groet

joined 1 year ago
[–] [email protected] 13 points 6 months ago (2 children)

No. It's not a magic invisibility field inside. It's a magic object that works only on living "intelligent" creatures. It also doesn't work the same on different races. Only humans (hobbits are a subtype of human in Tolkiens lore) turn invisible. And because it's magic it also turns their clothing etc invisible. So either Frodo and his poop is invisible or nothing is.

[–] [email protected] 3 points 6 months ago* (last edited 6 months ago) (1 children)

I have set it up in a way where all the packets have to go through their VPN and if they don't, they get dropped before they leave my PC.

That is the function of a firewall and not of the VPN. As I understand portmaster it does both. But that is not normal VPN behavior.

VPNs are not magic. They are a piece of software that encrypt traffic and send it to a special server. They do that by creating a virtual Internet connection (think like pluging in an additional Ethernet cable or connection to an addition WiFi at the same time). Everything that is sent through the virtual connection is encrypted. Your system now has (at least) two valid Internet connections (one real and one virtual). For every packet it sends it needs to decide which connection it should send it from. This is decided by something called the routing table. When you start the VPN it will put two routes into the table.

  • traffic going to the VPN server goes through the real connection (so the encrypted VPN traffic is routed correctly)
  • everything else goes through the virtual connection (the VPN tunnel where it gets encrypted)

The attack described is a way how a network router can add a new route into your devices routing table to basically override the second route from the VPN. The route is still there, there just is another one that has a higher priority.

A VPN is not the ultimate authority over your network traffic. It is just another program sending and recieving taffic.

[–] [email protected] 13 points 6 months ago

There is a famous experiment , where a person gets 100$, and have to offer an arbitrary percentage of that to a stranger. If the stranger declines, both get nothing.

From the strangers perspective, getting offered even 1$ is a win, but the vast majority rejected anything below 30%

[–] [email protected] 8 points 6 months ago (1 children)

By design nothing in the chain can be altered. But of course you could have a block indicating "person X is now person Y". But you can always read that Y was at some point X (and at what point the change happened). That would not be good, as it would be a public ledger of all trans people. It would also make things like witness protection impossible because inserting a block "today in 2024, person W was born in 1974" is very suspicious

[–] [email protected] 53 points 6 months ago* (last edited 6 months ago) (18 children)

pizza

microwave

I don't think the mushrooms are the problem in that situation

[–] [email protected] 1 points 7 months ago (1 children)

If you want any system to connect to you, you need to open a port. You don't need to do that for outgoing connections (the OS and your router will automatically open ports for the return connection). So if everybody connects to one central system, nobody needs to (explicitly) open any ports (except for the central connection point)

[–] [email protected] 6 points 7 months ago (7 children)

Most VPNs use UDP. So set up a wireguard, tailscale or openvpn.

But you still need to "open up the firewall". UDP still works on ports the same way as TCP. I do agree however, that exposing a VPN port is more secure than exposing a port for a game server, as you don't know about the security of that server software.

[–] [email protected] 3 points 7 months ago (1 children)

Can you verify the software running on an instance is the same as the one in the source code repository? You can't. Can you verify the instance isn't running code to read passwords from your login requests even if the code is the original open source code? You can't.

That's why (and for other reasons) you should never use a password for more than one site/service/instance.

Lemmy admins (admins in the Lemmy application) probably can't read your password. But everyone with admin rights on the server operating system can.

[–] [email protected] 24 points 7 months ago (1 children)

Absolutely. But MS chose to go the evil route again and ask right when you want to open a link. In that situation users want to open a link and not choose browsers so they are more likely to click on edge. It is deliberately annoying which is what op is angry about

[–] [email protected] 11 points 7 months ago (1 children)

Well maybe it's multiple choice.

  • "Dong, beard broad shoulders"
  • "Tits, hips, smaller waist"
  • "Character deleted on death"

Choose any combination you want

[–] [email protected] 13 points 8 months ago (1 children)

The thing that confused me when first learning about docker was, that everybody compares it to a virtual machine. It's not. Containers dont virtualize anything. They take a (single) process from the host OS and separate that into its own environment. All system calls, memory access, file writes etc are still handled by the same os (same kernel). However the process is separated both on the file system and process level. It can't see other processes outside of the container and it also doesn't see the real filesystem. It sees a filesystem provided by the container. This also means it sees different file and user permissions. When you run a alpine Linux docker container on an Ubuntu system, the container only containes the (few) files for alpine but no Linux kernel no desktop environment. A process inside that container only sees the alpine files and not the Ubuntu files. It also means all containers see a filesystem independent of each other and can use libraries and dependencies of different versions (they are only files after all).

For administration it makes running complex services easy. You define how to setup that service (what base Linux distro to use, what packages to install, what commands to run, and how to start the process). You can then be save to assume the setup of that service did not interfere with the setup of any other service. "Service 1 needs a certain system wide config changed? Service 2 needs that config in the default state? And both need a different version of the same library?" In containers you can have all at the same time because they each see a different version of the same config and library.

And all this is provided by the kernel itself. All docker does is provide an "easy" way to create and manage containers but could could do all of that using chroot, runc and a few other.

As a note, containers usually don't come with systemd as they don't need an init system. You would run the service directly inside the container and then use systemd outside the container to make sure the container is started/restarted, or just docker as it can already do that.

I found a great article demystifying containers recently

view more: next ›