Aussie living in the San Francisco Bay Area.
Coding since 1998.
.NET Foundation member. C# fan
https://d.sb/
Mastodon: @dan@d.sb

  • 0 Posts
  • 188 Comments
Joined 3 years ago
cake
Cake day: June 14th, 2023

help-circle

  • Does it use http or MQTT?

    Home Assistant uses HTTP for this. Realistically, you won’t see much difference between HTTP and MQTT for this use case.

    MQTT is harder to secure than HTTP, and has some limitations (eg it normally only supports username and password auth - no SSO, no 2FA) so I’d avoid it for anything public-facing unless you have a specific reason to use it. Using it via a VPN is fine, but you’d still need to configure a separate MQTT username and password per user.








  • The end goal is to have no reliance on tailscale as i am preparing for the eventual enshitification.

    Tailscale is mostly open-source. If they do anything bad then someone could fork the project. The coordination server isn’t open-source, but you could self-host Headscale as a replacement.

    If it still doesn’t suit your use cases, there’s some alternatives.

    I personally wouldn’t directly deal with iptables or nftables rules, and instead use some other software to deal with that.





  • businesses not paying their employees enough to make a living.

    The thing I don’t understand is that even in states that have better minimum wages, the same tips are still expected.

    California has the same minimum wage for both tipped and non-tipped jobs, yet one person working a minimum wage job can be paid significantly more than someone else also working a minimum wage job, just because they work in a position that’s customarily tipped.



  • npm is finally going to disable postinstall scripts by default in the next major version at least, copying what other JS package managers like pnpm do. They also added a setting for minimum age (only install package versions that are at least X days old) which is meant to help too - the idea being that malware will have been detected and removed before anyone installs it.

    People use third-party Linux package repos all the time though, and they have similar attack vectors. If I can convince you to add my Debian/RPM/whatever repo, I can create a package with the same name as a common one but with a newer version number, and apt upgrade will happily replace the official package with my malicious one.

    This is intentional for several reasons (e.g. deb.sury.org has PHP packages that replace the official Debian ones) but I’m really surprised we don’t see more supply chain attacks via third party deb/rpm repos.

    Maybe it’s because the barrier to entry is higher? With a custom deb repo (either self-hosted or using something like Packagecloud or Ubuntu PPA), you need to create the repo, create Debian packages, add them to the repo (eg using Aptly), GPG sign the repo, and convince people to add the repo. npm is just one repo with everything in it.






  • All the data gathered by Cambridge Analytica was gathered through the public API though, after users had consented to share it (by logging into a quiz app that requested the permissions). That’s why the API is very locked down now, and the approval process to get any sort of data access is very strict.

    The main issue was that they gathered data from people whose profiles were set to be visible only to friends. If someone logged into the quiz and granted permissions, their friends’ data was also accessible via the API.