Kagi silently removed all references to Google's index from their website
hedgehog (@hedgehog@ttrpg.network) - Posts: 1, Comments: 865, Joined 2 yr. ago
You can use YaCy, which can be run as an independent self-hosted index (in “Local” mode), where it will index sites visited as part of web crawls that you initiate, or you can run it as part of a decentralized peer-to-peer network of indexes.
YaCy has its own search UI but you can also set up SearXNG to use it.
I can’t speak to Android as a whole, but here’s how often Samsung Face Unlock will require you to re-auth with your phone’s passcode:
- after 4 hours of not using the phone
- after restarting
- at least once every 24 hours
iPhones do something similar, but it’s after 48 hours of non-use (instead of 4) and at least weekly instead of daily. Having to enter your password daily should help most people keep it memorized pretty well, but weekly - maybe not. So you definitely have a good point there.
One thing that can make it easier to remember - and just as secure - is to use a longer pass phrase instead of random characters.
If you’re using the diceware approach (“correct horse battery staple”), then 5 words has 32 times / 5 bits more entropy than a 10 character mixed-case alphanumeric password (64 vs 59 bits of entropy) (4 word passphrases aren’t random enough to be recommended - they have fewer bits of entropy (51) than even 9 character mixed-case alphanumeric passwords (53), though notably 10 same-case alphanumeric characters also have only 51 bits of entropy).
The EFF has a word list that’s been improved for usability. They also have a short list, comprised of words with at most 5 characters each, where you roll 4 dice instead of 5. With 6 words from that list you get 62 bits of entropy, which is good enough to be able to recommend.
Unless you’re using a random 10+ alphanumeric passcode and are fine entering it every time you log into your phone, with a short auto-lock period, you’re much better off enabling biometrics (assuming it’s implemented competently) in combination with a longer passcode and understanding how to disable it when appropriate.
I recently replied with this comment to a Gizmodo article recommending the same thing you did for similar reasons, if you’d like to better understand my rationale: https://ttrpg.network/comment/6620188
I haven’t used it and only heard about it while writing this post, but Open WebUI looks really promising. I’m going to check it out the next time I mess with my home server’s AI apps. If you want more options, read on.
Disclaimer: I’ve looked into most of the options below enough to feel comfortable recommending them, but I’ve only personally self hosted the Automatic 1111 webui, the Oobabooga webui, and Kobold.cpp.
If you want just an LLM and an image generator, then:
For the image generator, something that leverages Stable Diffusion models:
And then find models that you like at Civitai.
For the LLM, the best option depends on your hardware. Not knowing anything about your hardware, I recommend a llama.cpp based solution. Check out one of these:
Alternatively, VLLM is allegedly the fastest for multi-user CPU-based inference, though as far as I can tell it doesn’t have its own webui (but it does expose OpenAI compatible API endpoints).
And then find a model you like at Huggingface. I recommend finding a model quantized by TheBloke.
There are a couple communities not on Lemmy that discuss local LLMs - r/LocalLLaMA and r/LocalLLM for example - so if you’re trying to figure out which model to try, that’s a good place to check.
If you want a multimodal AI, you can use llama.cpp with a model like LLAVA. The options below also have multimodal support.
If you want an AI assistant with expanded capabilities - like searching your documents or the web (RAG), etc. - then I don’t have a ton of experience there, but these seem to do that job:
- H2OGPT
- Open WebUI, formerly Ollama Webui
If you want to use your local model as more than just a chat bot - integrating it into your IDE or a browser extension - then there are options there, and as far as I know every LLM above can be configured to expose an API allowing it to be used by your other tools. Some, like Open WebUI, expose OpenAI compatible APIs and so can be used with tools built to be used with OpenAI. I don't know of many tools like this, though - I was surprisingly not able to find a browser extension that could use your own API, for example. Here are a couple examples:
- Continue for VS Code / JetBrains IDEs
- "ChatGPT Utilities" for A1111 WebUI - this doesn't let you set the URL by default, but since it's open source you could modify it pretty easily
Also, I found this Medium article listed some of the things I described above as well as several others that I’d never heard of.
Last I checked (around the time that LLAMA v3 was released), the performance of local models on CPU also was pretty bad for most consumer hardware (Apple Silicon excepted) compared to GPU performance, and the consumer GPU RAM situation is even worse. At least, when talking about the models that have performance anywhere near that of ChatGPT, which was mostly 70B models with a few exceptional 30B models.
My home server has a 3090, so I can use a self-hosted 4-bit (or 5-bit with reduced context) quantized 30B model. If I added another 3090 I’d be able to use a 4-bit quantized 70B model.
There’s some research that suggests that 1.58 bit (ternary) quantization has a lot of potential, and I think it’ll be critical to getting performant models on phones and laptops. At 1.58 bit per parameter, a 30B model could fit into 6 gigs of RAM, and the quality hit is allegedly negligible.
I had a pocket TV back in 2007 or so. It had an antenna and everything. It was a bit bulky and not at all power efficient, though. IIRC it went through 8 AA batteries in about 3 hours.
I’m not sure why you’d want that over a smartphone or even just a small tablet, though.
Also, we have flying skateboards, they’re just prohibitively expensive or not yet being sold. Look up the ArcaBoard (was $20k back in 2015, doesn’t seem to be sold anymore), the Lexus Hoverboard, and the Flyboard Air. Unfortunately if you try to buy a “hoverboard” you’re just gonna end up with an electric scooter.
I haven’t personally used any of these, but looking them over, Tipi looks the most encouraging to me, followed by Yunohost, based largely on the variety of apps available but also because it looks like Tipi lets you customize the configuration much more. Freedom Box doesn’t seem to list the apps in their catalog at all and their site seems basically useless, so I ruled it out on that basis alone.
> I am trying to avoid having to have an open port 22
If you’re working locally you don’t need an open port.
If you’re on a different machine but on the same network, you don’t need to expose port 22 via your router’s firewall. If you use key-based auth and disable password-based auth then this is even safer.
If you want access remotely, then you still don’t have to expose port 22 as long as you have a VPN set up.
That said, you don’t need to use a terminal to manage your docker containers. I use Portainer to manage all but my core containers - Traefik, Authelia, and Portainer itself - which are all part of a single docker compose file. Portainer stacks accept docker compose files so adding and configuring applications is straightforward.
I’ve configured around 50 apps on my server using Docker Compose with Portainer but have only needed to modify the Dockerfile itself once, and that was because I was trying to do something that the original maintainer didn’t support.
Now, if you’re satisfied with what’s available and with how much you can configure it without using Docker, then it’s fine to avoid it. I’m just trying to say that it’s pretty straightforward if you focus on just understanding the important parts, mainly:
- docker compose
- docker networks
- docker volumes
If you decide to go that route, I recommend TechnoTim’s tutorials on Youtube. I personally found them helpful, at least.
It’s not changing the default behavior, so it still has it.
Per the article, they’re introducing a new opt-in feature that a woman, enbie, or person looking for same-gender matches can set up - basically a prompt that their matches can reply to.
I think Bumble also used to prevent you from sending multiple messages before getting a reply, but maybe that was a different app... If they still do that in combination with this feature, then I could see this feature continuing to accomplish their mission of empowering women in online dating.
Permanently Deleted
Considering a password manager that also stores your second factor to be 2FA, assuming that it requires two factors to authenticate with on its own, is basically the same thing as considering logging into a site via SSO that itself requires two factors to be 2FA.
It’s also the same as considering a hardware security key with a PIN-protected Passkey to be 2FA.
As I said in my first comment, I’m more familiar with iOS, where 6 digit passcodes are the default.
That said, do you genuinely think the average person would use a random 10+ alphanumeric character passcode to unlock their phone after taking the advice of this article and disabling biometric auth?
I use Standard Notes for most of my notes. For simple todo lists, I use the Checklist note type. For project planning I generally use the SN Kanban Editor and while it has some quirks, I find it works fine on desktop and acceptably on mobile. It saves notes in markdown so I’ll sometimes swap the note type, make bulk edits, and swap back. I also use some of the other editors from https://github.com/jonhadfield/awesome-standard-notes like the MermaidJS one.
For notes that I plan to share or want to work collaboratively on, I use Hedgedoc. I tried it out because of the name and icon, thinking of it as basically a Gist tool, but then started using it for more because of how great the experience has been.
100%.
If you’re always concerned about sophisticated attackers, then you should also:
- Disable biometrics unlock whenever your device is about to leave your possession or you’re going to sleep
- Protect against shoulder-surfing / surveillance attacks that can capture you entering your password, e.g., by being aware of your surroundings and only entering your password or viewing sensitive information when you’re certain your screen (and thumb locations) can’t be observed or by obscuring a view of your phone with your shirt or a blanket (like Snowden)
- Take the time to learn more about security in general and in relation to the specific threats that concern you
It calls them “passwords,” but personally I don’t consider a 6 digit number to be a password. And according to this article on GrayKey, 6 digit “passcodes” became the norm back in 2015. I haven’t seen any stats showing that people on average use more secure passcodes now, and making the passcode required more frequently isn’t going to encourage anyone to use one that’s more secure.
The article just says “disable biometrics” which is bad advice for the average person, as it will result in them using a 6 digit passcode. This is a knee-jerk reaction at best, and the resulting advice is devoid of nuance, made by someone who clearly doesn’t understand the threat discussed in the article, and would benefit literally nobody who might feasibly take it.
My advice is echoed by the article above, but it’s based off having an understanding of the problem area and suggesting a solution that doesn’t just address one thing. Anyone giving advice on the topic should consider:
- known threats and reasonably likely unknown threats
- the mitigations to those threats
- how the technology works for both the threats and the mitigations
- the legal landscape in your jurisdiction - for us, the US - both in practice and in theory
- people’s attitudes toward security, namely their willingness to suffer inconveniences for its sake
- how all of the above interact, and how likely someone is to take the advice given in a way that improves their security overall
The author of this article considered none of the above.
Copying an iPhone isn’t as straightforward as you seem to think. Copying data from a locked iPhone requires either an exploit or direct access to the SSD / memory chips on the device (basically, chip-off forensics, which likely requires bypassing the storage controllers), and I assume the same is true for Android devices.
I’m not saying such exploits don’t exist, but local police departments don’t have access to them. And they certainly don’t have the capability to directly access your device’s storage and then reassemble it without your knowledge.
Now, if your device is confiscated for long enough that it could be mailed off to a forensics lab for analysis? Sure, then it’s a possibility. But most likely if they want your data that badly they’ll either hold onto your device, compel you into sharing the info with them, or try to trick you into giving it to them. Hanging onto your data without a warrant for over a decade is a high risk, low reward activity.
Your data’s more vulnerable to this sort of attack in transit.
There are multiple takes on this, ranging from “tea bagging is fine” to “tea bagging is sexual assault” - see https://gamerant.com/teabagging-sexual-assault-controversy-explained/ for a rundown. I fail to see how allowing people to opt out of it would destroy any form of culture.
TBH I think seeing it as not at all rude makes you the exception. It’s clearly intended to be rude, to put your opponent on tilt, and most gamers get that.
Terrible article. Even worse advice.
On iOS at least, if you’re concerned about police breaking into your phone, you should be using a high entropy password, not a numeric PIN, and biometric auth is the best way to keep your convenience (and sanity) intact without compromising your security. This is because there is software that can break into a locked phone (even one that has biometrics disabled) by brute forcing the PIN, bypassing the 10 attempts limit if set, as well as not triggering iOS’s brute force protections, like forcing delays between attempts. If your password is sufficiently complex, then you’re more likely to be safe against such an attack.
I suspect the same is true on Android.
Such a search is supposed to require a warrant, but the tool itself doesn’t check for it, so you have to trust the individual LEOs in question to follow the law. And given that any 6 digit PIN can be brute forced in under 11 hours (40 ms per entry), this means that if you were arrested (even for a spurious charge) and held overnight, they could search your phone without you knowing.
With a password that has the same entropy as 10 random digits, assuming no further vulnerabilities allowing them to speed up the process, it could take up to 12 and a half years to brute force it. Make it alphanumeric (and still random) and it’s millions of years - infeasible within our lifetime - it’s basically a question of whether another vulnerability is already known or is discovered that enables bypassing the password entirely / much faster rates of entry.
If you’re in a situation where you expect to interact with law enforcement, then disable biometrics. Practice ahead of time to make sure you know how to do it on your phone.
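Added example, not part of the original comments: the passphrase and passcode comparisons made in the comments above (bits of entropy per scheme, and worst-case brute-force time at the quoted 40 ms per attempt), worked through in Python. The scheme labels, function names and the dice-key helper are assumptions made for this illustration, and the figures hold only when every character or word is chosen uniformly at random.

```python
import math
import secrets

GUESS_SECONDS = 0.040  # 40 ms per attempt, the rate quoted in the comment above

# (label, equally likely choices per position, positions) - labels are illustrative
SCHEMES = [
    ("6-digit PIN", 10, 6),
    ("10 random digits", 10, 10),
    ("10 same-case alphanumeric", 36, 10),
    ("9 mixed-case alphanumeric", 62, 9),
    ("10 mixed-case alphanumeric", 62, 10),
    ("4 words, 5-dice list", 6**5, 4),
    ("5 words, 5-dice list", 6**5, 5),
    ("6 words, 4-dice short list", 6**4, 6),
]


def entropy_bits(choices: int, positions: int) -> float:
    """Entropy of a secret whose positions are independent and uniformly random."""
    return positions * math.log2(choices)


def worst_case_seconds(choices: int, positions: int,
                       per_guess: float = GUESS_SECONDS) -> float:
    """Time to try every candidate at a fixed rate with no lockout or delay."""
    return (choices ** positions) * per_guess


def humanize(seconds: float) -> str:
    """Render a duration in the largest unit that keeps the number readable."""
    for unit, size in (("years", 365.25 * 86400), ("days", 86400), ("hours", 3600)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


def roll_keys(words: int, dice: int) -> list[str]:
    """Simulate dice rolls with the OS CSPRNG; each key (e.g. '43146') selects
    one entry in a dice-indexed word list. The entropy above holds only if the
    words are picked this way rather than chosen by the user."""
    return ["".join(str(secrets.randbelow(6) + 1) for _ in range(dice))
            for _ in range(words)]


if __name__ == "__main__":
    for label, choices, positions in SCHEMES:
        bits = entropy_bits(choices, positions)
        worst = humanize(worst_case_seconds(choices, positions))
        print(f"{label:<28} {bits:5.1f} bits   worst case {worst}")
    print("dice keys for a 5-word passphrase:", " ".join(roll_keys(5, 5)))
```

The worst-case column assumes a fixed guess rate with no lockout or enforced delay, which is the scenario the comment describes; halve it for the average case.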
Honestly that’s a great analogy.
I worked briefly as a CSR and during training they made a point of telling us that people had been fired because of doing exactly that when the mute button failed. That was over a decade ago, but I wouldn’t expect increased reliability today.
More recently, a friend who is a CSR told me that their software mute buttons only prevent the audio from going to the customer, but it’s still recorded and can be grounds for termination if the call was audited. I introduced her to a microphone with a physical mute button but made sure she knew that it could also fail (or most likely, that she might be using a different connected mic, in which case the hardware mute would do nothing).
Office conferencing software also has a really bad record with their software mutes. I’ve had experiences with Teams, Zoom, and Webex where I’ve clicked mute, but wasn’t muted.
The mute button should be thought of as a feature for the person on the other line / the other people on the call - you’re reducing the noise so the focus can be on the conversation - not as a feature for your privacy. You can treat Private Games similarly - it’s so you don’t subject your friends to the thought of you playing sexually themed games, not so you’re guaranteed to be saved the embarrassment of people knowing that you’re playing them.
This is a very surface level overview of the frameworks it covers. The title is a bit of a reach, as it wouldn’t give anyone enough information to make a more educated decision about which framework to use.
Are you the author? I think it could be improved by including:
- metrics - number of apps that use each, number of job offerings, github stars
- who backs each project, and how much can we trust them to continue developing it in a way that’s friendly to developers
- for React specifically, a bit more info on the prominent frameworks - Next.js, Vite, Gatsby, CRA/CRACO, or ejected CRA - since the difference between them is substantial
- a high level description of the use case that the framework is designed for, as well as use cases where it isn’t well suited or has drawbacks.
- how does the development experience differ? Is there a lengthy build step? Does it offer hot reloading? Does it come with a built-in linter or integrate easily with one?
- Does it have a bundled testing framework, and how does that compare to other offerings? For example, CRA comes with jest and it can be a pain to configure jest to properly handle all of your dependencies - it doesn’t use the same build pipeline as your app and will fail if you’re using newer dependencies that use import statements instead of module.exports and you don’t individually configure each one. Vitest, by contrast, uses the same build pipeline as Vite.
- Ease of writing unit tests, component tests, and e2e tests (even if that means pulling in another library)
- ease of use with or without typescript
- some more substantial example apps per framework, like a to-do list that uses a simple API (preferably the same API in all cases). Currently the examples don’t even show what the code looks like with basic styling
If you are the author, I saw your article on Typescript and would also like to say that you can configure your linter to not warn about using `any`. There’s even a `no-implicit-any` rule that you can use if you only want explicit `any` types but don’t want, for example, responses from API calls to have that type by default.
There’s YaCy, which includes a search index (which can be independent or can join a P2P network of indexes), web crawler, and web ui for searching. It can also be added as a SearXNG engine.