The tech giant says the system only analyzes hand-movement points from a short video, does not record audio, and deletes the footage after verification.

It’s just a short video guys, there’s even no audio! And they pinky promise to delete it.

What a fucking shitshow that is. Like, honestly, I’m fine with regular captchas, even if they are the shitty ones. The newer (?) captchas that force you to do solve 5 bullshit “place this there” captchas are already reason enough for me to just leave the site. But if you force me to record a video of me throwing gang signs at the camera, probably several times again, because the movement was not correctly identified, I’m sure as fuck to never visit anything related to you ever again.

I also love the irony that Google fights people bots, while they are scraping the whole internet and investing into AI automation massively.

I fully agree with you: it’s NOT easy. And you must understand what you do. It’s not just deploy a container and run happy.

This is literally what you’ve called misinformation.

Again, not everyone is self-hosting only for learning and experimentation only. Making a deliberate call that mailing infra might be too hard might be too hard, have too big of a knowledge gap, or is simply not worth the effort is something I’d call more serious than hardlining on “self host everything or stay on gmail”, especially in the case of mailing, where it’s pretty much impossible to self-host on your own hardware / network.

Full instructions do not reduce any effort or resources involved or complexity of the problem. And the problem is that you’re suddenly moving from “I’m hosting a few services” to being balls deep in networking, dns, and a deceivingly easy protocol which blows up in complexity due to being federated and absolutely dominated by big providers at the same time, and all of the extensions for security.

Except for learning, self-hosting serves a purpose. You might want privacy, you might not want to be dependent on corpo infra or external services at all, you might want to host something that offers something more or better than a SaaS solution - but first of all, it needs to work. For mail, you gain none of those. Self-hosting on your own hardware (or rather network) is pretty much impossible, so you’re reliant on a hosting provider at least. There is basically zero difference in functionality between mailing servers or providers. Sure, you’ll run into problems when copy pasting instructions, but those problems will break the service. Fucking up your DNS or networking will break your whole server. At the same time, while failing silently it will costs a magnitude of effort more than most other usually self-hosted services.

Because it works for you, doesn’t mean it’s easy. If you have the experience, and done it at least once successfully, it’s “easy”. Compared to the average self-hosted configure and run a docker image and reverse proxy it’s objectively harder to run.

The issue is not running the individual components or servers, but that there’s infrastructure and to some extent crypto involved, which is just outside of the comfort zone for many. You tried to host it like any other thing on your homelab? Nope. Has your VPS been involved in spam? Enjoy the blacklist you’ll never find out about and the debugging why it doesn’t work. No experience in managing your DNS? Have fun getting DMARC/DKIM/SPF to work.

Theres just way more stuff that needs to be done, and a lot of it will fail silently.

Use at your own risk.

What an amazing conclusion, and the best part is, no matter what you’ve been waffling about before - it’s always right. Can we stop calling random things AI slop and telling to be careful bEcAuSe iTs Ai sLoP, and back to being cautious until something has been reviewed properly? Being careful with random stuff from GitHub you install and run in your private network?

Your whole comment may have been AI slop as well. “From a quick glance at the repo”, you should be careful! Thanks, Sherlock.

My interpretation was OP isn’t necessarily the target here, but a victim of some Windows hack spreading around their shared network. It’s possible the whole network was “worth” such attention.

Yeah, it might be that another system in the network was the initially compromised system, but I’m questioning whether Windows malware would be able to spread over wine to a unix machine to actually cause damage there. But that’s an attack vector I literally have zero idea about, just kinda seems suspicious.

And yeah, everything in OPs story is absolutely plausible, but it’s more of a gut feeling given the provided information that it just feels off. I might be fully in the wrong here, and they’re the unluckiest random person to ever have touched a unix machine, I don’t know. Definitely curious how this will develop though.

Something about this post is weird as fuck and some part of this story is missing for sure.

First of all, routine scans with ClamAV. Why are you routinely scanning your system, and what’s your expectation here? In most cases system compromise happens by executing something malicious or by exploiting something on your system, For the former, an active background scanner would help, but not a routine scan, and it’s easier to just not execute suspicious stuff. For the latter, your routine scanning is worthless.

Then the compromise over a WINE DLL seems something between borderline impossible on one hand, and like a very targeted and handcrafted attack on the other hand. Sure, wine is not a sandbox, but seeing this as the point of entry for a full blown persistent RAT is weirding me out massively.

Lastly, “them” setting up seemingly good persistence on your system, yet not hiding any indicators of compromise, and then nuking everything when they are seen. Why that effort? Either set yourself up for the long run and hide, or when detected just say “eh, whatever”. This also seems weird, since on one hand there’s indication for a professional, targeted attack, and other points sound more like rookie script kiddies.

Lastly, you. You seem like a pretty confident user while getting hit like that. It just feels off.

I’m not claiming you’re lying, and I couldn’t blame you for leaving information out because of opsec. But everything about this story feels off. I kinda assume that you’ve been actively targeted, and you should ask yourself why. What information or access do you have? How have you been pwned that “easily” and where did that DLL come from? How was it placed and executed?

The easiest way would be to set up caddy to use acme on the servers, and never care about certificates again. See https://caddyserver.com/docs/automatic-https.

If you insist on your centralized solution, which is perfectly fine imo, just place the certificates to a directory properly accessible to caddy, and make sure to keep the permissions minimal, so that the keys are only accessible by authorized users.

If the certificates are only for caddy, there’s no reason to mess around in system folders.

In all honesty, the constant rambling against any service provider when something goes wrong is tiring. as. fuck.

“I’m not using anything, I’m self-hosting everything and no cloudflare can take ME down!” - hot stuff buddy, let’s talk again when at some point you’ll have something interesting and get hugged to death. Or when something of your diy self hosted stack breaks or gets taken down by an attack.

“I’m not using (big company name) but (small startup name), and I’m not having any issues!” - wow, great, obviously the goal of the company is to stay as small as they are and supply your service. Let’s talk again too, when at some point your friendly startup gets sold, or grows more. Oh btw, smaller company usually also means less resources.

“That’s all because they are using centralized services, we need to federate everything to not have a single point of failure” - federation alone won’t help if the centralized service has several magnitudes of resources more. Any single cloudflare exit node can probably handle several times the load of the fediverse. We’ve seen lemmy instances go down all the same, and this will happen with any infrastructure.

I’m not supporting big companies having that much market share and the amount of control over the Internet as a whole that they have. But, have at least some respect from a technical standpoint for the things they’ve built. I’d say way over 80% here haven’t seen infrastructure, traffic and software on a scale that’s even remotely close to the big players, but are waffling about how this or that is better and how those problems should be solved and handled. Sit the fuck down.

No matter how well reasoned, allegedly fit for purpose or how much something pretends to be it, we shouldn’t be trusting those promises, especially not from people we don’t know. That does not end well neither for the free candy van nor for cybersecurity. Trust like that has been responsible for a lot of attacks over varying vectors and for projects going wrong.

On the other hand, detrimental reliance is a tort and if someone is relying on an app for a specific safety function, the app could be civilly liable if it fails it’s function in some way.

Yes, if the app would be any kind of official tool.

Imagine if you had this attitude about an insulin use tracker/calculator, that sometimes gave wildly wrong insulin dose numbers.

Yes, and that’s why regulations for those kinds of things exist, that prevent those things. There is no regulation for the ice tracker.

Maybe down the road, it’s decided that aiding and abetting ICE is a crime, and providing misinformation intentionally or unintentionally is a criminal act. App developer dude could be criminally liable if he knew or ought to have known he had vulnerabilities. You know, in your New Nuremberg trials that you are going to get sometime in the next decade or so.

If down the road a regulation would happen for, app developer dude would be forced to either comply or to stop operations.

So fucking what? He is not being paid in any kind, and anything he does on that project is volunteer work. If he was not able to do anything on that project due to regular work, vacation, personal issues, or the simple fact that he didn’t want to?

If you don’t pay for a service, you don’t get to decide what people do, deal with it

Honestly, apart from the report being potentially wrong, the researcher seems pretty entitled as well. Like good intentions and all that, but he’s given him a week to fix the issue, usual practice in responsible disclosure are 90 days. We’re not talking about a company here, it’s some single random dude providing the app.

This really sounds like some personal issue written down for public drama, while making himself ridiculous for not knowing his own shit properly.

Unless there are those who need certain words for their jobs, I can kinda understand why Microsoft wouldn’t want emails from work addresses to go out with political agendas… for either side.

Sure. Then block both sides, and not only the one not bringing you money.

Work emails should just be about work. Too many people use their work emails like a personal email… with their banking, shopping, etc. That’s what personal email addresses are for.

No one uses their company email for their personal banking, simply for the reason because if you’d leave, you’d lose your access, and since most companies run behind firewalls, vpns, 2fa tokens and similar additional credentials, it’s simply harder to use.

This policy should go for many non-work related topics too. IT can unblock the words for certain users who need to use them for their job.

Of course, let’s waste resources to maintain idiotic blocklists that are out of date the moment they are rolled out, and additional resources to make the blocklist actually work. Palestine, p4lestine, pale s tine, p a l e s t i n e, paleztine. Need more?

You’re not at work for someone with this kind of unhinged mentality watching you working for 8 hours a day straight with no breaks and no distractions. You’re there to get your work done. In my current team, we’ve had the best ideas talking about our problems at the coffee machine. I personally focus best when I have music on. We’re doing sports together once a week on a company fitness incentive, which boosted our team dynamic massively. None of this would be possible in such a controlled environment.

Take the following with a grain of salt, it depends on your specific setup, environment and preference, but might help you:

Regarding system backups, and depending whether you need to run fedora, check out nixos, which takes a declarative file and builds your system based on that. Declarative immutable system, no moving parts, no breakage. If your system breaks, revert to a prior version and keep using what you’ve had before before retrying. Your backup is a git repo or whatever is keeping your handful of config files. Has been an absolute game changer for me, and the community and ecosystem around it is far beyond the point of quirky esoteric immutable distro.

VSCode has a powerful feature that I’ve yet to see in another editor/IDE - remote development, and it works really, really well. Spin up a VM however you like (I’d recommend checking out Vagrant), and depending on how much you need to do in windows either use the windows box as a remote run target (just running your built artifact in windows), or as a remote development box (running everything in windows and using your Linux VSCode as a “Frontend” for everything else happening in windows). Both methods can be made to work seamlessly in vsc.

Excel - again depending on your usage, you can try wine, you can use a VM, dual boot, M365 in browser, or a remote VM.

You probably just should let an AI generate that.

It’s not about being dumb and expecting stuff for free but a general anger towards subscription based models. Fair models exist and are possible, but are a collateral of the general hate.

Then, free alternatives exist, and believe it or not, some people do not have a tiny monthly fee they could spare or do not want to pay for something that a free alternative exists.

Threema tried exactly that, and failed comically.

Just as AI will replace developers, and then we have Devin. Also don’t forget the artists that will be replaced, that’ll happen just when it learns that humans have 5 fingers per hand.

It’s all marketing for AI, by the afaik currently biggest supplier of AI hardware.

The whole hype will implode when AI itself implodes, not as the AGI singularity, but when the resource costs spiral out of control, and its keeps getting its own generated glop spoonfed

So, you mean using a proprietary vendor to operate something binds you to that vendor? Congratulations, you’ve just discovered vendor lock-in.

“Obfuscating the environment” is also an absolutely unhinged claim, what even is that supposed to mean?

And again, Automattic is NOT in the right. What Automattic did was break license terms, attempt to extort, steal code, and light their whole brand, company, ecosystem and community on fire. Matt spit in the faces of his open source community (and open source in general), and every single person dependent on WordPress losing their job because of the shift he’s causing will be blood on his hands personally. Even if WP Engine was questionably morally or ethically, they did play by the laws and the license terms. Matt went on a mental breakdown and additionally to his unethical behavior broke several laws on that journey, which is exactly why he is losing the lawsuit. Matt and Automattic are NOT in the right.

To be fair, Matt is providing meltdowns regularly and totally free of charge. 😂

I’d laugh my ass off if WP Engine would lead a hard fork called WP Core. If any WP Engine folks read this, feel free to use the name, I won’t sue, I promise.