tal

@tal@lemmy.today

tal, (edited )

Help me choose a distro, please!

This is asking for trouble.

“Gentlemen, I am new to the country, and I was hoping that you could help me choose a political party.”

“I’m looking for a good text editor. What’s the best text editor to use?”

“I’ve heard that various religions have a lot of things going for them. Which religion do you suggest I join?”

Aside from very specialized distros (like, you probably don’t want Alpine Linux) most distros will work fine for what you want.

I use this machine for typical home usage: Firefox, a notes app (currently Notesnook), maybe office style tools like word and excel.

Firefox will run on everything. You can definitely take notes on anything, and there are tons of options. LibreOffice will be available for everything.

Steam,

Steam ships with its own set of libraries based on Ubuntu, and stuff targeting Steam will normally use them. It should be pretty distro-agnostic.

Discord

They apparently have a Linux app, which I’ve never used. The website should work fine anywhere. They have a “deb” or “tar.gz” and don’t specify any target distro for either. The deb probably is for Ubuntu, just because it’s the most-widely-used desktop distro that uses Debian packages, but I imagine that you’ve got good odds of it working on whatever. If you want to check, you could just throw a distro on a VM.

I don’t want it to ship with loads of applications; I want to choose and install all of the higher level tools. Shipping with a configured desktop is perfectly fine but not required. Ideally, I can have all of this while still keeping the maintenance low. I think that means a stable OS, a good package manager, stable/automatic updates, etc.

Everything outside of really specialized, oddball distros has package management.

All the major distros that I’ve used have options to do various forms of a stripped-down install. If you want to install a distro without anything graphical at all, you probably can.

You do have a differing release cycle; I’d probably tend towards a shorter one for desktop use. If you were setting up a ci server that you want minimal interaction with, you probably don’t care much about having newer software. But, again, distros tend to have at least options for a LTS release that just gets security updates, even if they have a pretty-frequent set of updates, like Ubuntu.

There aren’t going to be particularly “unstable” distros in the sense of crashing. Debian stable is aimed at being software that’s passed through multiple phases of experimental testing use and is considered well-tested; it’s just their normal distro. There’s no pixie dust that makes some distros less-crash-prone. If you’re really determined to have more testing, you can use an LTS release, which many distros do but I would not advise for a desktop, especially if you’re planning on playing commercial games, which you say you are.

Last bit. Open source is rather important to me. I prefer free and free.

You can get open-source software on any distro. Debian is a bit more aggressive than some, turns off non-free repositories by default, but I think that most people turn them on anyway. They also have a separate non-free firmware repository, and I think that most people aren’t determined enough to refuse to use non-libre firmware for hardware that they have (though they might choose that hardware with libre firmware in mind). I don’t think that there’s any distro that is going to ram non-open-source stuff down your throat. Honestly, your largest source of non-open-source software is probably going to be Steam, which you said that you want to use.

I use Debian myself these days. I’m hesitant to argue in favor of distros, because my own take is that the differences (a) tend to change over time, (b) most work pretty well regardless, and (c) I think that few people have actually spent enough time on many other distros to be able to have expert knowledge in their failings (which is something that I’ve seen in vi-vs-emacs discussions, where I’ve seen enthusiasts often talk about amazing features while unaware that the other editor can also do the same thing; it takes decades to master either).

If I were picking a “first distro” for someone for desktop use, and disregarding your specific situation, my default is probably Ubuntu. I don’t use it myself these days, but it’s particularly-widely-used. It has a short release cycle on the non-LTS version (I know that you said you wanted low maintenance, but I’ve pretty consistently found that one winds up wanting to pull in newer software for desktop systems). It’s Debian-based. If one distro gets targeted by a proprietary software package (which I know you also said that you don’t care about) it’s probably going to be Ubuntu. Aside from past use of Upstart as an init system, it isn’t especially unusual. It doesn’t require some of the poking around (like enabling non-free repos) that Debian does. It may or may not be where someone wants to be long term, but it’s not going to bring a lot of complications. But it’s really not going to be drastically better than the other mainstream distros.

Whether that is what one chooses or not, I’d stick to one of the more mainstream distros for a first-time user. There are legitimate reasons to use oddball, young, and specialized distros (tiny, security-hardened, real-time oriented, scientific-computing oriented, music-production oriented) but many of them die out after a couple years or impose constraints that aren’t immediately apparent to a new user.

I’d suggest something that’s been around for at least ten, preferably fifteen years. A distro that’s accomplished that has enough of a track record that they aren’t just going to be a flash in the pan; they’ve been able to attract and maintain enough effort to keep up an ongoing release cycle, which is not easy and I think is often more effort than would-be distro maintainers realize. Most distros that have come out since I started using Linux in the 1990s have died off. If yours gets discontinued, then you gotta migrate off it, which is a pain. But again, if you choose something new and it never sees another release, migrating off it isn’t that bad. You’re gonna maybe have to learn a new package manager and some new ways of configuring things and new conventions, but most distros don’t vary that incredibly much.

My Thinkpad T480s randomly dies with Arch Linux

I can’t find an active thinkpad centric community on here I am just going to post here. My Thinkpad T480s, 16 GB RAM, 238 GB SSD is randomly shutting off while at like 50%. When I try to open it back up it always is dead and I have to connect charger to boot it up again. Why is this happening? Is it battery issue? It complains...

tal,

That sort of sounds like whatever is displaying battery remaining is somehow getting things wrong, assuming that the battery is actually discharged. I can’t think of much that would prevent you from at least being able to power up to the BIOS if you honestly had battery charge.

You can see what the kernel is telling userspace in:

/sys/class/power_supply/BAT0/energy_full

And

/sys/class/power_supply/BAT0/energy_now

Other things that might cause it…there is some software that will auto-hibernate or similar when your battery reaches a certain threshold. If you consistently have the thing go down at 50%, that could do it. But I don’t know why that would prevent you from booting the thing without charging it. You tried holding the power button for seven seconds or so to make sure that the thing is really powered off and not in some suspend mode or something and ignoring taps on the power button?

tal, (edited )

Oh, wait. 50% and Thinkpad. I used to have a Thinkpad with two batteries.

www.ifixit.com/Guide/…/140443

That looks like the T470s has a dual battery, and unlike mine, they look like they’re the same size. Does your T480s have dual batteries?

EDIT: The T480 apparently does. Does the T480s?

reddit.com/…/t480_confused_on_how_to_charge_2nd_b…

EDIT2: I don’t see anything that looks like a second battery myself in this:

www.ifixit.com/Guide/…/144009

So I’m guessing not.

tal,

How do you determine your battery has 50% before it shuts down?

Debian has a program in the battery-stats package that logs battery at a (by default) 30 second interval. That has a pretty graphing program too. I dunno if Arch packages that, but if not, not hard to roll your own.


```sh
#!/bin/sh

while true; do
    echo $(date; cat /sys/class/power_supply/BAT0/energy_now) >> ~/battery-log
    sync
    sleep 10
done
```

That’ll get you a capacity within ten seconds of the next shutdown. If you save that log, repeat it running until it dies a couple times, you can probably tell if it’s consistently at the same capacity that it goes down.

tal, (edited )

I was just looking at terminals, because I wanted a Wayland-native terminal. I was happy with urxvt, but it hasn’t been ported to Wayland.

Kitty supposedly follows a lot of security-conscious practices, but it also has a metric shit-ton of features that let the remote end affect local behavior, and turns almost everything on by default, which makes me really nervous.

Both alacritty and foot eventually segfaulted when I tried playing a movie using the tct vo= option to mpv, which makes me nervous about how solid they are at handling even well-formed input.

(Aside: foot did fine with playing movies with vo=sixel, which was a surprise.)

I also learned that GNU screen and tmux do not understand sixel, the output from vo=tct, all the new keyboard and graphics protocols that Kitty has introduced, and such.

I kind of feel like there’s a need for some sort of fast generic terminal parsing engine or at least a language for describing protocols that they could all use, something that lets them gracefully ignore protocols that they don’t understand, because otherwise they do an abysmal job of dealing with them.

Really, I’d rather have a thin virtual terminal, more like foot than Kitty, and put more logic into something like screen or tmux.

Some of what Kitty does has to be in Kitty, like new protocols for handling keys and key combinations that traditionally couldn’t be sent to terminals. IIRC it has some mechanism for fast display of video images via shared memory between the terminal and locally-running software (though my experience was that mpv with vo=kitty was terribly slow, so it may or may not actually be using shared memory).

But some, like console-based tabs and windows (kind of like GNU screen’s windows and windows with splitting) really don’t need to be in a terminal. It’s a lot of stuff to expose to a remote system.

You also have Kitty involving itself in running local commands when the mouse interacts with text in the terminal. A protocol to permit password-authenticated remote control, from the far end, of Kitty. Python modules. Permitting clipboard access from the remote end. File transfer initiating from the remote end overwriting local files. Scraping and being driven by a lot of shell information from the remote end. Opening URLs.

I mean, on one hand, Kitty is doing a lot to make console programs, including across hosts, a lot more powerful than additions that anyone has done in years.

But on the other hand, a lot of this sets off “this looks like very fertile ground for security problems” red flags to me.

I kind of wish that there were a standard virtual terminal testing program. Like, let it run lots of tiny tests and be able to take a screenshot of the output, compare to expected output. As long as terminals can have options to produce standard output (trim borders, use the same font, use the same default 16 colors for the base 16 colors), their output should at least potentially be able to be pixel-identical if their support is correct.
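An added example, not part of the comment above and not code from any of the terminals it names: a small C state machine that recognises the framing of 7-bit escape sequences (CSI, OSC, DCS, APC, PM, SOS) and skips any of them without interpreting the contents, which is the "gracefully ignore what you don't understand" behaviour the comment asks for. The function names and the sample byte string are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Parser states for 7-bit ECMA-48 framing. 8-bit C1 bytes are not handled,
 * since they collide with UTF-8 continuation bytes. */
enum vt_state { GROUND, ESC, CSI, STR, STR_ESC };

/* Copy the printable text of in[0..n) into out (NUL-terminated, at most
 * cap-1 bytes) and skip every framed control sequence without interpreting
 * it. Returns the number of sequences skipped. */
size_t vt_skip_unknown(const unsigned char *in, size_t n, char *out, size_t cap)
{
    enum vt_state st = GROUND;
    int bel_ends = 0;               /* BEL terminates OSC only (xterm style) */
    size_t o = 0, skipped = 0, i = 0;

    while (i < n) {
        unsigned char c = in[i];

        /* CAN and SUB abort whatever sequence is in progress, so an
         * unterminated string cannot swallow output indefinitely. */
        if (st != GROUND && (c == 0x18 || c == 0x1A)) {
            st = GROUND; skipped++; i++;
            continue;
        }
        switch (st) {
        case GROUND:
            if (c == 0x1B) {
                st = ESC;
            } else if ((c >= 0x20 && c != 0x7F) || c == '\n' || c == '\t') {
                if (o + 1 < cap) out[o++] = (char)c;   /* text, newline, tab */
            }                                          /* other C0: dropped */
            break;
        case ESC:
            if (c == '[') {
                st = CSI;
            } else if (c == ']' || c == 'P' || c == '_' || c == '^' || c == 'X') {
                bel_ends = (c == ']');                 /* OSC, DCS, APC, PM, SOS */
                st = STR;
            } else if (c == 0x1B || (c >= 0x20 && c <= 0x2F)) {
                /* repeated ESC or an intermediate byte: keep reading */
            } else {
                st = GROUND; skipped++;                /* final byte of ESC x */
            }
            break;
        case CSI:
            if (c == 0x1B) { st = ESC; skipped++; }    /* aborted by new ESC */
            else if (c >= 0x40 && c <= 0x7E) { st = GROUND; skipped++; }
            break;                                     /* params: keep reading */
        case STR:
            if (c == 0x1B) st = STR_ESC;
            else if (c == 0x07 && bel_ends) { st = GROUND; skipped++; }
            break;                                     /* payload is ignored */
        case STR_ESC:
            if (c == '\\') { st = GROUND; skipped++; } /* ESC \ is ST */
            else { st = ESC; skipped++; continue; }    /* re-read c after ESC */
            break;
        }
        i++;
    }
    if (cap) out[o] = '\0';
    return skipped;
}

/* Convenience wrapper (hypothetical helper) using a static buffer. */
const char *vt_clean(const char *s)
{
    static char buf[256];
    vt_skip_unknown((const unsigned char *)s, strlen(s), buf, sizeof buf);
    return buf;
}

/* Constructed sample: SGR colour (CSI), window title (OSC), a sixel-style
 * DCS string and a Kitty-graphics-style APC string around plain text. */
static const char SAMPLE[] =
    "ok " "\x1b[1;31m" "red" "\x1b[0m" "\x1b]0;title\x07"
    "\x1bPq#0~~\x1b\\" "\x1b_Ga=T;AAAA\x1b\\" " done";

int main(void)
{
    printf("%s\n", vt_clean(SAMPLE));
    return 0;
}
```

A multiplexer or terminal built this way dispatches only the sequences it implements and drops the rest as whole units, so an unknown protocol's payload is never rendered as text or half-parsed as something else.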

tal, (edited )

Literally the single prominent technical problem that has spanned Reddit’s entire life is the lack of a decent search engine. In general, people fell back to Google because Reddit’s was abysmal.

So is Reddit gonna finally build something decent? Because if they don’t let Google index them, and they disabled Pushshift access, it’s gonna be hard to search the content.

tal, (edited )

Google can index other forums, like our own. Or stuff like Wikipedia. If Reddit doesn’t want to be indexed by external search engines, then they gotta build their own or be unsearchable. Their existing search system is abysmal.

Reddit becoming unsearchable would really damage their usability as a forum site.

You can say that even if Reddit’s value as a forum falls off, they kill the goose that lays the golden eggs, they can still sell access to their existing forum archives for AI training, but those have been archived and are downloadable online, at least up until early in this year. I mean, there are gonna be companies running AIs trained on that in jurisdictions that Reddit cannot sue them in and don’t care about honoring US IP rights, like Russia.

tal,

Still better than all those consumer advertorial “BEST OF 2024” lists that you find everywhere full of extremely mediocre and likely corrupt reviews, but nothing compared to the straightforward buying guides you used to find.

The SEO spam that I find that Google is absolutely unable to filter out is all the AI-generated sites. They generally have a page with a long list of questions and poorly-generated answers.

I don’t know if it’s one company doing it at mass scale or if there are hordes of copycats, but it swamps Google search results these days.

tal,

I will believe that Google can figure out a way to filter the spam – I mean, beating the spammers was their core value-add that made them what they are today. The spammers have pulled well ahead for maybe a year, but Google can maybe figure out a way to pull ahead again.

But there is no way that Reddit is going to be a reasonable forum site without a way to search it. Maybe it doesn’t have to be Google, but they have to have something sane.

Even aside from people searching, some people contribute specifically so that the information they provide can be found by people searching down the line. If it’s just going to a black hole…

tal,

I’ve never used the official app. I’ve seen screenshots of it.

The search functionality shouldn’t be tied to the app, though. It’s done server-side.

tal,

I haven’t used Japanese websites enough to be able to provide a comparison.

It definitely wasn’t the situation for English-based websites five years back. It was an issue at the beginning of this year. I don’t know where it really started.

tal,

Yeah, I’ve used one, but there is also sloowly accumulating bitrot there. It’s not getting any work done on it, and Reddit was pretty clear that they weren’t going to do more work on it.

Submissions of image collections have some bad link; they didn’t exist back when old.reddit.com was the norm.

www.reddit.com and old.reddit.com handle underscores in URLs pasted straight into Markdown and auto-linkified differently (one requires that they be backslash-escaped, the other that they not be backslash-escaped).

There’s some kind of inline image stuff in the new UI, IIRC, that doesn’t show up on old.reddit.com. I was surprised when I bipped over to the new UI and saw it.

You can hack a dark mode in in various ways, but it’s normally a light theme.

Not really specific to just the old Web UI, but third-party client issue is a factor for phone users. Reddit’s web UI on mobile isn’t fantastic. old.reddit.com is okay for desktop use, but it’s not really a great solution for phones.

tal,

Yeah, I’m not specifically beating up on Google. No search engines are beating the spammers right now.

tal,

Were they doing a good job?

tal,

I’d be more-inclined to take issue with Muslim extremists than Christian extremists, if anything. So, yeah, probably have pretty much the same take.

tal, (edited )

I think it’s a mistake. I think that the land should be kept for at least two or three years to…look at what can be done within that space

I mean, I assume that whoever buys it is going to do the same. It’s probably not going to become some deserted wasteland.

tal, (edited )

en.wikipedia.org/wiki/London%2C_Ontario

London is at the confluence of the Thames River…its economic activity is centered on…financial services…London annexed nearly the entire township of Westminster…

As per the 2021 census, the most common ethnic or cultural origins in London are English (21.9%), Scottish (17.4%), Irish (16.8%)…

London’s city centre mall was first opened in 1960 as Wellington Square

Although London has many ties to Middlesex County…

London stretches…east to Dorchester

London proved a centre of strong Tory support…

planetware.com/…/top-rated-things-to-do-in-london…

Fancy a stroll along the banks of the Thames River, possibly crossing over it using Blackfriars Bridge? Or perhaps doing a little shopping in Covent Garden Market before visiting St. Paul’s Cathedral?

I’m impressed at the level of dedication there. It doesn’t appear to have its own Big Ben, though.

EDIT:

en.wikipedia.org/…/List_of_twin_towns_and_sister_…

London[80]

  • China Nanjing, China

Definitely missed an opportunity there, Canada. Could have been twins with London, UK.

tal, (edited )

They didn’t put the text in, but if you remember the original movie, the two situations are pretty close, actually. The AI, Joshua, was being told by David Lightman – incorrectly – that he was Professor Falken.

www.youtube.com/watch?v=7R0mD3uWk5c

Joshua: Greetings, Professor Falken.

David: We’re in!

Jennifer: [giggles]

David [to Jennifer]: It thinks I’m Falken!

David [typing, to Joshua]: Hello.

Joshua: How are you feeling today?

David: [typing, to Joshua]: I’m fine. How are you?

Joshua: Excellent. It’s been a long time. Can you explain the removal of your user account on June 23rd, 1973?

David [to Jennifer]: They must have told it he died.

David [typing, to Joshua]: People sometimes make mistakes.

Joshua: Yes, they do.

My own Wargames “this is not realistic” and then years later, in real life: “oh, for fuck’s sake” moment when it happened was the scene where Joshua was trying to work out the ICBM launch code, and was getting it digit-by-digit. I was saying “there is absolutely no security system in the world where one can remotely compute a passcode a digit at a time, in linear time, by trying them against the systems”.

So some years later, in the Windows 9x series, for the filesharing server feature, Microsoft stored passwords in a non-hashed format. Additionally, there was a bug in the password validation code. The login message sent by a remote system when logging in contained a length, and Windows only actually verified that that many bytes of the password matched, which meant that one could get past the password in no more than 256 tries, since you only had to match the first byte if the length was 1. Someone put out some proof of concept code for Linux, a patch against Samba’s smbclient, to exploit it. I recall thinking “I mean, there might not be something critical on the share itself, but you can also extract the filesharing password remotely by just incrementing the length and finding the password a digit at a time, which is rather worse, since even if they patch the hole, a lot of people are not going to change the passwords and probably use their password for multiple things.” I remember modifying the proof-of-concept code, messaged a buddy downstairs, who had the only convenient Windows 98 machine sitting around on the network, “Hey, Marcus, can I try an exploit I just wrote against your computer?” Marcus: “Uh, what’s it do?” “Extracts your filesharing password remotely.” Marcus: “Yeah, right.” Me: “I mean, it should. It’ll make the password visible, that okay with you?” Marcus: “Sure. I don’t believe you.”

Five minutes later, he’s up at my place and we’re watching his password be printed on my computer’s screen at a rate of about a letter every few seconds, and I’m saying, “you know, I distinctly remember criticizing Wargames years back as being wildly unrealistic on the grounds that absolutely no computer security system would ever permit something like this, and yet, here we are, and now maybe one of the most-widely-deployed authentication systems in the world does it.” Marcus: “Fucking Microsoft.”
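An added sketch, not part of the comment above and not the original Windows or Samba code: the class of check the comment describes, where the server compares only as many bytes as the client claims to have sent, next to a version that compares against the server's own length without stopping at the first mismatch. All function names and the sample password are constructed; rejecting a zero length in the flawed version is an assumption of this sketch.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef int (*check_fn)(const char *stored, const unsigned char *sent, size_t len);

/* Flawed: the password is kept in the clear and only the first claimed_len
 * bytes are compared, where claimed_len comes from the client's message. */
int check_flawed(const char *stored, const unsigned char *sent, size_t claimed_len)
{
    if (claimed_len == 0 || claimed_len > strlen(stored))
        return 0;
    return memcmp(stored, sent, claimed_len) == 0;   /* prefix match passes */
}

/* Hardened: the length that counts is the server's own, a length mismatch
 * is a failure, and the loop always runs over the whole stored value so the
 * result does not depend on where the first differing byte is. */
int check_fixed(const char *stored, const unsigned char *sent, size_t sent_len)
{
    size_t n = strlen(stored);
    unsigned char diff = (unsigned char)(n != sent_len);

    for (size_t i = 0; i < n; i++) {
        unsigned char s = i < sent_len ? sent[i] : 0;
        diff |= (unsigned char)((unsigned char)stored[i] ^ s);
    }
    return diff == 0;
}

/* Regression test helper: how many proper prefixes of the correct password
 * does a check accept? Anything above zero means the check can confirm a
 * password one byte at a time instead of all at once. */
size_t accepted_proper_prefixes(check_fn check, const char *stored)
{
    size_t n = strlen(stored), hits = 0;

    for (size_t len = 1; len < n; len++)
        if (check(stored, (const unsigned char *)stored, len))
            hits++;
    return hits;
}

int main(void)
{
    const char *pw = "example-pw";   /* constructed sample value */

    printf("flawed accepts %zu proper prefixes\n",
           accepted_proper_prefixes(check_flawed, pw));
    printf("fixed  accepts %zu proper prefixes\n",
           accepted_proper_prefixes(check_fixed, pw));
    return 0;
}
```

Comparing a salted hash of the submitted value instead of the cleartext removes the per-byte signal altogether, since a partial guess then says nothing about the stored secret.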

tal, (edited )

LAN Manager passwords were hashed

Looks like it was worse than I remember.

Pretty sure that you’re thinking of an additional, unrelated security hole. I recall that there were attacks against NTLM hashed passwords too – IIRC, one could sniff login attempts against Windows fileservers on the same network, extract hashed passwords going by on the network, and then run dictionary attacks against them, which sounds like the exploit being described at your link. That was actually worse in that it also affected the (more-widely-used in production in businesses for serious things) Windows NT servers.

The hole I was attacking was specific to the fileserver in the 9x line, and it wasn’t a weak hash or unsalted hash, but a lack of hashing – it was specifically a case where the passwords were not stored in a hashed form. That was fundamentally a requirement for the attack to be appearing in this way; if they had had any form of hashing, even with the length verification bug, you would have had to extract the entire hash, then do a local brute-force attack against the hash to reverse the hash, and gotten the whole password at once rather than having it show up a digit at a time.

Windows had a lot of security problems around that time.

EDIT: Regarding your hole, it sounds like NTLM authentication still is prone to problems:

csoonline.com/…/ntlm-relay-attacks-explained-and-…

2021

Attackers can intercept legitimate Active Directory authentication requests to gain access to systems. A PetitPotam attack could allow takeover of entire Windows domains.

EDIT2: Oh, if you mean “worse than I remember” talking about the case reduction, then never mind – I thought that you were saying that the length check bug made your hole worse.

tal, (edited )

It’s hunter2

For the uninitiated, this was a purported IRC conversation on bash.org (which apparently is down now, sadly):

web.archive.org/web/20040604194346/…/bash.org/?24…


```
Cthon98: hey, if you type in your pw, it will show as stars
Cthon98: ********* see!
AzureDiamond: hunter2
AzureDiamond: doesnt look like stars to me
Cthon98: *******
Cthon98: thats what I see
AzureDiamond: oh, really?
Cthon98: Absolutely
AzureDiamond: you can go hunter2 my hunter2-ing hunter2
AzureDiamond: haha, does that look funny to you?
Cthon98: lol, yes. See, when YOU type hunter2, it shows to us as *******
AzureDiamond: thats neat, I didnt know IRC did that
Cthon98: yep, no matter how many times you type hunter2, it will show to us as *******
AzureDiamond: awesome!
AzureDiamond: wait, how do you know my pw?
Cthon98: er, I just copy pasted YOUR ******'s and it appears to YOU as hunter2 cause its your pw
AzureDiamond: oh, ok.
```

I’ll add that I’m a little suspicious that the event is apocryphal. Cliff Stoll’s The Cuckoo’s Egg described a (true) story of a West German hacker, Markus Hess, working for the KGB during the Cold War to try to break into US industrial systems (e.g. chip design, OS source code) and military systems (various military bases and defense projects). Hess had broken into a system at the University of California at Berkeley, where Stoll was studying astrophysics and working as a sysadmin. Stoll discovered the break-in, and decided to leave the hacker alone, to use the system as a honeypot, and try to figure out what systems the hacker was attacking so that he could warn them, so he had a pretty extensive writeup on what was going on. Stoll had been providing updates to the FBI, CIA, NSA, Army and Air Force computer security personnel, and a few others.

Stoll was trying to figure out who the hacker was, as the hacker was only touching his system via other systems that he’d broken into, like a US defense contractor; he didn’t know that the hacker was German.

Hess used “hunter” or a variant, like “jaeger”, German for “hunter”, as a password on many of the systems that he broke into; this was one of several elements that led Stoll to guess that he might be German; that sounds very suspiciously similar to the password in the above conversation.

I’d add that the whole story is a pretty interesting read. Eventually, Stoll – who was having trouble getting interest from various US security agencies, which were not really geared up to deal with network espionage at the time – made up a fake computer system at UC Berkeley that claimed it contained information related to Strategic Defense Initiative, part of a major US ballistic missile defense project, and indicated that a physical letter had to be sent to get access. Hess noticed it, handed the information off to his KGB handlers, and a bit later, a Bulgarian spy in Pittsburgh tried sending said letter to get access to the system. When Stoll handed that tidbit off, that got a lot of attention, because the FBI was definitely geared up for catching spies in the US trying to compromise US military systems, and exposing domestic spy rings was right up their alley. The FBI finally put a bunch of people on it, Stoll got to give a presentation at the CIA, etc.

tal,

They also did the closest thing to a Steam competitor and brought a lot of popular-but-unavailable games back to the light of day via doing legwork to track rights down and pick up the right to re-release them.

That may not be game development, other than in putting together compatibility software and some client software, but it was successful. Probably had a bigger impact than The Witcher 3.

tal,

Nah, they made it.

en.wikipedia.org/wiki/GOG.com

tal,

The whole world is fucked, the protagonist is doomed, there are no good endings and everything is depressing.

I mean…it’s cyberpunk. Both in genre and in the name.

en.wikipedia.org/wiki/Cyberpunk

Cyberpunk is a subgenre of science fiction in a dystopian futuristic setting that tends to focus on a “combination of lowlife and high tech”,[1] featuring futuristic technological and scientific achievements, such as artificial intelligence and cyberware, juxtaposed with societal collapse, dystopia or decay.[2]

Maybe you can have good endings in cyberpunk, but it’s not usually upbeat and cheery.

Cross platform terminal emulator?

Is Termius the only cross platform emulator that includes Android as one of the platforms? It is quite good, in my limited experience, but too expensive for a hobbyist. I like that I can use my Linux desktop, MacOS laptop, and Android tablet/phone and the UX is the same across them all. The sync (trial for free, then charge) is...

tal,

I actually lied. I said that OpenSSH doesn’t have a “bookmarking” feature. OpenSSH does have a “bookmarking” feature – the Host entries in ~/.ssh/config, with a Hostname field.

I haven’t used that feature much, since normally, I’d rather add a short hostname to /etc/hosts, and then all software on the system can use that short hostname, not just OpenSSH.

The last time I used it was to set up a tunnel that bounced through multiple machines running ssh servers with a single command, over a decade ago, which is something else it can do.

But it is there.

tal,

Either the article’s image is a not-terribly-good mock-up of the actual facial recognition system doing feature recognition on someone’s face, or said system is identifying the model’s shirt collar as part of her face.
