A1kmm @ A1kmm @lemmy.amxl.com

Posts

8

Comments

214

Joined

2 yr. ago

Well fingers crossed if kitteh liked it she'll want it again!

I use Restic, called from cron, with a password file containing a long randomly generated key.

I back up with Restic to a repository on a different local hard drive (not part of my main RAID array), with --exclude-caches as well as excluding lots of files that can easily be re-generated / re-installed/ re-downloaded (so my backups are focused on important data). I make sure to include all important data including /etc (and also backup the output of dpkg --get-selections as part of my backup). I auto-prune my repository to apply a policy on how far back I keep (de-duplicated) Restic snapshots.

Once the backup completes, my script runs du -s on the backup and emails me if it is unexpectedly too big (e.g. I forgot to exclude some new massive file), otherwise it uses rclone sync to sync the archive from the local disk to Backblaze B2.

I backup my password for B2 (in an encrypted password database) separately, along with the Restic decryption key. Restore procedure is: if the local hard drive is intact, restore with Restic from the last good snapshot on the local repository. If it is also destroyed, rclone sync the archive from Backblaze B2 to local, and then restore from that with Restic.

Postgres databases I do something different (they aren't included in my Restic backups, except for config files): I back them up with pgbackrest to Backblaze B2, with archive_mode on and an archive_command to archive WALs to Backblaze. This allows me to do PITR recovery (back to a point in accordance with my pgbackrest retention policy).

For Docker containers, I create them with docker-compose, and keep the docker-compose.yml so I can easily re-create them. I avoid keeping state in volumes, and instead use volume mounts to a location on the host, and back up the contents for important state (or use PostgreSQL for state instead where the service supports it).

He does indeed have a history of paying his way into looking like a visionary and/or an engineer. He bought into Tesla in early 2004, it was founded in mid 2003.

His comfort zone was convincing people to give him money for one really ambitious thing, and then using that money to achieve some other thing (that no one would have given him money for) that is sort of on the way, but which has commercial value to him.

For example, he has repeatedly said his companies will deliver full self-driving cars by dates that have passed - and convinced investors to get him in a position to compete with companies like Toyota, promised a 'hyperloop' and got funding to compete with other horizontal drilling companies, promised to send people to mars and got to compete with other satellite technology companies.

So making big promises paid off for him. For the investors, in terms of long term value, they might have been better off investing in existing companies he ended up competing with.

But I suspect he is now outside his comfort zone, and might not even realise how far out of his depth he is.

There is some poetic justice given the way Zuckerberg has apparently steamrolled other trademarks like Meta PC and Threads.com.

Hopefully the user-unfriendly corporate social media companies get so distracted fighting each other and destroying their own products that it gives FLOSS fediverse software a decent opening to get everyone onto the fediverse.

I must admit I read that as 'cat problems' the first time - and got increasingly concerned when I read the bit about 'under warranty' and 'dropping it' - until I got to the bit about driving! Upon re-reading, it made a lot more sense.

I think we need to try to get Firefox's user base up fast (and the user base for other browsers that are ultimately controlled by non-profits) - if non-commercial browsers dominate or even have 30+% market share, if they say no to something bad for users and the open web, it doesn't happen. While non-commercial browsers are a small minority, if they say no, services that work everywhere else follow Google / Apple and consider breaking Firefox acceptable collateral damage, and then Firefox etc... becomes an ever smaller minority, so they get forced into things like this.

The trouble is FAANG get advantage by posing an insidious threat - they treat users well when they are trying to gain market share, and invest heavily and maybe briefly offer a superior user respecting product. But when they get the market share to give them the leverage, the switch part of bait-and-switch comes out, and we see them try to take down the open web to cement their position against the non-profits, and make their browsers inferior for users to bump up revenue (enshitification, to borrow a term from Cory Doctorow).

And in fact will save you CPU cycles. For a bit, Chrome had a slight performance edge over Firefox. But once Google got the market share, Firefox caught up and got ahead, and Chrome didn't invest in keeping up, so Firefox is generally faster. The only exception is a few sites (especially Google ones) seem to be heavily optimised for Chrome, but not necessarily as much for Firefox. If you stay away from those sites, Firefox is generally faster.

Plus Chromium is increasingly becoming more hostile to efficient ad blocking add-on implementations - so if you want to block ads (generally recommended due to ad networks doubling as paid malware distribution networks), Firefox or other Gecko-based browsers are generally the best bet.

The proposal doesn't say what the interface between the browser and the OS / hardware is. They mention (but don't elaborate on) modified browsers. Google's track record includes:

1. Creating SafetyNet software and the Play Integrity API that create 'attestations' that the device is running manufacturer supplied software. They can pass for now (at a lower 'integrity level') with software like LineageOS combined with software like Magisk (Magisk by itself used to be enough, but then Google hired the Magisk developer and soon after that was dropped) and Universal SafetyNet Fix, but those work by making the device pretend to be an earlier device that doesn't have ARM TrustZone configured, and one day the net is going to close - so these actively take control away from users over what OS they can run on their phone if they want to use Google and third party services (Google Pay, many apps).
2. Requiring Android Apps be signed, and creating a separate tier of 'trusted' Android apps needed to create a browser. For example, to implement WebAuthn with hardware support (as Chrome does) on Android, you need to call com.google.android.gms.fido.fido2.Fido2PrivilegedApiClient, and Google doesn't even provide a way to apply to get allowlisted for (Mozilla and Google are, for example, allowed to build software that uses that API but want to run your own modified browser and call that API on hardware you own? Good luck convincing Google to add you to the allowlist).
3. Locking down extension APIs in Chrome to make it unsuitable for things they don't like, like Adblocking, as in: https://www.xda-developers.com/google-chrome-manifest-v3-ad-blocker-extension-api/.

So if Google can make it so you can't run your own OS, and their OS won't let you run your own browser (and BTW Microsoft and Apple are on a similar journey), and their browser won't let you run an adblocker, where does that leave us?

It creates a ratchet effect where Google, Apple, and Microsoft can compete with each other, and the Internet is usable from their browsers running unmodified systems sold by them or their favoured vendors, but any other option becomes impractical as a daily driver, and they can effectively stack things against there ever being a new operating system / distro to compete with them, by making their web properties unusable and promoting that as the standard. This is a massive distortion of the open web from where it is now.

A regulation that if hardware has private or secret keys embedded into it, hardware manufacturers must provide the end user with those keys; and that if they have unchangeable public keys embedded and require that software be signed with that to boot or access some hardware, manufacturers must provide the private keys to end users. If that was the law in a few states that are big enough that manufacturers won't just ignore them, it would shut down this sort of scheme.

At any place I've ever worked: no (unless you want to)! And if any do expect that, it would be a red flag that it isn't a great place to work, so if they don't hire you over that, you would have dodged a bullet.

Yesterday, I discovered that the doctor supervising the nurses doing the vaccinations at the clinic near me is a bit of an anti-vaxxer who tried to talk me out of vaccinating my daughter for COVID-19 (never mind the ATAGI recommendation is that everyone over 5 years receive it, and lots of recent science shows a clear net benefit for children of all ages and comorbidities), and played down the benefits and played up the risks. And when I said we still wanted to do it, he said the nurse would call back when they confirm they still have the vaccine in stock - and then they said it was too late to do it that day and we had to reschedule for Thursday.

It makes me sad that doctors get in the way of parents vaccinating their kids with vaccines that a committee of more specialised doctors than them have recommended every Australian over 5 should get. I wonder how many other parents he has done this to, not all of whom may have been such a strong advocate for their child as to push past the anti-vaxx nonsense coming from someone who should know better.

"With the narrowest of majorities – five seats – in the House, Republican Speaker Kevin McCarthy needed near-unanimous support for the more than 1,200-page bill. That forced him to appease ultra-conservative members of the party, who pledged not back down in negotiations."

Is working with moderates of a different brand of party really worse than kowtowing to the demands of extremists in the same brand of party as you? Because it seems that would be the obvious way to get moderate bills passed if you were moderate and that is what you really wanted.

Yeah everyone using Cloudflare is definitely centralisation, but maybe a kind of centralisation that allows for easier switching to something else if Cloudflare gets too crazy.

DDoS is a war of attrition - and the best way to win a war of attrition is to make it cost much more than $1 to make you spend $1, and to be able to outspend the attackers (e.g. the whole community bands together to support the victims against the attacker). I think the best response depends on who is attacking.

Network level DDoS is likely using stolen bandwidth - but the person directing the attack is probably paying someone for the use of it (i.e. they didn't compromise the equipment themselves, someone else builds botnets and rents them out). If you can identify what traffic is part of a DDoS, you can track down where it is coming from, and alert the owner of the network where it is coming from, which hurts the person providing the services to the attacker quite a lot. If I have a reputation of: if you attack me for someone else, I'll cost you a significant part of your business that will take you months to build back up, then you are not going to offer that service cheaply, or even at all.

Application level DDoS usually relies on amplification of cost - I do something relatively inexpensive (like send a packet opening a connection), and it makes you do something really expensive involving databases, disk IO etc...; a good mitigation is to redesign the API to flip that on its head, so you do something expensive, and I do something relatively cheaper for you. There is an open issue about using Hashcash to do just that at: https://github.com/LemmyNet/lemmy/issues/3204 - the downside is that it forces users (even on mobile devices) to use more compute / power for every request to Lemmy, but I think there is a balance that can be struck there where it isn't too bad for users, but makes that type of attack infeasible.

It comes down to how you define winning. Define L(X_i) as the 'loss' of warring party i at the end of the war - positive loss means that party i is worse off at the end of the war, while negative loss means party i is better off at the end of the war. If you are playing a board game, the rules might say someone always wins, and it is party i with the lowest L(X_i). But in a real life war, if party 1 started the war, their objective is probably that L(X_1) < 0 - i.e. they started the war to profit, not just to lose less than other parties. So in a real war, it is fair to say a party i loses if L(X_i) > 0, and wins if L(X_i) < 0. So to say no-one wins a war with parties P is to say \forall_{i \elem P} L(x_i) < 0.

Now in the case of wide scale nuclear war, parties likely launch all their nukes at each other within minutes so they launch before their capability to launch is destroyed. All major cities in all parties will likely be destroyed, and contaminated with nuclear fallout that may take years to decay to safe levels. Particulate thrown up by explosions would likely block out the sun and spoil all agriculture on earth for years (nuclear winter). Most people on earth would die. Government and civilisation would be unlikely to be able to continue under such circumstances - people might at least fall back to tribal organisation for a while.

So a widescale nuclear war would almost certainly lead everyone with a positive loss function - hence 'no winners'.

Despite what the image says, Aaron Swartz was actually never convicted of a crime in a court of law, and hence never sentenced. He was harassed by prosecutors, who posthumously dismissed the charges against him they were hounding him with (possibly because they were annoyed by earlier legal conduct of his that got prosecutors reprimanded by judges for inappropriate inclusion of private data in unsealed filings).