if you control your infra end to end, why do you need SSHFP? You can have all your servers publish their keys into LDAP automatically and then those can all be injected into the known_hosts on every admin's workstation. This is how I've seen it done. You always know the correct public keys for every server and don't have to involve DNSSEC in the mix.
If the attacker can get enough control to mess with those LDAP records DNSSEC wouldn't have mattered, they probably could also gain access enough to change the SSHFP records too.
I could see SSHFP being useful for internet facing sshd, but just put it all behind a VPN and then I think it doesn't matter as much anymore except in the most extreme security-sensitive scenarios.
@feld Well, that's another way to distribute them. You don't need DNSSEC, but you do need competent admins, and ldap distribution is one way to not require the user to do key verification.
One advantage SSHFP records is that openssh has the verification integrated, so you don't have to do extra work on the user's workstation.
automating getting those records into DNS is probably just as hard as getting them into LDAP, so it's only the distribution and verification that's harder with my suggested method
Если верить Платону, человечество потеряло способность мыслить, когда бог Тот подарил египтянам письменность. Не знаю, смог бы я с ним подружиться, но тут он точно не прав. Имхо, всё развитие человечества происходит скачкообразно — в моменты, когда мы находим новые способы обработки информации: изобретение письменности, книгопечатание, математическая нотация, компьютеры и вот теперь ИИ
Looks like I got parodied yet again a couple days ago. If you received a follow request from it, it was most definitely not from me, but rather a certain troll who is, I'm sure, very upset with me at the moment. Anyway, as a reminder, this account I'm writing from is genuine. You can look at my profile to be certain; it's got significantly higher numbers than the parody one.
I did report the parody account a couple days ago, but suspect it hasn't been suspended yet. It goes without saying, but this guy really needs to get a life.
I agree, even I have better things to do with my time than parodying Mastodon accounts, as I'm sure is true for most of the sane people who walk this planet.
@celrock Agreed. I did tell the troll that he did not have my permission to parody me during a conversation in The Global Voice's chat room, but it made no difference. He's now been permanently banned from the room for violating its rules and inappropriate conduct.
Good for him. I'm glad he's been banned somewhere at least. Hopefully, he'll run out of Mastodon instances to use to keep up his strange and disturbing hobby.
@carrottop1023 @celrock We've all had enough of him, believe me. Thankfully, we've got things squared away with the chat room, so we can now deal with situations like this more quickly.
o yea. for a domain I moderate, I had to suspend an impersonation account of the admin, whichjust happens to be this domain. he didn't sign up, but Chris only uses this domain, and the guy impersonated him on another instance.
@adisonverlice Believe me; you're not the only one. I even told him in a conversation in The Global Voice's chat room that it was getting old and nobody wanted it, but he refused to stop. We permanently banned him from the room immediately thereafter.
yeah. in fact, I just got a tip from, you would't believe it, mastodon themselves, that there was another impersonation account. I don't know how the hell I got this tip as i'm not sure reports can come here unless they're on this server or from this server, so I don't know how the fuck I got this report, but there was another impersonation account that I had to suspend. 1 after another...
@adisonverlice That's interesting about the tip, but I'm not at all surprised by the multiple accounts popping up like that anymore. I actually just disabled email notifications for both my account and The Global Voice's one that I manage. I'll get around to any follow requests when time permits.
I was just surprised that I got an account from mastodon themselves. that's something I didn't expect. I thought you could only send reports from this server to the server your'e reporting, not to every single person
I love Joplin so much. I set up the selfhosted Joplin Notes at some point, and I have never, not even one time, had to touch it. It updates itself, it doesn't crash, it doesn't take up enormous amounts of system resources for no reason, and all the apps just work with it on my Windows, Mac, and IOS computers. I've even got other users on it, and it works just fine. And the apps are also good. Offline? No problem! You can still look at the last version of your stuff. Need to publish a quick, well-formatted single page to the web? Done with a snap!
Ah, gotcha. ...Honestly, we're pretty awful with Docker and I don't think @quinn or I even knew what Watchtower was. Docker's one of those thigns we were dragged into kicking and screaming.
@nick@quinn You could also run cosmos-cloud.io. It'll run and update your dockers for you, configure your reverse proxies, manage your SSL certs, etc. But the nice thing is it uses the standard methods to do all of those things, so unlike other server management GUIs, you can do stuff via the command line or via cosmos-cloud and it doesn't matter.
I've been working with Docker and related tools for years; I even started playing with Docker before it reached 1.0. And this thread might be only the second time I've heard of Watchtower.
@matt@nick@quinn to be fair, it's not something you should do in an enterprise environment. In general, updates for things that aren't your hobby need to be deployed to staging, tested, and only then pushed to production. Watchtower just does an in-place update of the containers. But that's fine, and probably even better, for hobby projects.
Guess who found a random battery under his bed, and guess what handheld amateur radio that it is a secondary battery for? Yup, it was I who found the battery, and it is the second battery for the Radioddity G77 radio. How thoonking exciting, LOL. I think I will charge it up, and see if I can get a nice couple of thoonks out of it on ASL #55553, LOL.
Well, there are no doonking MicroSD cards here. I guess I could record some nice doonks with my Kenwood TH-D74 or my Icom IC-R30, both of which can record to MicroSD. Then the whole thing would work.
Whoever at Microsoft decided we needed a global Windows keystroke to launch Linkedin in the default browser, may you spend the rest of your mortal existence walking barefoot across floors made of legos with the pointy bits facing up.
I've been using IndentNav for a while to write Python. Recently I installed BrowserNav and now get way more positional info about HTML elements. It took some getting used to, but now the beeps and tones help me get an idea of the physical layout of a site or electron interface. It's similar to IndentNav, but it has more rules and works with web browsers instead of being focused on code in a text editor. Positioning is one of the pieces of information that I forgot how much I miss from my sighted days. It's especially helpful with API reference docs that rely on positional encoding. Since there's more info in the browser, I only have beeps instead of precise indentation levels to get a general idea of the structure #blind #nvda #nvaccess #browsernav #indentnav #accessibility #code
Hi @NVAccess I am planning to take the NVDA Expert 2025 Certification soon and have a question about purchasing the certificate. I have read that I can also have my details included on the page. Is this an all or nothing thing, or can I choose which details are listed on there? Thanks!
Great question - you can choose which details are publically included, and they don't necessarily need to be the same contact details as in your user profile
Perhaps November would be a good time for California to withhold taxes from the Federal Government and instead send money directly to states to cover their SNAP programs? That would be a very amusing development RT: friedcheese.us/objects/052ae3f…
For a while now, I've been trying to figure out why certain VST plugins would completely crash Reaper, or at best, break the entire plugin stack, which would at least give me enough time to save a project.
Turns out the problem was a virtual display driver I installed a while back, which apparently has some weird conflict with the AMD graphics driver on this laptop.
When certain VST plugins attempted to render their on-screen interface, bad things happened, and error code 87 occurred.
Add virtual monitors to your windows 10/11 device! Works with VR, OBS, Sunshine, and/or any desktop sharing software. - VirtualDrivers/Virtual-Display-Driver
@twynn I don't have the error message handy, but looking it up, apparently, it's somewhat common with autocad and AMD drivers. This laptop has AMD Integrated Graphics, but also an NVIDIA RTX-2060. So, I thought "hmm, have I done any other display related things other than updating the NVIDIA driver lately?" Only thing I could think of was that virtual driver. So I removed it, and everything's cool now.
A combination of looking up simptims associated with the error code and remembering that I installed that display driver around the time things started to break.
Apparently, it's a common problem with rendering apps, like autocad.
Discover how HumanWare is bringing AI-powered navigation and assistive technology to Meta’s Ray-Ban smart glasses. From “Follow Me” guidance to street-crossing detection, this is the future of accessible wearables.
The lack of object-selection / background removal being built into Linux/BSD desktop tools (gimp, krita, etc) is frustrating when you're used to those things just being there by default
Chatmail provides FOSS infrastructure for interoperable, secure, speedy and reliable end-to-end encrypted messaging. Check out clients as Arcane Chat, Bots or Delta Chat today!
@pertho I have a public Chatmail server and people I don't know have made accounts on it. I also have another running in South Africa under the domain e2ee.wang
When multi-transport is finished basically everyone's public Chatmail server will be routing messages for anyone who needs it. I've also brought up the possibility of using LoRa or Meshtastic type radios connected to the server to allow people under censorship situations or during internet outages to still be able to route low bandwidth messages to another Chatmail server which can then forward it on and deliver to the intended recipient.
@hub what I find incredible is that this type of catastrophe isn't the norm already, but maybe we're getting there now that AI is reinforcing the good old cost cutting
If only there was a federal Government that could put forth some privacy legislation to protect Canadians. But I guess the industry lobby doesn't want it.
A legal battle could soon be taking place in the gaming world after a proposed class action lawsuit claims that certain games are gathering children’s data without parental consent.
A legal battle could soon be taking place in the gaming world after a proposed class action lawsuit claims that certain games are gathering children’s data without parental consent.
Idea that just popped into my head: A cloud storage service or application which transparently makes use of lossless compression, potentially offloaded at least partially to the user's machine, and only bills you for the space taken up by the compressed file, while leaving all files uncompressed on the user's own file system. If compression and decompression take place at the client end, this reduces bandwidth. Obviously compressed data like zip files, and anything already using lossy compression like mp3s, is passed through unchanged. Known good compression algorithms and lossless transforms are used for certain kinds of data, E.G. WavPack for wav and some AIFF files, or flac if it can give bit-exact copies of every chunk, BMP automatically converted to/from PNG, etc. Something like brotli or zstandard for the rest, potentially with user-specific dictionaries which build up over time with their file history. For some users, it has no benefit at all as they're likely to already be handling compressed files, JPEGs, MPEG4 videos etc, but for others, it provides primarily a method of convenience, they don't have to manually get all these tools involved to maximize their storage potential with certain files, and they don't have to constantly convert back and forth with a copy elsewhere if they need to, say, actually work with the raw wav file for whatever reason.
you can take this idea much further and hash the user's files clientside, and then use ref couting instead of uploads if two users turn out to have the same file.
Interestingly enough, this approach potentially puts you in legal hot water in the US due to weird quirks about how music copyright works.
There's no birthday problem with something like sha256. There are more values than atoms in the universe. Even md5 is resistant to birthday paradoxes I think, as long as inputs are random and non-advbersarial.
Mastodon is quite silly. It almost looks to me like looking at a trunk line of conversations. Or perhaps a trunk radio system. There is little to no flow to anything, parts and snips of conversation are everywhere, and a lot of things are unrelatable, even with the fetch all replies feature. Sometimes it works, sometimes it doesn't. Not to mention the annoyance of having to open each thread to check what's available, every, single, time... And even when it appears to be working, and you've opened the thread, and you're seeing replies, you're still left scratching your head, well did it really fetch everything? Is there more to the story? However, the Mastodon project sure is actively and vibrantly being maintained and enhanced, so I am hoping threading becomes a greater focus and increased reliability comes in the near future. #AmusedAnnoyedRamblings #Mastodon
“Billions of atoms, spinning at random, expending energy, running down, achieving nothing.
“Entropy, like the stars. But what is the one thing that stands against entropy, against random decay? Life. See how the atoms are arranged here? They have meaning, purpose.”
Toronto friends: The Rocky Horror Picture Show with live audio description The Disability Collective presents! Let's do the time warp again! Back by popular demand, don't miss a screening of the cult classic The Rocky Horror Picture Show featuring audio description by JJ Hunt, and an all-Deaf shadow cast at Buddies in Bad Times Theatre on October 28th and 29th at 8 pm! Come sing, dance, and sign along to kick off your Halloween! Damnit, Janet! Let's make Halloween accessible! You can visit this link for pay what you can tickets, and or email Ali Hand ali@thedisabilitycollective.com to reserve an audio description device or for further support. showpass.com/the-rocky-horror-…
October 28 + 29, 2025 // 8PM PWYC: $5-$50all prices + fees
Let's do the time warp again! Back by popular demand, don't miss a screening of the cult classic The Rocky Horror Picture Show featuring an all-Deaf shadow cast! Come sing, dance, and sign al…
The following is a guest post from Drupal Accessibility Working Group maintainer Mike Gifford. The digital world is becoming increasingly regulated, and for good reason.
If you want to understand how untenable, radically new, and ridiculous the anti-trans idea of gender is, just consider Laker Jackson. He's an eighth grader in Arizona that is no longer allowed to participate in sports with his peers or use the boys facilities, despite having done so his entire life up until now without issue. He's a kid just trying to play sports with his friends and pee in peace.
He's also not trans.
Laker is a cis boy, but his birth certificate listed his assigned gender at birth as female. Because of anti-trans laws, his family can't correct the problem. Literally just a clerical error is all it takes for the government to decide, against all reason, that Laker is a boy.
Congratulations, the government now gets to decide your gender. That's a new power that the far right has decided the government should have over the past few years.
This is a repository of apps to be used with your F-Droid client. Applications in this repository are official binaries built by the original application developers, taken from their resp. repositories (mostly Github, GitLab, Codeberg).
feld
in reply to John-Mark Gurney • • •if you control your infra end to end, why do you need SSHFP? You can have all your servers publish their keys into LDAP automatically and then those can all be injected into the known_hosts on every admin's workstation. This is how I've seen it done. You always know the correct public keys for every server and don't have to involve DNSSEC in the mix.
If the attacker can get enough control to mess with those LDAP records DNSSEC wouldn't have mattered, they probably could also gain access enough to change the SSHFP records too.
I could see SSHFP being useful for internet facing sshd, but just put it all behind a VPN and then I think it doesn't matter as much anymore except in the most extreme security-sensitive scenarios.
John-Mark Gurney
in reply to feld • • •@feld
Well, that's another way to distribute them. You don't need DNSSEC, but you do need competent admins, and ldap distribution is one way to not require the user to do key verification.
One advantage SSHFP records is that openssh has the verification integrated, so you don't have to do extra work on the user's workstation.
feld
in reply to John-Mark Gurney • • •feld
in reply to John-Mark Gurney • • •Kevin P. Fleming
in reply to feld • • •feld
in reply to Kevin P. Fleming • • •you're missing out on the fun of LDAP+Kerberos
also sudo's support for storing the rules in LDAP is great. Any rule change is instantly reflected globally