcha to enable the alternate text version. Even then, it may or may not pop up, for example to me it didn't pop up either on Discord mobile or on desktop, so right now I am not even able to log in to discord, even though I have an account I have used for years.
Specifically having to ask a company to provide an alternate solution when they are aware that there will be people who are unable to log in otherwise is just disgusting. You not only have to rely on a company (or possibly an individual) to do this, but also on HCaptcha. It is beyond ridiculous and it is certainly unacceptable. Hcaptcha is aware of this, and for years they have been telling us that there will be improvements, but they always choose the easy way out, which is, needless to say, not designed for the end user in mind. We are talking about just a Mastodon instance here, but imagine if this blocks you from accessing vital information that you wouldn't be able to otherwise. Health data, managing your passport or ID card on a government's site, hospitals, etc.
Nope, there's absolutely no guarantee that a text captcha for HCaptcha will pop up. I have checked on multiple devices, and many people I know have done the same. Only the regular image captcha is available. For some other people, the text captcha is available.
To my knowledge, mastodon.social does not have a captcha, at least it does not pop up here. When you create an account, the only checkbox that shows here is for indicating that you are agreeing to the privacy policy and terms of use.
Not here. No matter what I do here, it just does not pop up. I've cleared cookies, tried private browsing, desktop app, iOS app, email verification (which I have done years and years ago too), used multiple operating systems, multiple browsers, multiple Discord versions, even a VM, it just does not pop up.
I find that logging into Discord, as long as you're logged in on your phone, you can log into other devices using the QR code. You have to play with it at bit, but once you get it, it stays.
I do not speak German, but honeypots should work, as long as it is obvious to a screen reader user what does not need to be filled out or interacted with in general. For example, 'Check this if you are a spammer'. Simple solutions like entering commonly known information (like current year) are also effective.
Honeypots are great as long as the site hosting them is not targeted specifically.
Pitch bec6a1c has introduced hCaptcha support. This means that Mastodon transfers personal data to the USA (the user is forced to send a request and therefore their IP address to a USA-controlled d...
This is great, thank you. I don't get it though, they have implemented HCaptcha as an emergency feature, yet they state that they are aware of the accessibility implications. So basically they are saying that yes, we know that you won't be able to sign up or verify that you are a human, but still, have it because this is an emergency.
The correct way to handle this would be to say that yes, we are aware of the accessibility implications, so we do not implement this at all, but rather look for something else, because they exist. HCaptcha can be bipassed, see chrome.google.com/webstore/det…, so this is really not about finding an effective solution.
I would love to see an "open captcha" solution, that would be open source and privacy preserving. First step would be to collect requirements. For example, have solutions for people who cannot actually read the images (or hear sounds). Respect privacy by allowing servers to implement the test locally, without relying on third party. And of course be robust even if the code is public.
mcaptcha uses proof-of-work, which has lots of advantages but has also known issues. Big-iron computers can solve the puzzle much more quickly than small devices like cellphones, without depleting their battery. But it is sure better than passing user tracking data to Google...
I am a bit concerned that mcatcha solves a generic DDOS defense problem by imposing cost to the bots, which is different from "verify there is a living human behind the keyboard." Take the case in point, spammers creating bot accounts on "mastodon.social". Yes, they will have to spend a couple seconds of CPU time per account created. Is that going to deter them from creating a few thousand accounts?
I believe the difficulty can be increased to add more work, for example FriendlyCaptcha uses 10 seconds, which is enough time to fill out a form.
None of the captcha solutions will stop spammers if they are really determined, for example a lot of spam is created by hiring humans to solve captcha challenges. I look at this similarly to software cracking, since everything can be cracked there is no point spending time and effort to create the most foolproof defense, but rather something that makes it not worth it. Similarly to captchas, the cost to value ratio is what matters I think.
So in this light, a few seconds that can be spent on creating hundreds or thousands of new accounts is quite important, especially if the difficulty goes up and more time is added for each new challenge.
Every time I see talk about captchas, I'm reminded of that time when I needed to take remote control of a blind friend's computer to solve a captcha for them so they could register their account for...
Agreed. It's nothing more than a dirty work-around. I think it's kinda like when I run into the Nth form that requires to declare whether I'm a "Mr." or a "Mrs." without any other options and I think, fuck it, no spoons for this battle now, and just go for "Mrs."
MCAPTCHA is what servers like Calckey and Pleroma need to implement; Pleroma's even worse than Calckey; at least with Calckey, they use a solution that's workable, though a PIA. for Pleroma, the solution doesn't have any alternatives.
I agree with the impaired vision comment but hcaptcha does not require email nor disabling protection for me. Maybe they simply love me so I'm the someoone cannot imagine they do the things you described. 😉
That's because you can solve their image challenges. If you are blind or visually impaired, the only way to bipass it is to either register your email address, after which they give you an extra cookie to bipass the captcha when you check the checkbox, or companies need to ask HCaptcha to allow text versions and even then there is no guarantee that it will pop up as an alternate challenge (see my problems with Discord).
If you go with number one, you need to disable cross-origin restrictions, essentially making your browser less secure. You are not only giving out your email address, you need to store an extra cookie over and over again, because it expires. You are also limited to solving a number of captchas daily. Needless to say, there are so many things that are just horribly wrong with either of these approaches.
You are right, I did not specifically point out that this is only true if you are blind or visually impaired. But it follows from the fact that I recommend not using HCaptcha if you care about the blind and visually impaired, because of point a and point b. Sorry about the confusion.
Their V2 works, if you speak English, since they provide audio captchas. V3 works as well, since you don't need to do anything to verify. But they have their fair share of problems, for example your IP being flagged for abuse even though you did not do anything abusive at all. But that's a different story.
It's not only blind and visually impaired, though, what about blind deaf people? Them too. Or all the captcha companies who actually forget about the existence of those folks. I see only audios audios audios. Okay, they help us, the blind, but about those who're blind deaf, or blind and hard of hearing? That's not going to help them. Very little captchas actually have text options.
Of course. Text captchas are likely the most accommodating, if you don't count people who might find answering text challenges difficult. This is why I prefer captchas that need no, or very little interaction at all. Mcaptcha is one of these, which is why I recommended it.
I tried to register the other day on a web forum and they required me to move attributes of a shark to the right and others to the left. I have failed three times and were firewalled. Turns out English call the rear fin of the shark as "tail". 🤷
The accessibility of hCaptcha is very, very bad, requiring registration, a permanent cookie, and lowering browser security settings. This is an awful solution. Yes, I understand it's necessary to combat spam; but please don't do this at the expense of disabled users.
@talon Absolutely shocked to see this, very poor decision by Mastodon maintainers to merge this in and recommend admins use this to combat spam. Totally understand that something needs to be done to prevent spam bots from registering, but doing so at the expense of severely reducing accessibility is deeply concerning.
Especially when this whole thing could be solved by making the instance invite only. There are enough users to generate invitation codes that will keep the sign-up flow moving if that’s what they want. It also allows for easier growing of networks because you can set the invitation link to automatically follow you. I saw this coming a mile away and this is why I constantly bang the drum of closed small instances and teach others how to use their invite codes. This will become far worse
Invite-only puts a pretty hard cap on growth. A couple potential random ideas, and I realise they're not going to be perfect, but humans can create spam too.
Do not allow links on the first toot. Do not allow DMs for n hours after registration or until a DM has been received from another account.
And, of course, the easiest of all: allow people to limit DMs to followers.
The 2nd wouldn't really help: Many of these spam bots had registered weeks and months ago and lay dormant for that time.
The 3rd is already possible, though poorly implemented: senders - including good faith ones - receive no feedback, if the recipient has blocked DMs - they just think the recipient is ignoring them.
Right, I was referring to that issue, blocking DMs but not silently. Of course that might just move the spam to the timelines, but it'd be easier to detect there.
"You may wish to consider implementing hCAPTCHA yourself to protect your own instance," Please note that if you do this, it will prevent many blind people from signing up onto your instance. hCAPTCHA does not have an audio version; instead, if you cannot complete the visual version for whatever reason, you have to give them your email (!), so they can send you a link to a site for setting an accessibility cookie. This cookie frequently does not work at all. It has a time limit before you can set it again, so if it fails to set, or if you close the browser and have automatic deletion of cookies enabled, as you should, you'll just have to wait. And of course, it only works within browsers, not applications; Discord is an excelent example of a non-passable captcha. Enabling application signups is a much more accessible way of avoiding spam. If this is something the admin team cannot handle, it is time for going invite-only.
EXCLUSIVA | Un informe oficial alerta de que Doñana solo podrá salvarse si se reduce a la mitad el agua que se extrae para regadío.
El documento, al que ha accedido elDiario.es, revela que el parque nacional cuenta con la mitad de agua que hace 40 años no por efecto de la sequía, sino por el "mayor bombeo" de agua para la agricultura eldiario.es/sociedad/donana-po…
A Doñana no le ha faltado agua, sino que se la han quitado. En cuatro décadas, mientras la extracción de los acuíferos para riegos se ha multiplicado por seis, el agua que ha llegado a los ríos y humedales desde los depósitos subterráneos ha caído a …
On each episode of The Moment, I speak with a different guest about an individual moment in an episode of Doctor Who that they have a lot to say about.
The show is currently on hiatus, but it will be back soon! I hope to have more info for you in May 2023.
In the mean time, why not listen to an episode from our archive? They're all good!
Each week on The Moment, I speak with a different guest about an individual moment in an episode of Doctor Who that means a lot to them: something that really had in impact on them, or that they had a strong reaction to, or that they think a lot abou…
I'm Daniel Stenberg, maintainer and lead developer in the curl project. I stream curl related stuff. Release presentations, curl development and related topics.
Freshly compiled, will watch that when eating breakfast my @opensuse meeting today got cancelled as @SUSE people are having internal conference in Prauge this week
stormdragon2976 pushed changes to the master branch of the linux-game-manager project Alert function from audiogame-manager added. Used for when password may be needed to extract TobyMod to proper location.
It's a really great day when a company allows you to be one of the very first to make a video about a new product. #FractureSounds release Spotlight Piano for #Kontakt. I’m happy to bring you a #playthrough of my favourite presets (not the entire library however). I’ll show you the sounds I enjoy the most, and take you through almost all of the #NKS mapping, apart from an oversight where I forgot to discuss the microphones on page 1, due to the second page capturing my attention. #InspiredBySound - Fracture Sounds - Spotlight Piano: youtu.be/z2FwvW5PmVs
Welcome to this playthrough video of my favourite presets from Fracture Sounds Spotlight Piano for Kontakt.In this video, I take a look at the NKS parameters...
BREAKING: #Google to start deleting unused #email accounts so other people can use them.
Brandon
Unknown parent • • •Brandon
in reply to Brandon • • •