xkcd__386 (u/xkcd__386) - Reddit

I have resisted getting on the "passkey" train precisely for this reason. Usual advice is "buy 2 Yubikeys" but (a) it's a pain to keep both of them updated when you add sites and (b) I'm the kind who'd lose both. (So "buy 3"? Where does it end?)

But this has changed now, and I am planning to dip my toes in. My password manager of choice (KeePassXC) has supported passkeys for some time, but the Android version (KeePassDX) has not had support... till very recently.

So I may just give it a shot



hope is that whoever you're sending it to is trustworthy

I like your optimism and faith in mankind. It's nice to know there are people like that still around, in this jaded, cynical, suspicious world :-) God bless you, my son!

/s

Jokes apart, I don't see how something you said in an earlier comment:

full disk encryption only protects your data from someone physically pulling out the drive and reading data off of it

does not fit the desktop repair scenario. To me it's the same thing, so the same precautions should apply.


there are multiple incidents like this

(I skimmed the entire issue at https://github.com/bitwarden/clients/issues/14160, including the resolution.)

This kind of thing is always a "when" not an "if" with cloud based services. Sure the same thing can happen with my choice of pwm (KPXC/KPDX), but at least I have the option of rolling back to a previous version of the software if required. You don't have that option with a cloud service!

PS: unless you self-host, of course, but then that is a whole other set of responsibilities I personally have no time for. Syncthing and KPXC/KPDX work in a "set it up and forget about it" manner.



better than yours? In my sleep.

Better than his? Only subjectively (sorry for using big words), because it's essentially the same thing he's doing:

find -maxdepth 1 -type f -printf "mkdir -p %TY-%Tm; mv -v '%p' %TY-%Tm/\n" | bash

PS: I didn't realise I had not blocked you, like I block everyone like you (i.e., based on post/comment karma ratio). I will wait a couple of days for you to see this comment, then I will block you. (Or if you reply within those 2 days, which tells me you have seen this.)


For a desktop machine it doesn't add anything useful, unless you assume someone's going to break into your house

very useful when you have to give the machine to a repairman (for people like me who are not handy with the tools to pull out the hard disk before giving it to him).

also useful if you want to return the hard disk under warranty and get a replacement



you're arguing with someone who apparently uses other comments you made on other threads against you in this thread. It takes a special kind of individual to do that!

and he completely missed the point that they've jumped from "adware" to "nagware", if I may reduce the issue to one-word descriptions. Regardless of whether YT was free when it started or not, this is a clear shift





I check my system out with linpeas occasionally, and -- once you wade through the false positives (carefully!) -- there's not a lot to worry about.

What's more, more priv esc issues seem to come up with these fancy new tools than plain old unix user-to-user separation. I think it's a question of powerful features => more complexity => more chances of something getting messed up.

And it's not that inconvenient -- I just run them simultaneously, hence why I said "modulo X11 security" earlier :-)


you're right, it's not a pretty situation.

My solution -- for several years now -- is to simply use different userIDs for different purposes. I can even run them simultaneously (modulo X11 security).

Just have to watch the usual news channels for privilege escalation bugs that may affect the tool I am using.

My threat model is strictly about local files (i.e., in $HOME). I don't care if the untrusted app can see how many mount points I have, what my IP address is, what services I am running (e.g., via ss -plnt) and any number of other things. As long as said untrusted app cannot see $HOME of any other user, I'm fine.

(Even /tmp is fine -- if you set umask properly then other users can't read each other's files, only the existence of the file. Which -- again, I've thought about this carefully -- is not a concern for me.)
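An added example (not the commenter's code) that checks the umask claim in the comment above: in a shared directory with /tmp's mode (1777), a file created under umask 077 is visible to other local users but not readable by them, while one created under 022 is. The directory and both files are constructed inline in a temporary location; the audit function works on permission bits only (it does not consider ACLs).

```python
# Added example: verify that a restrictive umask hides file *content* from
# other uids while the file *name* stays visible in a 1777 directory.
# Everything is created inside a temporary directory built here.
import os
import stat
import tempfile


def create_with_umask(path: str, mask: int, content: bytes = b"secret") -> int:
    """Create a file under the given umask and return its permission bits."""
    old = os.umask(mask)
    try:
        with open(path, "wb") as fh:
            fh.write(content)
    finally:
        os.umask(old)  # umask is process-wide: always restore it
    return stat.S_IMODE(os.stat(path).st_mode)


def readable_by_others(root: str) -> list:
    """Relative names of regular files under root whose mode grants 'other'
    read access.  Run this over $HOME to audit what a second uid could read
    (mode bits only; POSIX ACLs are not inspected)."""
    found = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.stat(full).st_mode & stat.S_IROTH:
                found.append(os.path.relpath(full, root))
    return sorted(found)


def demo() -> dict:
    """Two files, one under umask 022 and one under 077, in a directory with
    the same mode as /tmp: both names are listable, only one is readable."""
    root = tempfile.mkdtemp(prefix="umask-demo-")
    os.chmod(root, 0o1777)  # world-writable with sticky bit, like /tmp
    loose = create_with_umask(os.path.join(root, "loose.txt"), 0o022)
    tight = create_with_umask(os.path.join(root, "tight.txt"), 0o077)
    return {
        "loose_mode": loose,                       # 0o644
        "tight_mode": tight,                       # 0o600
        "visible_names": sorted(os.listdir(root)), # both names show up
        "readable_by_others": readable_by_others(root),  # only loose.txt
    }
```

Note that umask only governs files created after it is set; files that already exist, and the mode of $HOME itself, have to be checked (and fixed with chmod) separately, which is what readable_by_others is for.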



I'll admit that organisations like Signal do have to consider that the "river may change its course" -- because they are used by at least some people whose very lives may depend on the security. "Out of an abundance of caution" -- as a lawyer might say.

But in reality, I don't think this will happen in my lifetime (I'm past 60).

I'm far from being a physicist, but there seems to be a lot of unjustified optimism going around here. And, I don't have the link handy, but have you read the paper by Peter Gutmann that came out earlier this year? (I think "Peter Gutmann stunt cryptography" will get you something.)

In the end, this debate can only be ended with time. So maybe I should save this comment and revisit every 3-4 years to assess what current S-O-A is.






yeah this always annoys me.

Whether it's an Android bug or something on Linux or Windows or whatever, the reporting -- unless you look carefully -- makes it sound like everyone is impacted, even people who are sensible in how they manage their systems (in this example, they don't install arbitrary junk).


even if they're all equally trustworthy, security functions should always be handled by a tool whose sole purpose is security.

A browser is a massive piece of software with a huge attack surface. Why would you want to risk tying your passwords directly into it?

Use a dedicated tool.

(Personally, I don't trust cloud, and I don't want to self-host -- that has its own problems and effort managing your server and keeping it secure. So I use KeePassXC on laptop, KeePassDX on Android, synced with syncthing).



Apologies for not answering your question, but hardware encryption is not a good choice.

At the moment I can only find https://www.kb.cert.org/vuls/id/395981/ (and others talking about the same research), but over the years I seem to recall at least a couple of others like this...

Use software encryption -- several tools exist, on all OSs (though accessing the same encrypted partition from multiple OSs may be a challenge, I will admit).




yup; among these tools only Markor renders

lorem
ipsem

as "lorem ipsem". But remember until less than 3 years ago, I was all "vim only" (using pandoc to render to HTML or PDF or DOCX or whatever), so I'm used to that.

Also, I have started to write whole paragraphs as single lines, because it really helps when searching multiple words (e.g., "phone" and "battery" mentioned in the same paragraph) using fzf or grep, or indeed any line-oriented search tool.




So your current solution is mostly silverbullet, markor and a self hosted server ?

No self-hosted server. Silverbullet is running on 127.0.0.1 on both my laptops -- no access from outside.

Editing: 80% on VIM on laptop, 15% on Silverbullet , rest on Markor
Viewing/searching: 40% SB, 40% Markor, the rest (which don't have images/etc inlined) on VIM.

Tip: use foo syntax instead of [[bar.png | foo]] for maximum compatibility :-)


scams as India is the scam capital of the world

I started to look into this, in a totally unstructured way (i.e., not real "research"). As far as I can tell, this is happening at the individual level (i.e., each scam involves a 1-to-1 thing with someone who's not tech-literate or whatever).

In terms of amounts of money involved, Russia and NK lead the pack -- they don't (seem to) go after individuals



yeah I've never done a bootloader unlock. I assume it's done when you want to install a different ROM, right? But what ROMs work with arbitrary Samsung phones? Is there a definitive list somewhere? My phone is a Samsung "F15", whatever the hell that means.


I'd love to go back to single files basis though, so it doesn’t mess up with my local folder structure. What I found about PKM tools is that it makes me make a folder structure twice : one for text files and one for work files (3D files and images in my case). It was inefficient for me.

Interesting. I'm the opposite: I absolutely want all my files as individual MD files at the OS level -- because the bulk of the time I'm in VIM, so "single file" (i.e., SQLite or similar) won't do.

Oh and Silverbullet has a vim mode also :-)

Quick question, I just discovered that I can’t open a file synced with syncthing with markor, it tells me it doesn’t want to open synced files. Did you have the same experience ?

oh wow, no! Works fine here. I'm not an android expert, but depending on Android version you may need "permission for all files" to Markor? Or maybe permission for a specific folder, and then that folder be part of syncthing update?


Disclaimer: not sure if this goes against the spirit of "self-hosted" but here goes...

I discovered Silverbullet only recently, so I don't have the v1-vs-v2 issues you spoke of. To your other point about sync, I do use it on multiple machines, but there is no single server -- each machine runs its own local silverbullet. The data (markdown files, and attachments) are actually synced using syncthing.

On mobile I edit the same files using Markor.

Not sure if it actually helps you, so I'm throwing it in as food for thought



I agree about the live render.

In my case (not sure if it applies to you) the bulk of my editing is done on the laptop; the mobile is mostly viewing. Editing on mobile is only occasional so this did not bother me.

Plus, I have been using VIM since 1995 (yeah I'm old!) so there's that.

But Silverbullet renders how you described Obsidian -- only the current line is markdown. You could also try QOwnNotes -- another nice product that I have used briefly in the past



I wouldn't use obsidian anyway since I have disabled play store and only f-droid on my main phone.

Try Markor, seriously. Especially in light of you saying "files changed in formatting", I can tell you that between Markor on Android, Vim on Linux, and Silverbullet on Linux, there is NO change in file format or any other side-effect. I use all three seamlessly (Silverbullet only recently though).

The round-tripping is excellent.

What do you use on laptop?





syncthing is actually what I use.

  • app launch on laptop: I've installed it both on Linux (all my machines) and Windows (for a friend), and it has always worked. There may be a subreddit that is more suitable to ask -- and you should because that's not normal.

  • notification: yeah that's a pain, but I asked the dev and he said there's no way around it. (Frankly, his explanation did not make sense to me, and I had counter-examples of other apps that don't have such a need, but whatever; I'm not an Android expert so who knows.)

Out of curiosity, what actual software are you using to edit these files? I use vim on linux, and Markor on Android. I've also started playing with Silverbullet -- it's literally the only one I found that uses your existing markdown files as is, without (like Joplin or other tools) "importing" them into their (SQLite) database or whatever. I'm a hardcore "vim" guy, so being able to do anything I want on the content directly is very important to me, but that's just me.


ok I simplified things too much; I do actually use multiple user ids, but didn't want to sound crazy.

I have not properly digested what bubblewrap and similar tools do, but the classic Unix separation between userids is much more fundamental to every Unix. (I.e., this would work on any other Unix also.) Maybe you have a link to something that'll explain bubblewrap to someone who's not exactly young any more?

Also, what are the downsides of bubblewrap compared to multiple userids?

Edit: forget all that, I just (re-)read the README at https://github.com/containers/bubblewrap and I'm not sold. Specifically,

The maintainers of this tool believe that it does not, even when used in combination with typical software installed on that distribution, allow privilege escalation

I'm sure they're only being ultra cautious, as any good open source developer should be, and I'm also sure that's a very long shot. But the long shot is privilege escalation. I'll take normal Unix user-to-user and user-to-system separation over that.



curiously, normal people here don't even know this happens. Even the occasional arrests (Delhi Police have a decent track record AFAIK, not sure about other cities), don't really hit the headlines. Like in many places, our politicians take most of the mind share!


wow.

I wouldn't IP block the whole of China -- it's not as simple as that. And if someone wants to visit my blog (under my real name, not this xkcd386 handle), etc., that's fine.

Just out of curiosity, what do you host that is "at risk"? I'll admit I have nothing that could be hacked remotely -- the only thing I have is a blog which is statically generated on my laptop and pushed so it's not as if there's PHP or something even! Everything else I have is on github and similar.

All my other "self-hosting" is literally on my laptop, and I don't really need "access from anywhere", so it's fine to have it on LAN. I'll probably use tailscale if I ever need that. I don't see a risk from China for that, even if I start using it, so I'm curious...


xz style hacks are always a risk with open source, but if it's Chinese, the chances are probably way way higher. China has laws that enforce compliance with the CCP's orders, so even if the developer is honest he may not have a chance.

PS: I'm an Indian living in India, and have a huge anti-China bias


I don't use play store -- F-Droid only for me (1), so I can't try this.

What I've been using for "need to transfer files between devices on the same network" (as OP says) is:

  • syncthing to constantly keep a particular folder updated between all my devices (2 phones, a tab, and 2 laptops right now)

  • kdeconnect for ad hoc transfer between previously "paired" devices (laptops or phones)

  • localsend for ad hoc transfer with other devices.

All work fine; specifically the 4 limitations OP posted aren't a problem with any of these solutions.


(1) well google is preparing to take away f-droid and almost all independent software but that's next year...






I'm writing an article on this topic

I hope you include the fact that you can simply create another userid for untrusted apps, and run them from there.

(Edited to add: I keep a second terminal session logged into this userid, so I can start anything from there when needed. This is similar to one of the protections in Android, as you pointed out in one of your other comments in this thread).

This protects from all sorts of nasties, in fact pretty much everything except: (1) exploits that include privilege escalation -- which is not common but could happen, and (2) X11 related stuff (e.g., spying on the clipboard).

I've been using it for years now, so I'd be especially interested if you see any downsides to this other than those two. Even more interested if those downsides have already been exploited in the wild.








not only do I have them on the same device, I have them on the same app -- all my TOTP codes are in my KeePassXC KDBX file.

I used to say this is bad and wrong and what not. But the threat model for 2FA is a remote hacker knowing your password for some website, either through a password dump from an insecure site or some sort of phishing (1). It is not the situation where he has gained access to your laptop/phone and/or your KDBX file, and knows the master passphrase for the password file.

(This is subtly different for online password managers, where you have to prove yourself to the online service, but I don't do cloud stuff so shrug).


I expect heavy downvotes from FFS fans, but what the heck...

FFS is certainly open source by a strict definition of the term, but a sync tool is a "critical" tool in my book. For critical tools, I would prefer the available source code to be not just a snapshot of the entire code at each release -- I'd like to see/follow development.

No idea why they don't do that, but it is what it is.

Also, my answer is actually rsync and rclone for CLI, syncthing for stable, permanent, syncing.

(PS: rclone bisync subcommand has matured quite a bit. For CLI use where I explicitly want to invoke the sync it's often as good as syncthing).




Yet another proof that post-karma / comment-karma ratio is an excellent indicator of trolls, shills, and other mala fide users.

This <insert swear word> has 2.7K post karma, 157 comment karma -- a huge ratio (nearly 18)


Simplest and sanest is to use git-config. Even though this has nothing to do with git, it's a great way to edit and parse such stuff, and almost everyone already has git.

Create the config file like this (I'll explain the "exclude" line later):

[drive "drive-A"]
    dir = /d1
    dir = /d2
    dir = /d3
    exclude = /d1/timeshift
[drive "drive-B"]
    dir = /d4
    dir = /d5
    dir = /d6

Say the file is called "my-backups.conf", then this works:

LIST=$(git config -f my-backups.conf --get-all drive."drive-A".dir)

Best if the directory names you supply to the git config file have no spaces in them!

How I use the "exclude" is I massage that list into a set of "--exclude" options for my backup tool (restic). I leave that as an exercise for you :-)
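An added example (not the commenter's own script) of the "exercise" left above: read the git-config style file with `git config --get-all` and turn each drive section into the argument list for `restic backup`, with the exclude entries becoming --exclude options. The config text is constructed inline and written to a temporary file; /d1 etc. are placeholders, restic is only composed as an argv list and not executed, and `git` must be on PATH.

```python
# Added example: git-config file -> restic arguments.  Not the commenter's
# code; the sample config below is constructed here, paths are placeholders.
import subprocess
import tempfile

SAMPLE_CONFIG = """\
[drive "drive-A"]
    dir = /d1
    dir = /d2
    dir = /d3
    exclude = /d1/timeshift
[drive "drive-B"]
    dir = /d4
    dir = /d5
    dir = /d6
"""


def write_sample_config() -> str:
    """Write the constructed config to a temp file and return its path."""
    with tempfile.NamedTemporaryFile("w", suffix=".conf", delete=False) as fh:
        fh.write(SAMPLE_CONFIG)
        return fh.name


def get_all(conf: str, key: str) -> list:
    """All values of a multi-valued key such as drive.drive-A.dir.
    `git config --get-all` exits 1 when the key is absent; that is simply
    'no values', while any other failure (unreadable file, bad syntax) is
    raised."""
    proc = subprocess.run(
        ["git", "config", "-f", conf, "--get-all", key],
        capture_output=True, text=True, check=False,
    )
    if proc.returncode == 1:
        return []
    proc.check_returncode()
    return proc.stdout.splitlines()


def restic_args(conf: str, drive: str) -> list:
    """--exclude options first, then the source directories, for one drive."""
    excludes = ["--exclude=" + e for e in get_all(conf, f"drive.{drive}.exclude")]
    dirs = get_all(conf, f"drive.{drive}.dir")
    if not dirs:
        raise ValueError(f"no dir entries configured for drive {drive!r}")
    return excludes + dirs


def restic_command(conf: str, drive: str) -> list:
    """Full argv for restic, e.g. to hand to subprocess.run(check=True)."""
    return ["restic", "backup"] + restic_args(conf, drive)
```

Keeping the result as an argv list rather than a single string means paths with spaces survive intact, which removes the "no spaces in directory names" caveat from the comment above (that caveat only bites when the list goes through an unquoted shell variable).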



OP has post karma 7.0k, comment karma 2.0k. Anytime the ratio is that high I block and move on...

Honestly, reddit needs an option to help us make this automatic (with our choice of threshold ratio)


a bit shallow

you'd think so, but you'd be surprised how often it turns out to be useful. I routinely block people with high ratios on tech subs.

I have no idea why I started a conversation with you; must have been bored. I'll block you now to save myself having to see your self-promotional crap again (which means you won't see this message, but people like you have multiple userids so you probably will...)


people like you, who just post endless streams of URLs and don't actually participate in discussions enough to get comment karma, are... well in the interest of being polite I won't say what I'm really thinking.

I've found that post/comment karma ratio is a really good indicator of quality.

Mind blowing insight for you right there, kiddo



wow. You're either a very clever scammer or dangerously naive about security. Over in the other thread at https://old.reddit.com/user/Srivari1969/comments/1mv5vws/vaultpassorg_a_simple_site_for_storing_complex/n9tibf5/ the conversation reveals that the password used to access the service is also the password used to decrypt the data, which means your server has access to all the data.

And then your response to the person who laboriously explained why this is bad is classic Indian-style righteous indignation. I'm tempted to say "nice try, <swear word>".

(For others reading, don't worry I'm an Indian living in India, this is not a knock on Indians, it's just ... well you read https://old.reddit.com/user/Srivari1969/comments/1mv5vws/vaultpassorg_a_simple_site_for_storing_complex/n9ulv65/ -- and if you're an Indian you'll get it, otherwise don't worry about it.)

Edit: I just read https://old.reddit.com/r/Passwords/comments/1mv5xp5/vaultpassorg_a_simple_site_for_storing_complex/n9t125x/ -- "I'm giving back to society". What sanctimonious drivel, but again -- classic Indian response, including the namaste icon.

If you want to give back to society you would open source it.
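An added example, not taken from the thread or from the site being criticised, showing the design flaw the comment above describes next to the usual fix: in FlawedVaultServer the password sent at login is also the data key, so the server can read the vault the moment a user logs in; in VaultServer the client runs a slow KDF on the password and splits the result into an authentication key (the only thing the server ever sees, and it stores just a hash of that) and an encryption key that never leaves the client. Both server classes are hypothetical, the iteration count is an assumption, and the HMAC-based stream cipher is a stand-in for a real AEAD such as AES-GCM, used only so the example runs with the standard library.

```python
# Added example: login secret and data key derived separately on the client
# (VaultServer) versus one password doing both jobs (FlawedVaultServer).
# Hypothetical names; toy cipher for illustration, use a real AEAD in practice.
import hashlib
import hmac
import os
from typing import Optional, Tuple

ITERATIONS = 600_000  # PBKDF2 work factor, assumed; tune for your hardware


def derive_keys(password: str, salt: bytes) -> Tuple[bytes, bytes]:
    """Slow KDF, then two independent sub-keys via HMAC as a PRF:
    knowing auth_key reveals nothing about enc_key."""
    master = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    enc_key = hmac.new(master, b"vault/encryption", hashlib.sha256).digest()
    auth_key = hmac.new(master, b"vault/authentication", hashlib.sha256).digest()
    return enc_key, auth_key


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Toy encrypt-then-MAC: nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> Optional[bytes]:
    """None on a wrong key or a tampered blob, never garbage."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class VaultServer:
    """Stores salt, a hash of auth_key and the opaque blob; never the password."""
    def __init__(self):
        self.users = {}

    def register(self, user: str, salt: bytes, auth_key: bytes, blob: bytes) -> None:
        self.users[user] = {"salt": salt, "blob": blob,
                            "auth_hash": hashlib.sha256(auth_key).digest()}

    def salt_for(self, user: str) -> bytes:
        return self.users[user]["salt"]

    def login(self, user: str, auth_key: bytes) -> Optional[bytes]:
        rec = self.users[user]
        if not hmac.compare_digest(rec["auth_hash"], hashlib.sha256(auth_key).digest()):
            return None
        return rec["blob"]  # still ciphertext; the server cannot open it

    def operator_snoop(self, user: str) -> Optional[bytes]:
        """A malicious operator's best attempt: the only key-like value stored
        is auth_hash, and it fails the tag check."""
        rec = self.users[user]
        return decrypt(rec["auth_hash"], rec["blob"])


class FlawedVaultServer:
    """The design criticised above: the password presented at login *is* the
    decryption key, so the server holds the key every time a user logs in."""
    def __init__(self):
        self.users = {}

    def register(self, user: str, password: str, secret: bytes) -> None:
        key = hashlib.sha256(password.encode()).digest()
        self.users[user] = {"pw_hash": hashlib.sha256(key).digest(), "blob": encrypt(key, secret)}

    def login(self, user: str, password: str) -> Optional[bytes]:
        key = hashlib.sha256(password.encode()).digest()
        if not hmac.compare_digest(self.users[user]["pw_hash"], hashlib.sha256(key).digest()):
            return None
        return decrypt(key, self.users[user]["blob"])  # server-side plaintext


def client_register(server: VaultServer, user: str, password: str, secret: bytes) -> None:
    salt = os.urandom(16)
    enc_key, auth_key = derive_keys(password, salt)
    server.register(user, salt, auth_key, encrypt(enc_key, secret))


def client_read(server: VaultServer, user: str, password: str) -> Optional[bytes]:
    enc_key, auth_key = derive_keys(password, server.salt_for(user))
    blob = server.login(user, auth_key)
    return None if blob is None else decrypt(enc_key, blob)
```

The point of operator_snoop is that even someone with full read access to the server's database gets nothing, whereas FlawedVaultServer.login returns the user's plaintext on the server side by construction; that is the difference between "zero knowledge" and a service that merely promises not to look.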




looking at your responses to some of the other comments, I take it you haven't discovered a neat little trick called "shell scripts" to encapsulate rsync or cp to your "just a wee bit different, to prove I did something" specifications.

And FFS don't reply in that overly polite manner. You sound like you're using an LLM to at least polish your responses. This is f-ing reddit, no need to be formal and overly polite.



I have a lot of it but it's unfairly earned, because the people I lord it over are students :-)

I go to a local college a few days a month to help the students with their projects, and almost all of them use some IDE (even on Linux). I'll freely admit my vim is not as tricked out as it could be, but I still manage to navigate the source code much faster than they can :-)


Edit: apparently this was too "friendly", and some brainiac thought it was generated by an LLM. JFTR, no, it's not. It's an edited version of a bunch of entries in my personal wiki (edited because I have lot more data than this, including logs of my experiences, some benchmarks, bits of shell script, options to watch out for, and god only knows what else, interspersed with the bullets you see below).


Hi u/Schorre -- here's a breakdown of common, open source, command line only, tools for you, in decreasing order of (my) preference.

1. restic: multiple versions, space efficient, encrypted, chunk-based de-duplicated, can use almost any cloud or sftp backends. Can delete arbitrary older versions when you feel they've aged enough, and this can be automated also, with suitable parameters to the prune subcommand. Multi-threaded, and with an rclone backend (which is also multi-threaded), it's very fast.

As a quick check, one of my backups has 140+ snapshots over the past 2 years; the total size without dedup would be 960 GB, with dedup it is 45 GB.

2. borg: almost the same as restic, but no multi-threading, and borg is required on the server (so no backing up to an arbitrary cloud server -- it has to support borg). See this comment for other reasons why I switched from borg to restic.

3. rdiff-backup: multiple versions, but you have to plan ahead which one will be a full backup and which ones will be incremental -- you can't arbitrarily delete an older version. Also no encryption. Space efficiency uses rsync's delta mechanism. It's not as efficient as chunk-based dedup. (Might sound like a corner case, but if you cycle a large file between two different versions across, say, 10 backups (i.e., version A today, B tomorrow, A again the day after, etc.), restic and borg won't take up any extra space except metadata, but rdiff-backup will keep producing reverse diffs A/B then B/A then A/B again.) On the plus side, the latest version can be read off from the disk directly -- no special software needed.

4. rsnapshot: multiple versions, but deduplication is only at the file level using hard links when the content does not change. Will definitely take more space for a given number of backups than rdiff-backup. Has the same A/B/A/B/... problem. Plus point is ALL the versions can be read off from disk directly, not just the latest version like rdiff-backup.

5. tar: individual tar files like you're doing have absolutely no deduplication. You're wasting space.

Hope this helps. (I ignored many other tools, some of which have some nice properties... like dar, 7zip, zpaq and so on)






https://www.data.gov.in/resource/stateut-wise-cases-registeredcr-under-dowry-deaths-2017-2021 (from https://www.data.gov.in/keywords/Dowry)

row 39 (total for India) shows a 9.55% drop in 4 years. Unfortunately this does not really differentiate between urban and rural, and I stand by what I said -- it has come down a lot in urban India.

don't throw around words like "ignorant"; it doesn't help make your case

Edit: I just realised, while it does not account for urban vs rural, it also does not account for population -- they're absolute numbers. But we can fix that.

Taking the numbers for 2017 and 2021 from https://en.wikipedia.org/wiki/Demographics_of_India#UN_estimates into account, the dowry death numbers effectively drop 13.07% (not 9.55%).

That's a far cry from "1-5%".



The bigger, or at least more visible, reason boys were favoured was not that they would financially take care of the parents. It was because of this horrendous practice called dowry. In certain communities the amounts involved were mind-boggling, and in many cases would put a serious dent in any father's life savings. To the point that if they had daughters they'd better start saving right now.

Thankfully this is (I believe or at least it seems so) largely gone, and even when practiced, in many cases it is merely symbolic.

(Like gender-determination, it is of course illegal, but that doesn't mean much in practice.)

I think what has reduced it a fair bit is better education, especially for girls, and a more urban population (more people moving to cities from villages, which has its own problems but let's not go there) leading to much more cultural diversity and awareness (neighbours in city apartment could well be from different parts of the country; this would not happen in villages), and so on.


all good points

but a lot of it gets mitigated heavily if you

  • use, say, thunderbird for email

  • never log on to that account on a laptop/desktop except in the rare occasion you need to do something with settings (e.g., setup a mail rule)

  • never log on to google on Android, and disable playstore, play services

    • (the price I pay for this is that, I maintain a second phone for the rare occasion I need google maps. It's not a huge price in money terms; it's just my previous phone before I upgraded)

TLDR: never stay logged in (whether that is phone or laptop browser).

Note that my main email is actually fastmail, I do agree with the idea of reducing gmail, but it can't be totally avoided, as OP said


I was a long time borg user but switched to restic about 2+ years ago. My reasons were mainly that it is much faster (multi-threaded, and so is rclone so if you use that as a backend you can really see the difference), can backup multiple sources to the same repo (borg has warnings about that), and of course the fact that you can backup to pretty much anything that rclone supports.

In particular, I hated borg's constant whining about "this repository was previously located at /blah/more/blah/whatever.borg; are you sure you want to use it?". That and the limitations on backing up multiple sources to one repo seemed to imply a potential security problem if you did that (this is from memory, don't shoot me if it's not true. And in fact it may not be true now).

The fact that restic is a single static binary is a bonus; I can install it on all my devices without any version dependency issues common to python tools.


yeah but you should instantly fix that. Go and reformat all your disks, reinstall if you have to.

/s of course

Sarcasm apart, I hate the knee jerk reaction on this and other subs to devolve to zfs, as if changing the file system is ever a solution when someone asks a question of this nature.


or you could stop using a cloud-based service and use a local-file password manager -- anything from the keepass family.

I have everything (even TOTP) in one KDBX file with a pretty long master passphrase. I send a copy of that file to my wife and kids every time there's a significant change to an important password. Sometimes I send it to a buddy. (Family knows the master passphrase -- blame covid for that precaution; buddy doesn't).

Covers for all sorts of availability issues.

cue downvotes from bw fans :-)


Keeping the TOTP separate does not make any sense; that is not the threat model that TOTP is meant for

TOTP is for "some hacker on the internet got my password", not "someone got both my KDBX file and my master passphrase". If that ever happened you can bet he has your other two KDBX files and their passwords also.

Stop overengineering things.



some of my favourite quotes on btrfs:



transnational repression from India on the Sikh communities in Canada

Disclaimer: I'm an Indian living in India.

Please don't make it sound so one-sided.

I don't like our "four-letter word PM" much myself, and I have no opinion on whether he did or did not instigate anything, but if these "Sikh communities" stayed "in Canada" without interfering in India (i.e., Khalistan separatism), I doubt there'd be anything to discuss.


ranger's bulkrename is a joke.

Try a swap (a <-> b), or worse, a circular rename (e.g., a -> b, b -> c, c -> a) -- it'll make it your problem to do the required intermediate steps.

Vifm just does it -- no fuss no muss. (Only tool even better at bulk rename is vidir from the moreutils package)


vim like -- best one is vifm. It's so vim like the config syntax uses the same keywords -- as much as they can apply to a file manager. You can even do things like :%s/foo/bar/ to rename files :-)

As for ranger, I was a big fan for some years, but eventually realised I don't need a tool whose configuration requires 4 different files in 3 different languages.

Or, consider how ranger does the simple task of "mkdir + cd". In ranger this is https://github.com/ranger/ranger/wiki/Custom-Commands#mkcd-mkdir--cd -- 20 lines of python.

In vifm it is

command! Mkcd :mkdir! %a | cd %a

(by the way, note the vim syntax, except for the %a which is specific to vifm).


just a side note: for directory comparisons, nothing beats vifm.

(Actually, I don't think mc can compare recursively at all -- at least I never figured it out. Would be great if you could tell me how, if you know!)

This is a pet need of mine, so I've compared all the file managers I was willing to use long term (mc is second on my fav list), as well as several tools, both gui (meld, kdiff3), and tui (vim's DirDiff plugin), custom scripts built off of other tools (like hashdeep, or even rsync with --dry-run --info=progress2) and many more I can't recall.

Vifm has consistently beaten all of them for my needs. Most of them fall apart when files on one side have been renamed or directories have been juggled -- something that's not unusual when people curate their files occasionally -- so you want to know what new content is on each side. In vifm, that is the groupids option to the compare command -- where the listings on both sides line up according to matching content, not matching filename.

I could go on, but I'll stop here.


no I agree with u/GigaChav -- please never work in cybersecurity. You made an over-engineered, needlessly complex tool which has no real security -- for example anyone who knows the root password or somehow gets root can access it, and at the end of the day the content is not even encrypted. A lot of it assumes the people who borrow your computer are not tech savvy -- which may be true in your case but not always.

It's fine to say "I'm learning bash" or whatever, but publishing this for others to use is crossing a line.

The correct solution is, as u/wolfegothmog said, to use gocryptfs and simply umount that dir when handing off the PC to someone else.

I have a similar problem. My laptop has all my financial/medical docs in one folder. I travel a lot, plus I teach occasionally at a nearby uni. When I go to the college I may not always be able to keep an eye on the laptop (I mean it won't get outright stolen but kids are kids!). So the financial and medical documents folder goes in gocryptfs, and I open it only for the short duration I actually need to work on those docs, and close it immediately.





yes and no. Yes you are missing something, but no you're not the only one :-)

  • I use keepassxc, so no biometrics. (Anyway I am an Indian living in India, so all that 5th amendment stuff does not apply, but you may find it worth considering)

  • passkey implementations are still very hard to migrate from one system to another (as far as I understand them)

  • that said, I only tested passkeys on a throwaway account; I'm not going to move just yet because I don't see the need

    • I do all the "best practices" for passwords and using KeePassXC properly is already pretty good at preventing phishing (it simply won't offer the password if the site URL does not match, though this is not as fool-proof as what passkeys do)

(Other reason I don't move is the android version of my password manager (KeePassDX) and the android version of my browser (firefox) don't support it yet)