I think wallabag is the self-hosted go-to for this, but I’m not sure of the extensions for it.

I used to use pocket because it allowed me to sync to my Kobo reader. Kobo have struck a deal with Instapaper and it works in a similar way.

The official instapaper plugin doesn’t do what In My Pocket does, unfortunately.

My LDAP PTSD is coming back…

I’ll make the following LDAP assumptions:

• LDAP directory is configured and available
• LDAP uri is configured and a lookup on system level is working and returns the correct POSIX uid/gid with LDAP query
• no POSIX conflicts on the client (no object in passwd has uid/uid 11004) I can assume this because the fail over is root
• LDAP search base is configured and returns expected POSIX values

And I’ll make the following postgres assumptions:

• pg_hba.conf is configured for LDAP server address, port, and search base
• postgres can instantiate and connect to its dbs using LDAP with ldap

Finally, I’ll assume that your nfsv4 mount is active and that POSIX operations work at Pam - level tests.

The line

group:      files [SUCCESS=merge] sss [SUCCESS=merge] systemd

Seems weird to me; either you add success clause to both uid and gid, or none, but not one and not the other.

This would also hint that Pam has not been updated to use LDAP.

That’s where I’d start.

Side note: LDAP is by default unencrypted on the wire, so to complete this exercise, you may want to setup secrecy on the server. This is especially important for db creds.

Yes. Proxmox isn’t doing anything magic another Linux machine (or windows for that matter ) can’t do. A router, for instance, is a good example of this.

Sorry, that was presumptuous of me. ‘TCP stack’ just means each container can have its own IP and services. Each docker, and in fact each Linux host can have as many interfaces as you like.

I imagine you would get a conflict when you try to go to 192.168.1.2:8000 or even localhost:8000.

You’re free to run a service on port 8000 on one IP and still run the same port 8000 on another ip on the same subnet. However, two services can’t listen on the port at the same ip address.

I just tried a few fonts on my old Kobo, as I’ve done a few times here and there, and I always end up back with a serif font. I’m not sure why, but I have suspicion that reading paperbacks and newspapers before ereaders existed has trained me to read faster with serif fonts.

mkvmake pulls the Forced flag from its source, so it’s likely that your DVDs have a set flag for certain subs. You can use mediainfo to check this on your mkv files.

Mkv is simply a container format, which means you can probably unset the forced flag with mkvmake directly without having to unpack all the streams and remux them.

Handbrake is amazing, but it does have a LOT of controls, so there’s only so much hand-holding it can do when you start looking behind the curtain of how av files work.

You will still have to make sure that port numbers don’t conflict

I’m sure I read you’re comment wrong, but you are aware that each docker container has its own tcp stack, right?

Context, man.

If you’re looking for something, use more words. If you’re x11/Wayland trolling, this is weak.

Sure, but if the compromise stays within its own app, like for a browser, sandboxing won’t help.

The bulk, and I mean like 95% of the compromises I see are normal employees clicking on things that “look legit”.

Excel is now wrapped in a browser. Discord, almost all work apps are all wrapped in a browser. So you can be completely locked down between apps like grapheneos, but if you are choosing to open links, no amount of sandboxing is going to save you.

This is why we deploy knowbe4 and proofpoint, cause people are a liabilities, even to themselves.

Sure, but op chose to follow a link. You can be sandboxed to high heaven and still get pwned if you make choices like that. Discord is particularly rife with this.

OK, I’ll bite… How exactly?

Yep.

I was hoping not to sound too harsh, I’ll have to work on that.

You aren’t going to like this:

Because if you got yourself pwned by a malicious link in discord, your account highjacked, etc., then having discord in a vm, container, chroot, jail, or whatever won’t help you on the server-side api abuse that got you pwned. In this case, you yourself should have been more vigilant.

From your article, and with respect, I think its nice you’re thinking more about security, but you’re mixing up quite a few concepts, and you should probably make smaller moves toward security that you actually understand, instead of going all-in on qubes with only a vague concept of the difference between sandboxing and paravirtualization.

The idea itself is fine (not getting into how not cool it is that a vendor holds the key to your bitlocker-encrypted disk once secure boot is turned on).

But so is WEP for WiFi, but no one uses that anymore because it’s considered compromised.

some are

65% of all TPM keys is “some”, I suppose. But that’s not the issue. Keys leak, it happens. The more troubling part is that Microsoft will cheerfully use the leaked key on your affected TPM and you’ll get the “safe” check mark in your next audit.

And this was warned about in 2011 when it started rolling out.

As for FUD, I don’t have a “fear” angle here. I can’t tell you how to live your life, use secure boot if you feel safe doing so.

I don’t understand… Your motivation for a secure operating system was from an incident where you were nearly social engineered? How will a “more secure” os help you with that?

If everyone has a copy of my passwords and authenticator keys, that wouldn’t suddenly make 2 factor auth a compromised idea.

Not sure how this relates. If you’re saying it was a good idea at the outset, then sure… If the keys hadn’t almost all been leaked by AMI and Phoenix. MS was supposed to have created a Microsoft Certified hardware vendor program for this, which fell apart pretty quickly.

Secure Boot is a joke, both practically (there are many, many tools in use to bypass it) and in my professional circles, it is considered obsolete like WEP. My audit controls for Secure Boot demand that an endpoint management solution like InTune is deployed.

You don’t have to take my word for it, obviously. I’m not trying to tell you how to live your life.

Secure Boot keys are considered compromised.

https://arstechnica.com/security/2024/07/secure-boot-is-completely-compromised-on-200-models-from-5-big-device-makers/

If you are recommending secure boot as a security measure, you should stop doing so.

Thank you!

Thanks.

For severe incidents like this, please post the most appropriate link, in this case https://github.com/umami-software/umami/issues/3852

Admins in self hosted usually don’t have that much experience with real, active compromise and may panic, let’s help them as much as possible.

I will add that Umami itself is not compromised, but vulnerable. That is a somewhat misleading title.

What was the vector? Did you have umami exposed publicly?

Link? Did you discover this yourself? There is no actual info here.