Just some Internet guy

He/him/them 🏳️‍🌈

  • 11 Posts
  • 1.42K Comments
Joined 1 year ago
Cake day: June 25th, 2023



  • I wish it was more shareable, but it’s also not as magic as it sounds.

    Fundamentally it’s just a Linux install with some heavy customizations so that it does one thing only: boot Linux, and just enough prompts to get it online so that the VPN works, and download the root image into RAM that it boots into so I can SSH into the box, and then a bunch of Linux tools for me to use so I can reimage from there, or run a QEMU with the physical disk passed through so I can VNC into an install even if it BSODs.

    It’s a Linux UKI (combined kernel+initramfs into a simple EFI file the firmware can boot directly without a bootloader), but you can just as easily get away with a hidden Debian install or whatever. Can even be a second Windows install if that’s your thing. The reason I went this particular route is I don’t have to update it since it downloads it on the fly, much like the Mac recovery. And it runs entirely in RAM afterwards so I can safely do whatever is needed with the disk.


  • This is why every machine I manage has a second boot option to download a small recovery image off the Internet and phone home with a shell. And a copy of it on a cheap USB stick.

    Worst case I can boot the Windows install in a VM with the real disk, do the maintenance remotely. I can reinstall the whole thing remotely. Just need the user to mash F12 during boot and select the recovery environment, possibly input WiFi credentials if not wired.

    I feel like this should be standard if you have a lot of remote machines in the field.



  • The problem with this is the probability of your server being available for the next retry is fairly low.

    Usually some sort of exponential backoff is used so it might retry after 5 minutes, 15 minutes, an hour, 3 hours, 6 hours, 24 hours, 48 hours, give up.

    6-8 hours is probably too much for anything serious where you don’t want emails to just drop. It will work so if you’re just using it to sign up to sites and stuff, you can make sure your server is on to receive the verification emails and stuff. But I wouldn’t use it for anything important.
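
Added example, not part of the comment above or of any mail server's code: a small simulation of the retry schedule quoted there against a receiving server that is switched off for part of every day. Two assumptions: the quoted times are read as minutes elapsed since the first attempt, and the 00:00-08:00 outage window is constructed for illustration.

```python
from typing import Optional

# Retry offsets quoted in the comment, read here (assumption) as minutes
# elapsed since the first delivery attempt; after the last one the sender gives up.
RETRY_OFFSETS_MIN = [5, 15, 60, 3 * 60, 6 * 60, 24 * 60, 48 * 60]
DAY_MIN = 24 * 60


def server_up(minute: int, down_start: int, down_end: int) -> bool:
    """True if the receiving server is online at this absolute minute.

    The server is offline every day in [down_start, down_end), given in
    minutes past midnight; the window may wrap past midnight.
    """
    t = minute % DAY_MIN
    if down_start <= down_end:
        return not (down_start <= t < down_end)
    return down_end <= t < down_start


def delivery_delay(sent_at: int, down_start: int, down_end: int) -> Optional[int]:
    """Minutes until an attempt succeeds, or None if the sender gives up."""
    for offset in [0] + RETRY_OFFSETS_MIN:
        if server_up(sent_at + offset, down_start, down_end):
            return offset
    return None


def summarize(down_start: int, down_end: int) -> dict:
    """Try a message first sent at every minute of one day and tally outcomes."""
    delays = [delivery_delay(m, down_start, down_end) for m in range(DAY_MIN)]
    delivered = [d for d in delays if d is not None]
    return {
        "bounced": delays.count(None),
        "delayed": sum(1 for d in delivered if d > 0),
        "worst_delay_min": max(delivered),
    }


if __name__ == "__main__":
    # Constructed schedule: server switched off 00:00-08:00 every day.
    print(summarize(0, 8 * 60))
```

Under these assumptions, mail first attempted in the first two hours of the outage is never delivered, because the 24-hour and 48-hour retries land at the same time of day as the original attempt.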


  • Apart from automating the quick hop to LTE to turn it on, not really.

    Some VPNs stack two VPNs together, one that’s just to get on their network and the other being the real one. It helps a bit.

    Although the ones that care about evading firewalls are typically not bargain bin VPNs like AirVPN and IVPN, and typically don’t use WireGuard because it’s terrible at hiding. It’s very good, very secure and very performant, but it also doesn’t try to masquerade as just another website or some form of TLS protocol over port 443. The serious ones have things like WebSockets, ShadowSocks, meek, and whatever one works on China today. But do you really need that much? It’s usually the kind of stuff where you have to make a choice between performance and bypassing most firewalls.

    Sometimes OpenVPN will go through, because it can do that, so if the firewall isn’t too smart it will miss it. But if WireGuard works by just authenticating over LTE, eh, worth it.

    (And even then, if I was in charge of corporate IT and had to lock down the network to prevent exfiltration, you wouldn’t get any VPN past me, because I wouldn’t care about collateral I can just allowlist as it comes up. That’s a tradeoff places like Russia and China can’t quite afford.)



  • I mean you can make one without the metadata or phony metadata, it’s primarily used by software to validate you. It’s not like it validates any of the info. You can put RatoGBM@lemmy.world as your email if you want, good enough.

    The general idea is that a PGP key is an identity, not just a key pair. There’s plenty of non-PGP ways to make key pairs.

    It’s useful when other people look through their keyring, so I can easily find which key I’m looking for. People don’t usually go find your key every time you want to send a message, they import your key then specify the ID or email of the key to use which is usually automatic based on who you’re emailing. And then when you message back, they want their messaging client to be able to look up your key and validate it automatically. I’m not going to go browse my files to find your key again to verify every single one of your messages. And I’ll be messaging you at some email address or other identifier somewhere anyway, so the key ends up tied to a form of identity regardless.



  • Max-P@lemmy.max-p.me to Linux@lemmy.ml: Linux and being speedy
    5 days ago

    Linux encourages users to send patches while Microsoft is the sole company that can modify Windows.

    It’s very common to see patches from Google/Meta/Cloudflare/Amazon squeezing more performance for their particular use cases. That benefits everyone in the end.

    Microsoft on the other hand is more concerned about its enterprise sales and overall profits. So they don’t care that much. Windows 7 was horribly bloated, and they didn’t address it until Windows 8 because they had to, because they realized it was too bloated to run on their new tablet PCs so they had to do something about it.

    Apple cares a lot, because their thing is energy efficient fanless netbooks, and phones, and tablets. macOS and iOS are very close in how they work, so Apple has all the incentive to keep it efficient because their software will also affect the hardware side of the business. Microsoft doesn’t, it’s the hardware partners that get stuck dealing with it.

    The NT kernel is fairly good, it just doesn’t get the attention it deserves. Microsoft mostly adds features on top of older features, they never go in and be like “this sucks” and rewrite a feature, because that’s very risky to do and may break millions of applications and affect their bottom line. Linux doesn’t have to care about that.

    I’d say, if Windows was open-source, we’d have some pretty solid Windows distributions because the community would care to go in and fix a ton of bottlenecks that aren’t worth it for Microsoft as a company to even bother reviewing the patches let alone develop and test them. It’s much more lucrative for them to release AI crap like Copilot than make Windows 10% snappier. Because most Windows users are corporate people that make decisions based on marketing and business items rather than it being an enjoyable experience. Less frustrated users? Nah. More productive employees with crappy AI features that barely work? Hell yeah 🤑

    TL;DR: Windows sucks because Microsoft’s business interests don’t require Windows to be that good, merely good enough.


  • It’s definitely not perfect, but this also wouldn’t affect GUI apps because there’s no shell to send inputs into to run other commands. There’s also more container escapes than just that.

    But it’s an added layer of security regardless, especially if you’re not directly running software designed to escape the sandbox. A drive-by exploit in a browser, for example, is less likely to successfully escape because the stars need to align that you have both a vulnerable browser and a vulnerable kernel at the same time.

    The average credential stealer or NPM malware is likely to be contained and not even realize it’s in a sandbox. You have to get malware, and said malware has to be smart enough to exploit an unpatched CVE in your sandbox.

    But no it’s not perfect, the only way to safely run malware is on a separate physical machine with no access to your local network, and ideally with no wireless technology at all (to avoid WiFi/Bluetooth exploits). Even VMs can be escaped, there’s a few CVEs for that too, and of course the processor bugs.

    Security comes in layers, unless a layer is basically useless, it counts.




  • Not sure if Windows has that but I believe on macOS what happens is the app tries to record the screen, and if it fails macOS blocks the request and opens the security settings to enable the permission, and you have to restart the whole application for the permission to take.

    What’s done for Wayland is the portal system: applications can use portals to request access to specific things like screen recording, the DE does what it needs to do and it starts feeding the data to the application through the portal. It’s working fairly well, I haven’t had issues with those in a while. The application just requests what it wants, and the DE prompts the user (or auto-accepts the request), optionally remembering the choice as well.

    Generally the solution for X11 problems is to implement a modern API for it in either Wayland or as a portal. Which breaks old stuff, but once updated it works fine.

    The main obstacle is getting Gnome to agree to the protocols.




  • minSdk isn’t the same as targetSdk or maxSdk.

    You can target Android 14 and still support Android 1.5 devices if you really want to. Android will enforce that you use Android 14’s security features, but you can still use the old APIs just fine on older versions of Android.

    Android uses the target SDK to determine which restrictions to impose, because if you target Android 8 then your app can’t be aware of Android 14 features so it goes into compatibility mode. But the minimum SDK doesn’t matter, it’s just there to tell users of too old Android versions that the app can’t run.