cross-posted from: https://lemmings.world/post/41792313

Screenshot of this question was making the rounds last week. But this article covers testing against all the well-known models out there.

Also includes outtakes on the 'reasoning' models.

Yeah, I'm just another one of those who has recently switched to Linux. And, as many, what I did was to go for a distro catered for beginners. I chose Ubuntu at first because I had briefly used it like eleven years ago at high school as part of computer class, and actually liked it back then, and, all in all, I do like Ubuntu's current GNOME adaption.

However, I decided after a few days to move on to a community-based distro as it aligns more with my way of thinking (as well as for a couple of issues which were Ubuntu/GNOME related), and the obvious choice, having tried Ubuntu, was Mint. And I do like Mint, even more than Ubuntu; I especially like Mint's adaption of the Xfce DE and I would definitely use it if I had a low-powered computer.

What didn't quite convince me, though, was the limited DE selection available. While learning about all the Linux stuff I came to know about desktops, and I felt like, if I wanted to ever use a different one, yes, it could be installed the hard way, but I would rather have a distro that can be installed with my desired desktop by default, and the one that got my attention was KDE.

And that's how I've ended up on Debian. Yeah, not your usual recommendation for beginners but... I don't see anything bad about it? Like, yeah, I have Nvidia, but I honestly wouldn't mind going through the hassle of installing the GPU's driver through the terminal (and I haven't even bothered yet cause I don't really game much anymore). But, apart from that, I'm delighted with what I see. I could've gone with Fedora, which was my next choice, but I actually like Debian's slow update cycle, as I don't want to be bothered often with setting up my system again. I want something as close as "set it and forget it" as possible. Plus, it is also the one I have felt the most at ease with thanks to KDE indeed.

So that's my story! It's been an intense few days of learning, installing, deleting, and reinstalling OSes on my system, but I now feel at ease and will be installing my favourite programmes or searching alternatives for the ones I used on Windows.

Thank you for reading and have a nice evening!

https://old.reddit.com/r/selfhosted/comments/1rckopd/huntarr_your_passwords_and_your_entire_arr_stacks/

Today, after raising security concerns in a post on r/huntarr regarding the lack of development standards in what looks like a 100% vibe-coded project, I was banned. This made my spidey senses tingle, so I decided to do a security review of the codebase. What I found was... not good. TLDR: If you have Huntarr exposed on your stack, anyone can pull your API keys for Sonarr, Radarr, Prowlarr, and every other connected app without logging in, gaining full control over your media stack.

The process

I did a security review of Huntarr.io (v9.4.2) and found critical auth bypass vulnerabilities. I'm posting this here because Huntarr sits on top of (and is now trying to replace them as well!) Sonarr, Radarr, Prowlarr, and other *arr apps that have years of security hardening behind them. If you install Huntarr, you're adding an app with zero authentication on its most sensitive endpoints, and that punches a hole through whatever network security you've set up for the rest of your stack.

The worst one: POST /api/settings/general requires no login, no session, no API key. Nothing. Anyone who can reach your Huntarr instance can rewrite your entire configuration and the response comes back with every setting for every integrated application in cleartext. Not just Huntarr's own proxy credentials - the response includes API keys and instance URLs for Sonarr, Radarr, Prowlarr, Lidarr, Readarr, Whisparr, and every other connected app. One curl command and an attacker has direct API access to your entire media stack:

curl -X POST http://your-huntarr:9705/api/settings/general \  
  -H "Content-Type: application/json" \  
  -d '{"proxy_enabled": true}'  

Full config dump with passwords and API keys for every connected application. If your instance is internet-facing - and it often is, Huntarr incorporates features like Requestarr designed for external access - anyone on the internet can pull your credentials without logging in.

Other findings (21 total across critical/high/medium):

• Unauthenticated 2FA enrollment on the owner account (Critical, proven in CI): POST /api/user/2fa/setup with no session returned the actual TOTP secret and QR code for the owner account. An attacker generates a code, calls /api/user/2fa/verify, enrolls their own authenticator. Full account takeover, no password needed.
• Unauthenticated setup clear enables full account takeover (Critical, proven in CI): POST /api/setup/clear requires no auth. Returns 200 "Setup progress cleared." An attacker re-arms the setup flow, creates a new owner account, replaces the legitimate owner entirely.
• Unauthenticated recovery key generation (Critical, proven in CI): POST /auth/recovery-key/generate with {"setup_mode": true} reaches business logic with no auth check (returns 400, not 401/403). The endpoint is unauthenticated.
• Full cross-app credential exposure (Critical, proven in CI): Writing a single setting returns configuration for 10+ integrated apps. One call, your entire stack's API keys.
• Unauthenticated Plex account unlink - anyone can disconnect your Plex from Huntarr
• Auth bypass on Plex account linking via client-controlled setup_mode flag - the server skips session checks if you send {"setup_mode": true}
• Zip Slip arbitrary file write (High): zipfile.extractall() on user-uploaded ZIPs without filename sanitization. The container runs as root.
• Path traversal in backup restore/delete (High): backup_id from user input goes straight into filesystem paths. shutil.rmtree() makes it a directory deletion primitive.
• local_access_bypass trusts X-Forwarded-For headers, which are trivially spoofable - combine with the unauth settings write and you get full access to protected endpoints

How I found this: Basic code review and standard automated tools (bandit, pip-audit). The kind of stuff any maintainer should be running. The auth bypass isn't a subtle bug - auth.py has an explicit whitelist that skips auth for /api/settings/general. It's just not there.

About the maintainer and the codebase:

The maintainer says they have "a series of steering documents I generated that does cybersecurity checks and provides additional hardening" and "Note I also work in cybersecurity." They say they've put in "120+ hours in the last 4 weeks" using "steering documents to advise along the way from cybersecurity, to hardening, and standards". If that's true, it's not showing in the code.

If you work in cybersecurity, you should know not to whitelist your most sensitive endpoint as unauthenticated. You should know that returning TOTP secrets to unauthenticated callers is account takeover. You should know zipfile.extractall() on untrusted input is textbook Zip Slip. This is introductory stuff. The "cybersecurity steering documents" aren't catching what a basic security scan flags in seconds.

Look at the commit history: dozens of commits with messages like "Update", "update", "Patch", "change", "Bug Patch" - hundreds of changed files in commits separated by a few minutes. No PR process, no code review, no second pair of eyes - just raw trunk-based development where 50 features get pushed in a day with zero review. Normal OSS projects are slower for a reason: multiple people look at changes before they go in. Huntarr has none of that.

When called out on this, the maintainer said budget constraints: "With a limited budget, you can only go so far unless you want to spend $1000+. I allot $40 a month in the heaviest of tasks." That's just not true - you can use AI-assisted development 8 hours a day for $20/month. The real problem isn't the budget. It's that the maintainer doesn't understand the security architecture they're building and doesn't understand the tools they're using to build it. You can't guide an AI to implement auth if you don't recognize what's wrong when it doesn't.

They also censor security reports and ban people who raise concerns. A user posted security concerns on r/huntarr and it was removed by the moderator - the maintainer controls the subreddit. I was banned from r/huntarr after pointing out these issues in this thread where the maintainer was claiming to work in cybersecurity (which they now deleted).

One more thing - the project's README has a "Support - Building My Daughter's Future" section soliciting donations. That's a red flag for me. You're asking people to fund your development while shipping code with 21 unpatched security vulnerabilities, no code review process, and banning people who point out the problems, while doing an appeal to emotion about your daughter. If you need money, that's fine - but you should be transparent about what you're spending it on and you should be shipping code that doesn't put your users at risk.

Proof repo with automated CI: https://github.com/rfsbraz/huntarr-security-review

Docker Compose setup that pulls the published Huntarr image and runs a Python script proving each vulnerability. GitHub Actions runs it on every push - check the workflow results yourself or run it locally with docker compose up -d && python3 scripts/prove_vulns.py.

For what it's worth, and to prove I'm not an AI hater, the prove_vulns script itself was vibe coded - I identified the vulnerabilities through code review, wrote up the repro steps, and had AI generate the proof script.

Full security review (21 findings): https://github.com/rfsbraz/huntarr-security-review/blob/main/Huntarr.io_SECURITY_REVIEW.md

What happens next: The maintainer will most likely prompt these problems away - feed the findings to an AI and ship a patch. But fixing 21 specific findings doesn't fix the process that created them. No code review, no PR process, no automated testing, no one who understands security reviewing what ships. The next batch of features will have the next batch of vulnerabilities. This is only the start. If the community doesn't push for better coding standards, controlled development, and a sensible roadmap, people will keep running code that nobody has reviewed.

If you're running Huntarr, keep it off any network you don't fully trust until this is sorted. The *arr apps it wraps have their own API key auth - Huntarr bypasses that entirely.

Please let others know about this. If you have a Huntarr instance, share this with your community. If you know someone who runs one, share it with them. The more people know about the risks, the more pressure there will be on the maintainer to fix them and improve their development process.

Edit: Looks like r/huntarr went private and the repo got deleted or privated https://github.com/plexguide/Huntarr.io . I'm sorry for everyone that donated to this guy's "Daughter College Fund".

Edit 2: Thanks for all the love on the comments, I'll do my best to reach out to everyone I can. People asking me for help on security reviews, believe me when I say I did little more than the basics - the project was terrible.

This is a digital tabletop game called Dobbel Dungeon, that comes from a two-person team out of the Netherlands. This light fantasy romp has you assembling a party of three before you venture out armed with your dice. At the start of a turn you roll the dice, and then power up your abilities. There are no chances to hit or misses in Dobbel Dungeon - as long as you have the numbers you can perform your abilities and defeat your foes. 

Looks like a cute fun game. I’m a big tabletop fan but rarely get games to the table anymore so this could be a good one for me personally.

Developing new catalysts requires large-scale, repetitive experiments with frequent changes to catalyst composition and reaction conditions. Manual experiments are time-consuming and error prone. A team has automated this process and significantly increased reproducibility by employing robots to manage reagent compositions and run the repeated tests.

I suddenly need a wired connection for a job starting very soon but it won't be hooked up for quite some time. I have my neighborswifi password though. Iknow this is a longshot, but would I be able to use my laptop to change a wireless connection into a wired connection?

It's an older desktop Mac managed by the company. My laptop is an HP omen 15 with arch Linux on it

Hey y'all, this actually isn't self hosting related, but who have you had good luck with for paid matrix hosting?

Right now, I do enough tinkering with everything that I would be willing to just pay to host a matrix server for my friends.

Unless it really is easy enough to do it on a synology nas for text/voice/screen share...but do I need to pay for a domain still?

We are (like everyone) on matrix.org now but realize we need to move eventually.

Last week’s surprise departure of Phil Spencer from Microsoft led to the promotion of Asha Sharma, who comes to head Microsoft’s gaming division after two years as president of the company’s CoreAI Product group. Despite that recent history, Sharma says in a new interview that she has “no tolerance for bad AI” in game development.

...

Meanwhile the head of another Soulless Tech Corporation Hellbent On Dehumanizing Game Development In Every Sense Of The Word "Dehumanize" Possible reminds us...

CEO Tim Sweeney says requiring developers to disclose their use of AI tools is as relevant as disclosing “what shampoo brand the developer uses,”

Objectification, hate, rape threats: the politicians debating online abuse mean well, but to truly understand, they need to see what I see

cross-posted from: https://thebrainbin.org/m/news@lemmy.world/t/1440476

Kim says his party is focused on the tasks of 'boosting economic construction and the people's standard of living'.

Hacker News.

Social media is going the way of alcohol, gambling, and other social sins: societies are deciding it’s no longer kids’ stuff. Lawmakers point to compulsive use, exposure to harmful content, and mounting concerns about adolescent mental health. So, many propose to set a minimum age, usually 13 or 16.

In cases when regulators demand real enforcement rather than symbolic rules, platforms run into a basic technical problem. The only way to prove that someone is old enough to use a site is to collect personal data about who they are. And the only way to prove that you checked is to keep the data indefinitely. Age-restriction laws push platforms toward intrusive verification systems that often directly conflict with modern data-privacy law.

This is the age-verification trap. Strong enforcement of age rules undermines data privacy.

Defense Secretary Pete Hegseth jokingly said any surge in takeout deliveries to the Pentagon — a phenomenon that has accurately predicted the start of major geopolitical events — could be him ordering pizza “just to throw everybody off.”

Asked about the “Pentagon Pizza Report,” an account on X that tracks activity at local pizza joints near the U.S. military hub, Hegseth said he was aware of the account.

“I’ve thought of just ordering lots of pizza on random nights just to throw everybody off,” he said Sunday on Fox News. “Some Friday night when you see a bunch of Dominos orders, it might just be me on an app, throwing the whole system off so we keep everybody off balance. We look at every indicator.”

I have CasaOS and I installed this https://hub.docker.com/r/linuxserver/overseerr

Is there an easy way to simply upgrade it like a normal update and keep the settings?

This is a necessary Reddit repost - stay safe folks!

source

Today, after raising security concerns in a post on r/huntarr regarding the lack of development standards in what looks like a 100% vibe-coded project, I was banned. This made my spidey senses tingle, so I decided to do a security review of the codebase. What I found was... not good. TLDR: If you have Huntarr exposed on your stack, anyone can pull your API keys for Sonarr, Radarr, Prowlarr, and every other connected app without logging in, gaining full control over your media stack. The process

I did a security review of Huntarr.io (v9.4.2) and found critical auth bypass vulnerabilities. I'm posting this here because Huntarr sits on top of (and is now trying to replace them as well!) Sonarr, Radarr, Prowlarr, and other *arr apps that have years of security hardening behind them. If you install Huntarr, you're adding an app with zero authentication on its most sensitive endpoints, and that punches a hole through whatever network security you've set up for the rest of your stack.

The worst one: POST /api/settings/general requires no login, no session, no API key. Nothing. Anyone who can reach your Huntarr instance can rewrite your entire configuration and the response comes back with every setting for every integrated application in cleartext. Not just Huntarr's own proxy credentials - the response includes API keys and instance URLs for Sonarr, Radarr, Prowlarr, Lidarr, Readarr, Whisparr, and every other connected app. One curl command and an attacker has direct API access to your entire media stack:

curl -X POST http://your-huntarr:9705/api/settings/general \
  -H "Content-Type: application/json" \
  -d '{"proxy_enabled": true}'

Full config dump with passwords and API keys for every connected application. If your instance is internet-facing - and it often is, Huntarr incorporates features like Requestarr designed for external access - anyone on the internet can pull your credentials without logging in.

Other findings (21 total across critical/high/medium):

• Unauthenticated 2FA enrollment on the owner account (Critical, proven in CI): POST /api/user/2fa/setup with no session returned the actual TOTP secret and QR code for the owner account. An attacker generates a code, calls /api/user/2fa/verify, enrolls their own authenticator. Full account takeover, no password needed.

• Unauthenticated setup clear enables full account takeover (Critical, proven in CI): POST /api/setup/clear requires no auth. Returns 200 "Setup progress cleared." An attacker re-arms the setup flow, creates a new owner account, replaces the legitimate owner entirely.curl -X POST http://your-huntarr:9705/api/settings/general
  -H "Content-Type: application/json"
  -d '{"proxy_enabled": true}'

• Unauthenticated recovery key generation (Critical, proven in CI): POST /auth/recovery-key/generate with {"setup_mode": true} reaches business logic with no auth check (returns 400, not 401/403). The endpoint is unauthenticated.

• Full cross-app credential exposure (Critical, proven in CI): Writing a single setting returns configuration for 10+ integrated apps. One call, your entire stack's API keys.

• Unauthenticated Plex account unlink - anyone can disconnect your Plex from Huntarr

• Auth bypass on Plex account linking via client-controlled setup_mode flag - the server skips session checks if you send {"setup_mode": true}

• Zip Slip arbitrary file write (High): zipfile.extractall() on user-uploaded ZIPs without filename sanitization. The container runs as root.

• Path traversal in backup restore/delete (High): backup_id from user input goes straight into filesystem paths. shutil.rmtree() makes it a directory deletion primitive.

• local_access_bypass trusts X-Forwarded-For headers, which are trivially spoofable - combine with the unauth settings write and you get full access to protected endpoints

How I found this: Basic code review and standard automated tools (bandit, pip-audit). The kind of stuff any maintainer should be running. The auth bypass isn't a subtle bug - auth.py has an explicit whitelist that skips auth for /api/settings/general. It's just not there.

About the maintainer and the codebase:

The maintainer says they have "a series of steering documents I generated that does cybersecurity checks and provides additional hardening" and "Note I also work in cybersecurity." They say they've put in "120+ hours in the last 4 weeks" using "steering documents to advise along the way from cybersecurity, to hardening, and standards". If that's true, it's not showing in the code.

If you work in cybersecurity, you should know not to whitelist your most sensitive endpoint as unauthenticated. You should know that returning TOTP secrets to unauthenticated callers is account takeover. You should know zipfile.extractall() on untrusted input is textbook Zip Slip. This is introductory stuff. The "cybersecurity steering documents" aren't catching what a basic security scan flags in seconds.

Look at the commit history: dozens of commits with messages like "Update", "update", "Patch", "change", "Bug Patch" - hundreds of changed files in commits separated by a few minutes. No PR process, no code review, no second pair of eyes - just raw trunk-based development where 50 features get pushed in a day with zero review. Normal OSS projects are slower for a reason: multiple people look at changes before they go in. Huntarr has none of that.

When called out on this, the maintainer said budget constraints: "With a limited budget, you can only go so far unless you want to spend $1000+. I allot $40 a month in the heaviest of tasks." That's just not true - you can use AI-assisted development 8 hours a day for $20/month. The real problem isn't the budget. It's that the maintainer doesn't understand the security architecture they're building and doesn't understand the tools they're using to build it. You can't guide an AI to implement auth if you don't recognize what's wrong when it doesn't.

They also censor security reports and ban people who raise concerns. A user posted security concerns on r/huntarr and it was removed by the moderator - the maintainer controls the subreddit. I was banned from r/huntarr after pointing out these issues in this thread where the maintainer was claiming to work in cybersecurity (which they now deleted).

One more thing - the project's README has a "Support - Building My Daughter's Future" section soliciting donations. That's a red flag for me. You're asking people to fund your development while shipping code with 21 unpatched security vulnerabilities, no code review process, and banning people who point out the problems, while doing an appeal to emotion about your daughter. If you need money, that's fine - but you should be transparent about what you're spending it on and you should be shipping code that doesn't put your users at risk.

Proof repo with automated CI: https://github.com/rfsbraz/huntarr-security-review

Docker Compose setup that pulls the published Huntarr image and runs a Python script proving each vulnerability. GitHub Actions runs it on every push - check the workflow results yourself or run it locally with docker compose up -d && python3 scripts/prove_vulns.py.

For what it's worth, and to prove I'm not an AI hater, the prove_vulns script itself was vibe coded - I identified the vulnerabilities through code review, wrote up the repro steps, and had AI generate the proof script.

Full security review (21 findings): https://github.com/rfsbraz/huntarr-security-review/blob/main/Huntarr.io_SECURITY_REVIEW.md

What happens next: The maintainer will most likely prompt these problems away - feed the findings to an AI and ship a patch. But fixing 21 specific findings doesn't fix the process that created them. No code review, no PR process, no automated testing, no one who understands security reviewing what ships. The next batch of features will have the next batch of vulnerabilities. This is only the start. If the community doesn't push for better coding standards, controlled development, and a sensible roadmap, people will keep running code that nobody has reviewed.

If you're running Huntarr, keep it off any network you don't fully trust until this is sorted. The *arr apps it wraps have their own API key auth - Huntarr bypasses that entirely.

Please let others know about this. If you have a Huntarr instance, share this with your community. If you know someone who runs one, share it with them. The more people know about the risks, the more pressure there will be on the maintainer to fix them and improve their development process.

Edit: Looks like r/huntarr went private and the repo got deleted or privated https://github.com/plexguide/Huntarr.io . I'm sorry for everyone that donated to this guy's "Daughter College Fund".

Edit 2: Thanks for all the love on the comments, I'll do my best to reach out to everyone I can. People asking me for help on security reviews, believe me when I say I did little more than the basics - the project was terrible.

Israeli political commentator Rachel Gur said her son is refusing to study for his math test as he's certain that the exam is going to get canceled due to an Iran attack or counterattack.

"I told him a strike is unlikely before Wednesday," Gur said, adding that Wednesday is also the exam day.