Dark Arc

Plex is moving in the app direction… So Plex is probably moving away from what you want despite being one of the easiest options.

It would probably be helpful to know what you’re trying to accomplish beyond “what”. Like, why do you want to host your music and play it via a web browser.

IIRC telegram does as well

So, the web uses a system called chain of trust. There are public keys stored in your system or browser that are used to validate the public keys given to you by various web sites.

Both letsencrypt and traditional SSL providers work because they have keys on your system in the appropriate place so as to deem them trustworthy.

All that to say, you’re always trusting a certificate authority on some level unless you’re doing self signed certificates… And then nobody trusts you.

The main advantage to a paid cert authority is a bit more flexibility and a fancier certificate for your website that also perhaps includes the business name.

Realistically… There’s not much of a benefit for the average website or even small business.

So the local machine doesn’t really need the firewall; it definitely doesn’t hurt, but your router should be covering this via port forwarding (ipv4) or just straight up firewall rules (ipv6).

You can basically go two routes to reasonable harden the system IMO. You can either just set up a user without administrative privileges and use something like a systemd system level service to start the server as that user and provide control over it from other users … OR … if you’re really paranoid, use a virtual machine and forward the port from the host machine into the VM.

A lot of what you’re doing is … fine stuff to do, but it’s not really going to help much (e.g. building system packages with hardening flags is good, but it only helps if those packages are actually part of the attack surface or rather what’s exposed to the remote users in someway).

Your biggest risk is going to be plugins that aren’t vetted doing bad things (and really only the VM or using the dedicated user account provides an insulation layer there – the VM really only adds protection against privilege escalation which is pretty hard to pull off on a patched system).

My advice for most people:

• Make a new user on the system to run each game you want to run
• Run the game using systemd and that user
• Use something like kopia + the root user’s crontab (easier than systemd timers, but systemd timers also work) to backup the files on disk

For Minecraft in particular, to properly back things up on a busy server you need to disable auto save, manually force save, do the backup and then enable auto save again after your backup. Kopia can issue commands to talk to the server to do that, but you need a plugin that can react to those commands running on the server (or possibly to use the server console via stdin). Realistically though, that’s overkill and you’ll be just fine backing up the files exactly as they are periodically.

Kopia in particular will do well here because of its deduplication of baked up data + chunking algorithm that breaks up files. That has saved me a crazy amount of storage vs other solutions I’ve tried. Kopia level compression isn’t needed because the Minecraft region files themselves are already highly compressed.

So most dorms don’t want you using your own routers because a bunch of student routers causes A LOT of inference.

You should probably reach out not to the dorm folks but the university networking folks as they’re the ones that will ultimately make the decision on whether or not to turn things off/disconnect you.

A cheap networking switch would probably be okay by them to get some more wired connections in your dorm room (routers aren’t really a great way to do that).

https://www.amazon.com/Linksys-Business-LGS105-Unmanaged-Enclosure/dp/B00FV12VSW/ref=mp_s_a_1_1_sspa?crid=3PUXDK6TFLZIT&dib=eyJ2IjoiMSJ9.zm2b2eGNCSReGFJuUskv6-s3cUVDK12lfqOmf729Jjx1nw8mI07xRjx4RZCcnWDhplIUW-7IOfSn6R7TMu0yVy_k9hGXtOs0SNS7RO8sN4RI5aa_8-iwSOXz6biaUH5pE27eM8eYyBzJl9tkYxX4erfrbMwkWwhSrqIKQGOSqx1DQ1z5ZiDGCyQ_u0k8IhaN1Ra-Zpsr07cg-ZjJnDz6lA.iHHYMOhPc6OW0LmOOPkf8taxFxWnD5Sbwy_NxZwTQbU&dib_tag=se&keywords=network+switch&qid=1725717407&sprefix=network+%2Caps%2C186&sr=8-1-spons&sp_csd=d2lkZ2V0TmFtZT1zcF9waG9uZV9zZWFyY2hfYXRm&psc=1

As a secondary concern, using a router will cause a double NAT for all your connected devices (universities don’t operate in the way ISPs do). That could cause some weird networking shenanigans, particularly for anything peer-to-peer like online games.

A fact I struggle with on an almost daily basis…

True, though presumably users in those places would be stuck with the “less trustworthy” instances (and ideally, would be able to get their local laws changed to make themselves more trust worthy).

It’s definitely not perfectly moral… but little in the world is and maybe it’s sufficient pragmatic.

Yeah, BlueSky has this concept of user moderation lists. It’s effectively like subscribing to a adblock filter. There might be some things blocked by patterns (e.g., you could have one that blocks anything that involves spiders) and there might be others that block specific accounts (e.g., you could have one that blocks users that are known to cause problems, are prone to vulgar language, etc).

I think the problem with credibility scores in general though, is it’s sort of like a “social score” from black mirror. Real people can get caught in the net of “you look like a bot” and similarly different algorithms could be designed to game the system by gaming the metrics to look like they’re not a bot (possibly even more so than some of the real people).

This is kind of what lead me down the route of bringing things back into the physical world. Like, once you have things going back through the normal systems … you arguably do lose some level of anonymity but you also gain back some guarantees of humanity.

It doesn’t need to be the level of “you’ve got a government ID and you’re verified to be exactly you with no other accounts” … just “hey, some number of people in the real world, that are subject to the respective nation’s laws, had to have come into contact with a real piece of mail.”

Maybe that just turns into the world’s slowest UDP network in existence. However, I think it has a real chance of making it easier to detect real people (i.e., folks that have a small number of overlapping addresses). The virtual mailbox the other person gave has 3,000 addresses… if you assume 5 people per mailing address is normal that’s 15,000 bots total before things start getting fishy if you’ve evenly distributed all of those addresses. If you’ve got 3,000 accounts at the same address, that’s very fishy. Addresses also change a lot less frequently than IP addresses, so a physical address ban is a much more strict deterrent.

Hm… I’m not sure if this is enough to defeat the strategy.

It looks like even with that service, you have to sign up for Form 1583.

Even if they’re willing in incur the cost, there’s a real paper trail pointing back to a real person or organization. In other words, the bot operator can be identified.

As you note, this is yet another additional cost. So, you’d have say … $2-3 for the card + an address for the account. If you require every unique address to have no more than 1 account … that’s $13 per bot plus a paper trail to set everything up.

That certainly wouldn’t stop every bot out there … but the chances of a large scale bot farms operating seem like they would be significantly deterred, no?

How would you feel if it was an independent third party (kind of an OAuth flow) with a well established presence and data policy?

(i.e., one with a face and name that you could sue if they did something bad with your address?)

I’ve been thinking postcard based account validation for online services might be a strategy to fight bots.

As in, rather than an email address, you register with a physical address and get mailed a post card.

A server operator would then have to approve mailing 1,000 post cards to whatever address the bot operator was working out of. The cost of starting and maintaining a bot farm skyrockets as a result (you not only have to pay to get the postcard, you have to maintain a physical presence somewhere … and potentially a lot of them if you get banned/caught with any frequency).

Similarly, most operators would presumably only mail to folks within their nation’s mail system. So if Russia wanted to create a bunch of US accounts on “mainstream” US hosted services, they’d have to physically put agents inside of the United States that are receiving these postcards … and now the FBI can treat this like any other organized domestic crime syndicate.

Sorry for the late reply…

Calls and texts aren’t really a thing any more, and most people communicate through apps instead. That means that even without a phone, there’s a pretty good chance you can still be included if you have access to a computer at home.

I find this varies a lot within different social groups … some people I know use different apps some people don’t use anything other than SMS/iMessage and/or maybe Facebook messenger.

My friends and I definitely communicated with Skype and things like that. I just never really had the chance to “grow my social network” if you will as a younger teen. Like summer 2009 I did a summer gym thing (my school let students take gym in the summer before high school for the high school PE credits and lots of kids did) … if I had a cell phone there’s a good chance I might have made connections with kids that had interests other than “get on the computer and play video games (and associated ‘nerdy’ interests).”

So in my mind, this means that not providing a phone doesn’t cut them off, it just delays communication. That means they’ll have less of a chance to become addicted to all the SM BS, while still being able to be included in things. I think that’s a healthy boundary to set.

That could be fair; it just kind of depends on what their peers are doing. I’d also caution against artificially creating hard barriers that won’t be for them later in life. My parents didn’t lock the fridge they just said we couldn’t have ice cream more than one time a week. It was ultimately on us to be able to honor that agreement.

Of course that wasn’t a bullet proof “solution”, I’m sure we snuck some ice cream here or there … and I’m sure we got caught at least one. But, IMO that’s just part of being a kid and a couple of bowls of ice cream when we broke the rule didn’t hurt anything, the rule still did its job (keeping our diets tilted towards good).

That said, absolutely none of my friends communication during HS or my communication in college was productive. We didn’t “discuss homework” or anything related to school, we merely arranged hangouts and flirted, with a little gossip to round things out. I highly doubt things have changed much, because that’s just what kids do. When I was young, cell phones weren’t a thing, and my sister spent hours on the phone talking about nonsense with her friends. That’s just how teenagers work, if they’re talking to friends, they’re not talking about school work.

I think this varies too. Of what I remember of college, sure the vast majority of stuff was non-school communication. However, there definitely was communication over projects (especially if I was doing something with friends vs random people in class).

That said, I’ll certainly be paying attention as my kids get older.

I think this is the biggest thing. Like, nobody can tell you how to parent your kid and I’m not trying to tell you what’s right. I’m just saying, my parents took a hard line stance on this, based on some made up rules about what I should or shouldn’t have that was way different than what nearly every other parent was doing. I didn’t have the gumption (arguably due to a mostly unrelated, hidden, depression that my parents attributed entirely to “teenage angst”) to advocate for that access or ask for help and largely just accepted my situation as the best I was going to get.

rclone or rsync is probably better but see my reply a few comments down (the very long one) about protocol aware cloning vs just cloning things at the file system

They do have versioning: https://docs.syncthing.net/v1.27.7/users/versioning

Of course, you actually have to use that, it has to work, and you have to have a strategy for reverting the state (I don’t know if they have an easy way to do that – I’ve never used the versioned side of things).

I have had some situations where Syncthing seems to get confused and doesn’t do its job right. I ran into this particularly with trying to sync runelite configurations and music. There were a few times I had to “force push” … and I vaguely recall one time where I was fighting gigs of “out of sync” in both directions on something and just destroyed the sync and rebuilt it to stop … whatever it was doing.

Don’t get me wrong, it’s a great tool for syncing things between computers; but I would not rely on it for backup (and prefer having a backup solution on top of the synced directories). There are real backup tools out there that are far better suited to this sort of thing. I suggested Kopia, you should get some integrity checking using its builtin sync (as it won’t be able to figure out what to sync if your origin is corrupted); you won’t get that with a straight up rsync or a syncthing, they’re not application-aware enough to know they’re about to screw you over.

Restic has a similar feature but I’ve always found Restic’s approach much more frustrating and not-at-all friendly for anyone less than a veteran in systems administration. Kopia keeps configuration in the repository itself, has a GUI for desktop use that runs jobs for you automatic, automatically uses the secrets manager appropriate for your operating system, etc … Restic you kind of have to DIY a lot of basic things and the “quick start tutorial” just kinda ignores these various concerns.

Even if you plan to just use cron jobs, Kopia will do sane things with maintenance. Restic last I checked you still need to manually run maintenance tasks and if any job maintenance or otherwise fails, you need to make sure to unlock the repository (which if you haven’t set up notifications … well now you’ve got a silent backup failure and your backups aren’t running).

I just kept running into a sea of “oh this could be bad” footguns with Restic that made me uncomfortable trusting it as my primary backup. I’m sure Restic can be a great tool if used in expert hands with everything appropriately setup; but nobody tells you how to do that … and I get the feeling a lot of people are unaware of what they’re getting into.

The folks making Kopia … they seem like they really know what they’re doing and I’ve been very happy with it. We’re moving from rsnapshot to Kopia at work now as well (rsnapshot is also fairly good you’ve got a bunch of friends with NASes that support hard links and SSH, but it’s CHATTY and has no deduplication, encryption, data integrity verification is basically left to the file system – so you better be running ZFS – etc).

Duplicati’s developer is back too, so that might be something to keep an eye on … but as it stands, the project has been bit rotting for a while and AFAIK still has some pretty significant performance issues when restoring data.

You could use kopia for this (but you would need to schedule cron jobs or something similar to do it).

The way this works with kopia… You configure your backups to a particular location, then in-between runs there’s a sync command you can use to copy the backup repository to other locations.

Kopia also has the ability to check a repository for bad blobs via its verify function (so you can make sure the backups stored are actually at least X% viable).

Using zerotier or tailscale (for this probably tailscale because of the multithreading) would let you all create a virtual network between the devices that lets them directly talk to each other. That would allow you to use kopia’s sync functionality with devices in their homes.

Syncthing is not a backup tool and may very well destroy all your data on its own (though this is rare).

If you’re on Android there’s no hope for your soul. /s

(Written on an Android phone)

I think there were some social blunders and connections missed because I got a decent phone later than my peers.

I got my first basic phone (a phone which barely functioned and regularly crashed doing basic things) at 16 back in 2011(?) when many in my class had gotten a basic phone by 2008. By 2010, pretty much everyone had at least a basic phone, many had smart phones.

I wouldn’t write this off as an irrelevant issue in a world where so much connection is done through phones (even if you personally don’t believe you were all that affected). I do think my parents decision to delay giving their shy-ish child living in a rural area a good phone (solely because they didn’t have one when they were kids) was a bad decision.

Actually being able to keep up with people between classes, discuss homework, to have gotten some pretty girls numbers earlier on, etc … that could’ve really changed my high school and middle school (or at least jr high) experience for the better.

These things are like arguing about whether or not a pet has feelings…

I’d say it’s far more likely for a cat or a dog to have complex emotions and thoughts than for the human made LLM to actually be thinking. It seems to me like the nativity of human kind that we even think we might have created something with consciousness.

I’m in the camp that thinks the LLMs are by and large a huge grift (that can produce useful output for certain tasks) by virtue of extreme exaggeration of the facts, but maybe I’m wrong.

The concerning thing is… I can’t tell if you’re joking.