
It is unfortunate that there are so many Redis instances out there that are not only exposed to the public internet (330,000) but also don't have authentication configured (60,000). I'm guessing those folks probably didn't even realize their Redis was public.

There are so many tutorials out there for things like Docker Compose that cause people to bind a service to 0.0.0.0 with a port open to the public internet.


In hindsight, making the default listening address for port forwards in docker(-compose) 0.0.0.0 instead of 127.0.0.1 was/is such a pain point for me. Every time I work with it for servers, almost always it should not be directly exposed (usually services are behind a host-side NGINX reverse proxy).

It also likely has yielded far too many (unintentionally) open services, especially considering Docker's known firewall woes with bypassing existing rules.


I agree that it's a bad default. So is their iptables meddling when nftables exists.

However, can't you just use e.g. `-p 127.0.0.1:8000:80` since you're aware of the issue? Pretty sure both the CLI and compose support this.

What I do is to only use rootless docker/podman and then forward the ports with nftables rules.


Yes, that is also what I apply to compose manifests.

The problem is rather that it is always a deviation from defaults and IME can be easily forgotten/overlooked.

It was also a bit surprising at the beginning (listening on 0.0.0.0 and inserting an iptables rule that bypassed my ufw ruleset). Many services listen on 0.0.0.0 by default, but they rarely do it while bypassing the normal host firewall mechanisms.
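Because the loopback-only form is a deviation from the default that is easy to overlook, it is worth checking for mechanically. The following is an added example (not code from this thread or from Docker) in POSIX sh: it classifies a compose `ports:` / `-p` entry by whether the host side binds every interface, and it audits lines in the shape `docker ps --format '{{.Names}}\t{{.Ports}}'` prints; the docker ps sample it runs on is constructed.

```shell
#!/bin/sh
# Classify one docker "-p"/compose "ports:" entry: prints "all" when the host
# side binds every interface, "local" when a specific host address is given.
# Forms handled: PORT, HPORT:CPORT, HOST:HPORT:CPORT, HOST::CPORT, [v6]:HPORT:CPORT,
# each with an optional /tcp or /udp suffix. An unbracketed IPv6 host address is
# reported as "all" on purpose (conservative: better a false alarm than a miss).
port_spec_scope() {
  spec=${1%%/*}                       # drop the protocol suffix
  case "$spec" in
    \[*\]:*) host=${spec#\[}; host=${host%%\]*} ;;   # bracketed IPv6 host
    *:*:*)   host=${spec%%:*} ;;                    # HOST:HPORT:CPORT / HOST::CPORT
    *)       host="" ;;                             # no host address at all
  esac
  case "$host" in
    ""|0.0.0.0|::) echo all ;;
    *)             echo local ;;
  esac
}

# Read lines of `docker ps --format '{{.Names}}\t{{.Ports}}'` from stdin and print
# "<container> <mapping>" for every published port bound on all interfaces.
# Returns non-zero if anything was found, so it can gate a deploy script.
audit_docker_ps() {
  hits=0
  tab=$(printf '\t')
  while IFS="$tab" read -r name ports; do
    saved_ifs=$IFS; IFS=,; set -f     # split on "," and keep globs like [::] literal
    for entry in $ports; do
      entry=${entry# }                # the Ports column separates entries with ", "
      case "$entry" in
        *'->'*) hostpart=${entry%%->*} ;;   # published: HOST:HPORT->CPORT/proto
        *)      continue ;;                 # exposed-only entry such as 9000/tcp
      esac
      case "$hostpart" in
        0.0.0.0:*|\[::\]:*|:::*) echo "$name $entry"; hits=$((hits + 1)) ;;
      esac
    done
    IFS=$saved_ifs; set +f
  done
  [ "$hits" -eq 0 ]
}

# Constructed sample of docker ps output (not from a real host) used for the demo.
SAMPLE_DOCKER_PS=$(printf 'web\t0.0.0.0:8080->80/tcp, [::]:8080->80/tcp\nredis\t127.0.0.1:6379->6379/tcp\nworker\t9000/tcp')

if ! printf '%s\n' "$SAMPLE_DOCKER_PS" | audit_docker_ps; then
  echo "ports published on all interfaces found (see above)"
fi
```

On a live host, replace the sample with `docker ps --format '{{.Names}}\t{{.Ports}}' | audit_docker_ps`; a non-zero exit means at least one mapping is reachable from every interface.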


You can but the __default__ should be the safer option.

It's not only docker. ssh port forwarding also binds to 0.0.0.0 by default if `<local>` is missing.

```
ssh -L [<local>:]8000:remote:8000 hopping
```


ssh doesn't mess with your firewall though

To make these numbers meaningful, we would need to compare them to similar software installations on the Internet, like SQL databases.

That sounds like a bigger problem...

I think my text highlighting habit started in the late 90s when the prominent N64 website (what was the name of it??) would have text intentionally "hidden" on the page in the same color as the background, so you had to highlight to see it.


You might mean N64.com, which later evolved into IGN64/IGN


Yeah I think that was it!


I run it on my dev machine because that's what I run on my servers. Keeps things simple with the consistency.


> I've been wondering for a while what the alternatives are.

Raspberry Pi + Snapcast + Any speaker with an AUX input

I've got a few Pis hooked up around the house now to extra speakers, the home stereo, and even a .NET Snapcast client running on my desktop PC.

That setup plus Music Assistant has been awesome so far. No proprietary hardware or closed source software :)


Snapcast is really good. I use it too. And on a recent Ask HN thread, I saw that someone had implemented it for ESP32 chips, so now I will try that out too.


Have you tried using tmux?


Yes, I use them together; iTerm has a great tmux integration. Vanilla tmux does not have great UX (in my opinion).


Always create a backup or snapshot before any major media reorganization :)


And people keep looking weird at me when I tell them I strongly prefer ZFS on the desktop... I really wish it was more mainstream.


To be fair, we (myself included) look at you weird because the ZFS folks haven’t done a great job at extolling its virtues in a way that the average consumer can comprehend. It’s important to acknowledge that the vast majority of consumers simply don’t care about the underlying file system or its capabilities, even if they would benefit immensely from the features of something like ZFS.

It’s a problem of communications as much as it is vendor support. If you get the consumers wanting it, vendors will switch to it. Instead, right now we get companies like Apple reinventing the wheel via their own proprietary FS just to adopt some features of ZFS, rather than _just supporting and contributing to ZFS_.

Which means I get to anxiously eye the Synology with btrfs instead of resting easy with ZFS. It’s better than ext4, but I also know I’m the exception rather than the rule.


my middle name is danger


It really is an incredible resource, and Picard is a wonderful app. Very satisfying getting a library properly tagged! Takes a while, but totally worth it. Shoutout to ListenBrainz as well, their scrobbling service: https://listenbrainz.org/


If Linux people are interested in using ListenBrainz and can't find a player with a plugin for it (usually media players ignore it in favour of last.fm), I developed a generic scrobbler daemon that works well with it (also with libre.fm and last.fm): https://github.com/mariusor/mpris-scrobbler#authenticate-to-...


MPRIS is an under-appreciated standard and a great example of how different technologies on the open desktop should integrate with one another.

For example, there's <https://github.com/altdesktop/playerctl>, which can control any MPRIS-compatible client: VLC, web browsers, different music players, mpd (with a plugin), etc.

MPRIS can also be used to e.g. allow controlling playback without unlocking the screen - the screen locker itself doesn't need elaborate support, something as simple as slock could be hacked to recognise a key combo and call out to playerctl; more fancy login managers/lockers could talk DBUS/MPRIS directly and even e.g. display album artwork.

Unfortunately, the standard doesn't seem to specify a simple way to indicate whether video is being played back, which could be a saner way to inform the screen locker; the actual protocol to directly inhibit locking is unfortunately a little bit insane.

Read the spec, there's probably some interesting ideas to explore: https://specifications.freedesktop.org/mpris-spec/latest/


Funny you mentioned playerctl. Over time its scope expanded from a simple MPRIS-based control application into a full-blown library with various features unneeded by me. Therefore, as a starting point for the scrobbler daemon, I wrote the simpler mpris-ctl: https://github.com/mariusor/mpris-ctl, which does just the control and metadata-output parts that playerctl has and only depends on libdbus.

And concerning your last point, are you advising someone that built at least one MPRIS tool to read the spec? :P


> And concerning your last point, are you advising someone that built at least one MPRIS tool to read the spec? :P

The whole comment was for the general HN audience who might not be aware of MPRIS.

The general problem I keep seeing is silos; we've had the XDG standards/specs for decades, yet keep reinventing new, stupid, and broken ways to do things. Under X11 it was normal that every window got a border; under Wayland, GNOME doesn't want to adopt a protocol where a window can ask the compositor to paint a basic border, instead tells SDL to link against libadwaita. XScreenSaver has been telling apps to do "while sleep 60; do xscreensaver-command --deactivate; done" which worked well enough for decades; to "modernise" that, we have a DBus protocol which makes an app grab a cookie, and if it fails to return it (e.g. because it crashed) - the screensaver remains inhibited forever. Trying to use (or improve upon) a FOSS desktop is death by a thousand papercuts.

Thank you for your work.


Thank you for the clarification, sorry for the snark. :D


Cheating in online gaming is such a blight on the industry. Such a waste of time & money for every legitimate participant in the market, except for the groups making and profiting off the cheats, of course.

I still like my idea for a third-party reputation service that has consequences for not just one game but every multiplayer game participating in the program: https://news.ycombinator.com/item?id=28634784

I really do think it would make cheating non-existent, and allow developers to focus on building cool games instead of building invasive & ineffective rootkits we have to install just to play games online fairly.


At first I was optimistic that AI would greatly alleviate the issue here, but no dice.

As someone who was super competitive about the games they played (reformed, no longer play), I can tell you online cheating is completely out of hand.

There are cheats nowadays that don't even require software to be on your computer. You just put up a camera on your screen and an AI bot helps you by manipulating your controller (e.g., aim) - it really is a cat and mouse game and I don't think the issue in general will be resolved anytime soon.

I know there is an entire industry built around gaming and custom PCs, so this is a pipe dream, but I'd love it if, instead of all the time and effort that goes into supporting these rigs, the business models for consoles were optimized such that consoles could be top-of-the-line rigs with very strict upgrade paths. This is really the only way I can see us actually putting a dent into this problem.


For the longest time I have wanted what is essentially a PC-console where you buy signed parts that essentially work together as a console.

It would be a true "gaming pc" in the sense that it would really only be good for gaming with very restrictive hardware and software.


This is just called a "console"; they literally are just normal PCs with verified hardware.


That you cannot upgrade and are locked in to a single vendor that allows you to lease games from them. Not that.


You can now upgrade storage, peripherals, and monitor, and usually have at least a generation of backwards compatibility; the lines are blurring.

I can also get more than twice as many headshots if I plug in a mouse in place of a controller. When does that become cheating for people wanting to play from the couch?

Not sure if any vendor verified hardware program can avoid lockin due to economics, but it would certainly be nice.


Ah, signed parts. This is a great idea and a good compromise between what I mentioned and a full-blown console.

Would be great if they strictly enforced what versions of windows you were allowed to run.


That’s called a Mac.


> There are cheats nowadays that don't even require software to be on your computer. You just put up a camera on your screen and an AI bot helps you by manipulating your controller (e.g., aim)

I haven't paid much attention to that scene in a few years, but I'd be a bit surprised if things had advanced this far already. Do you have any names/links I might search about this?



> I still like my idea for a third-party reputation service that has consequences for not just one game but every multiplayer game participating in the program: https://news.ycombinator.com/item?id=28634784

So, essentially China's Social Credit Score, just for gaming... a bad idea IMHO, a really bad one.

For one, that centralized reputation service that actually has data linked back to government-issued credentials (ID cards, passports, ...) must be ridiculously secured, because it will be among the juiciest targets on the planet - be it trolls or deranged stalkers of either gender (although most tend to be male [3]), people are willing to go to ridiculous lengths to abuse fellow gamers, especially (large) streamers. Ordering pizza, SWATting, or even cases of rape and murder [1][2], all of that has happened. Give 4chan enough incentive and they will crack open anything. Or they'll just outright infiltrate the company, someone has to run it after all, and whoever has admin access, no matter the audits and internal controls, will find a way to exfiltrate stuff.

And even assuming the reputation service doesn't get hacked, the participant games are another target - this time, not for the data that's held by the reputation service, but for reporting "cheating" by the target person. Either technical bugs or infiltrating the customer service, both can yield results - game companies largely crap on code quality, even the biggest ones (remember Rockstar's GTA JSON bug lol), and customer service jobs are low paid and have high attrition, easy targets for infiltrators.

And then gamers themselves are also valid targets. Manage to get a piece of malware onto a streamer's computer that gets detected as a cheat, boom. And that's easy to do, RCE vulnerabilities crop up every now and then for major games (Minecraft for example had BleedingPipe and log4j, GTA had one in 2024 and in 2023).

[1] https://www.nytimes.com/2023/03/11/us/podcast-husband-killed...

[2] https://thelmaarose.wixsite.com/whattaweek/post/a-female-gam...

[3] https://www.businessinsider.com/twitch-streamers-are-being-s...


Bonus points if the TV guide is not interactive like they are today, but rather the old style that slowly scrolls at a fixed rate.


Perhaps in one case you are getting a slice of a machine that is already running, versus AWS powering up a machine that was offline and getting a slice of that one?


Yes, some internal (AWS operation) explanation like the one you suggest makes sense.

