Good example. It’s true that an even a GET request not designed to mutate data might still fail to validate input, allowing a SQL injection attack or other attack that escalates to the privileges that the running app has.
Good example. It’s true that an even a GET request not designed to mutate data might still fail to validate input, allowing a SQL injection attack or other attack that escalates to the privileges that the running app has.
Immich has a whole set of end-to-end automated tests to ensure they don’t accidentally make public any URLs they went to be private:
https://github.com/immich-app/immich/tree/main/e2e/src/api/specs
As a popular open source project, that would be e glaring security hole.
Using this proxy puts the trust in a far less popular project with fewer eyeballs on it, and introduces new risks that the author’s Github account is hacked or there’s vulnerability in he supply chain of this docker container.
It’s also not true that you “never need to touch it again” . It’s based on Node whose security update expire every two years. New image should be built at least every two years to keep to update with the latest Node security updates, which have often been in their HTTP/HTTPS protocol implementations, so they affect a range of Node apps directly exposed to the internet.
Yes, there are broken uses of the HTTP protocol verbs where filtering to GET won’t work.
A simpler way to protect a private service with a reverse proxy is to only forward HTTP GET requests and only for specific paths.
It’s extremely difficult to attack a service with only GET requests.
The security of which URLS are accessible without authentication would be up to immich.
I think you may be looking for a programmable keyboard.
With one, you can have arrow keys on the home row like vim, and make other universally recognized keys easy to reach including Home, End, PgUp, PgDn, App (right click), and all the modifiers. Some also build pointing devices into the keyboard as well.
I primarily use the Unicorne by Boardsource.
That’s something! But it doesn’t raise any money from people with other VPN providers or who don’t want to buy a VPN service.
Counterpoint: for those who prefer split ergo keyboards, the internal keyboard on laptops is rarely used.
A tablet where you can bring your own weird keyboard to pair with it is better.
Signal does a decent job of encouraging people to make one-time or ongoing donations to the service. I’ve supported them multiple times because they gave me a prompt to do so.
I don’t recall Firefox ever asking for a donation or subscription.
Mozilla could have allowed people the option to subscribe for a modest fee in addition to giving it away for free, to diversify their income and be less dependent on Google, but they have not been trying that hard to develop other revenue streams.
Although, If I have my own Amazon referral link in my blog post and they replace the referral code in their feed, I would not be happy about that.
They could be injecting their own ads or affiliate links into the content.
For example, if a post links to Amazon.
I have not looked at the source code.
Interesting research project but it’s not Linux and doesn’t natively run Linux apps.
https://www.theregister.com/2024/02/21/successor_to_unix_plan_9/
The story hypes this to be a bit more than this is.
Framework sent a laptop to the lead Mint dev. He’s going to try make sure it works well with Mint, but it already does.
The more low key framing straight on the Mint blog is here:
Watching history repeat itself.
Date pickers that assume you have a 5 digit birth year.
There is a small LCD in the middle. This is a different brand, but the same idea.
I noticed they choose Fuzzel as the launcher / dmenu replacement. Me, too!
WhatsApp is a Meta business unit, yes.
And it has its own rules and policies for what is shared with other Meta business units.
Google has spell out the same. Just because you provide data like location to one Google service doesn’t automatically mean every other Google service can access it.
And they can’t just change their internal data policies however they like as some of this is governed by legal regulations.
Here’s a a story about how Google is not allowed to share data across business units without user consent, at least in the EU.
https://www.theverge.com/2024/1/12/24036312/google-digital-markets-act-services-user-data-opt-out
Here WhatsApp spells out what it shares with Meta:
This coverage provides an example of what is sent, and it includes neither MACs nor HDD serial numbers.
https://ostechnix.com/manjaro-data-donor/