
During some work with Tess, I noticed that my test instance was running horribly slow. The CPU was spiking, and Postgres was not happy, using pretty much all the available compute.

Investigating, I found the culprit to be some crawler or possibly malicious actor sending a massive number of unscoped requests to /api/v3/comment/list. What I mean by "unscoped" is without limiting it to a post ID. I'm not sure if this is a bug in Lemmy or there's a legit use for just fetching only comments outside of a post, but I digress as that's another discussion.

After disallowing unscoped requests to the comment list endpoint (see mitigation further down), no more issue.

The kicker seemed to be that this bot / jackass was searching by "Old" and was requesting thousands of pages deep.

Requests looked like this: GET /api/v3/comment/list?limit=50&sort=Old&page=16413

Since I shut down Dubvee officially, I'm not keeping logs as long as I used to, but the other page numbers I saw in the access log were all above 10,000. From the logs I have available, the requests seem to be coming from these 3 IP addresses, but I have insufficient data to confirm this is all of them (it probably isn't).

  • 134.19.178.167
  • 213.152.162.5
  • 134.19.179.211

Log Excerpt

Note that I log the query string as well as the URI. I've run a custom Nginx setup for so long, I actually don't recall if the query string is logged by default or not. If you're not logging the query string, you can still look for the 3 (known) IPs above making requests to /api/v3/comment/list and see if entries similar to these show up.

2025-09-21T14:31:59-04:00 {LB_NAME}: dubvee.org, https, {LB_IP}, 134.19.179.211, - , NL, Amsterdam, North Holland, 52.37590, 4.89750, TLSv1.3, TLS_AES_256_GCM_SHA384, "GET", "/api/v3/comment/list", "limit=50&sort=Old&page=16413"
2025-09-21T14:32:00-04:00 {LB_NAME}: dubvee.org, https, {LB_IP}, 134.19.179.211, - , NL, Amsterdam, North Holland, 52.37590, 4.89750, TLSv1.3, TLS_AES_256_GCM_SHA384, "GET", "/api/v3/comment/list", "limit=50&sort=Old&page=16413"
2025-09-21T14:32:01-04:00 {LB_NAME}: dubvee.org, https, {LB_IP}, 134.19.179.211, - , NL, Amsterdam, North Holland, 52.37590, 4.89750, TLSv1.3, TLS_AES_256_GCM_SHA384, "GET", "/api/v3/comment/list", "limit=50&sort=Old&page=16413"
2025-09-21T14:32:01-04:00 {LB_NAME}: dubvee.org, https, {LB_IP}, 134.19.179.211, - , NL, Amsterdam, North Holland, 52.37590, 4.89750, TLSv1.3, TLS_AES_256_GCM_SHA384, "GET", "/api/v3/comment/list", "limit=50&sort=Old&page=16413"
2025-09-21T14:32:12-04:00 {LB_NAME}: dubvee.org, https, {LB_IP}, 134.19.179.211, - , NL, Amsterdam, North Holland, 52.37590, 4.89750, TLSv1.3, TLS_AES_256_GCM_SHA384, "GET", "/api/v3/comment/list", "limit=50&sort=Old&page=16413"
2025-09-21T14:32:13-04:00 {LB_NAME}: dubvee.org, https, {LB_IP}, 134.19.179.211, - , NL, Amsterdam, North Holland, 52.37590, 4.89750, TLSv1.3, TLS_AES_256_GCM_SHA384, "GET", "/api/v3/comment/list", "limit=50&sort=Old&page=16413"
2025-09-21T14:32:13-04:00 {LB_NAME}: dubvee.org, https, {LB_IP}, 134.19.179.211, - , NL, Amsterdam, North Holland, 52.37590, 4.89750, TLSv1.3, TLS_AES_256_GCM_SHA384, "GET", "/api/v3/comment/list", "limit=50&sort=Old&page=16413"
2025-09-21T14:32:13-04:00 {LB_NAME}: dubvee.org, https, {LB_IP}, 134.19.179.211, - , NL, Amsterdam, North Holland, 52.37590, 4.89750, TLSv1.3, TLS_AES_256_GCM_SHA384, "GET", "/api/v3/comment/list", "limit=50&sort=Old&page=16413"

Mitigation:

First, I blocked the IPs making these requests, but they would come back from a different one. Finally, I implemented a more robust solution.

My final mitigation was to simply reject requests to /api/v3/comment/list that did not have a post ID in the query parameters. I did this by creating a dedicated location block in Nginx that is an exact match for /api/v3/comment/list and doing the checks there.

I could probably add another check to see if the page number is beyond a reasonable number, but since I'm not sure what, if any, clients utilize this, I'm content just blocking unscoped comment list requests entirely. If you have more info or a better suggestion, leave it in the comments.

location = /api/v3/comment/list {

  # You'll need the standard proxy_pass headers such as Host, etc. I load those from an include file.
  include conf.d/includes/http/server/location/proxy.conf;

  # Create a variable to hold a 0/1 state
  set $has_post_id 0;

  # If the URL query string contains 'post_id', set the variable to 1
  if ($arg_post_id) {
    set $has_post_id 1;
  }

  # If the variable is not 1 (i.e. the query string does not contain post_id), return 444
  # 444 is an Nginx-specific return code that immediately closes the connection
  # and wastes no further resources on the request
  if ($has_post_id != 1) {
    return 444;
  }

  # Otherwise, proxy pass to the API as normal
  # (replace this with whatever your upstream name is for the Lemmy API)
  proxy_pass "http://lemmy-be/";
}
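One way to find this traffic in your own access logs, as an added example that is not part of the original post: a Python script that parses lines in the layout of the excerpt above (the field order is assumed from that excerpt, and the sample lines are constructed) and counts, per client IP, comment/list requests that carry no post_id and ask for a page beyond a threshold, which is exactly the pattern the Nginx rule above rejects.

```python
import re
from collections import Counter
from urllib.parse import parse_qs

# Tail of the custom log format shown in the post: "METHOD", "URI", "QUERY"
TAIL_RE = re.compile(r'"(?P<method>[A-Z]+)", "(?P<uri>[^"]*)", "(?P<query>[^"]*)"\s*$')

def parse_line(line):
    """Return (client_ip, uri, query_dict) for one log line, or None if it doesn't match."""
    m = TAIL_RE.search(line)
    if not m or ": " not in line:
        return None
    # Fields after "{LB_NAME}: " are comma-separated; index 3 is the client address
    # (assumed from the excerpt: host, scheme, LB IP, client IP, ...)
    fields = [f.strip() for f in line.split(": ", 1)[1].split(",")]
    if len(fields) < 4:
        return None
    return fields[3], m.group("uri"), parse_qs(m.group("query"))

def is_unscoped_deep_list(uri, query, page_threshold=1000):
    """True when a comment/list request has no post_id and asks for a very deep page."""
    if uri != "/api/v3/comment/list" or "post_id" in query:
        return False
    try:
        page = int(query.get("page", ["1"])[0])
    except ValueError:
        return False  # non-numeric page value; let the API reject it
    return page > page_threshold

def suspicious_ips(lines, page_threshold=1000):
    """Count flagged requests per client IP across the given log lines."""
    hits = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, uri, query = parsed
        if is_unscoped_deep_list(uri, query, page_threshold):
            hits[ip] += 1
    return hits

def _line(ip, query):
    # Constructed sample line in the same layout as the post's excerpt
    return ('2025-09-21T14:32:00-04:00 {LB_NAME}: dubvee.org, https, {LB_IP}, ' + ip +
            ', - , NL, Amsterdam, North Holland, 52.37590, 4.89750, TLSv1.3, '
            'TLS_AES_256_GCM_SHA384, "GET", "/api/v3/comment/list", "' + query + '"')

SAMPLE = [
    _line("134.19.179.211", "limit=50&sort=Old&page=16413"),
    _line("134.19.179.211", "limit=50&sort=Old&page=16414"),
    _line("213.152.162.5", "limit=50&sort=Old&page=12001"),
    _line("10.0.0.7", "post_id=123&sort=Hot&page=1"),  # legitimate, scoped to a post
    _line("10.0.0.8", "limit=50&sort=Old&page=3"),     # unscoped but shallow
]

if __name__ == "__main__":
    for ip, n in suspicious_ips(SAMPLE).most_common():
        print(f"{ip}\t{n}")
```

Pipe a real log through `suspicious_ips(open(path))` and the resulting counts give you the block list the post started with, plus evidence for the page threshold mentioned as a possible second check.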

When I moved to Coreboot, I also elected to encrypt my /boot partition, which is decrypted by the GRUB payload of Coreboot. I mostly worked on this by trial-and-error, which resulted in the workflow:

  1. GRUB unlocks /boot
  2. Keyfile in /boot opens /
  3. Partition for /boot is listed in /etc/crypttab, with another keyfile to unlock /boot again from within Linux
  4. /boot is mounted via /etc/fstab

Steps 3 and 4 always seemed inelegant to me, but after doing systemd-analyze, I realized how much those steps consume when booting (9 sec).

My questions:

  • After GRUB unlocks /boot and boots into Linux proper, is there any way to access /boot without unlocking again?
  • Are the keys discarded when initramfs hands off to the main Linux system?
  • If GRUB supports encrypted /boot, was there a 'correct' way to set it up?
  • Or am I left with mounting /boot manually for kernel updates if I want to avoid steps 3 and 4?

cross-posted from: https://scribe.disroot.org/post/4735415

Archived version

...

The country is pushing lithium extraction and refining, active cathode materials and recycling plants, aiming to close the loop and reduce reliance on imported inputs.

...

The bet combines competitively priced, low-carbon electricity, public support (subsidies, credit lines and streamlined permitting), European financing and a critical mass of industry that lowers transaction costs across the chain.

The co-location of gigafactories, active material suppliers, R&D centres and recyclers creates network effects and accelerates manufacturing learning curves.

...


Today's screenshot is some more Final Fantasy 7 Remake. I did 2 chapters today (that's how you know it's a special occasion) and finally caught up to where I was when I first borrowed this game from my public library.

I went ahead and gave Barret Cactuar as a summoning Materia. I had the Carbuncle on Cloud originally and just didn't think I could equip a second one; turns out I could, though. I gave it to Barret because with his whole earth thing it seemed appropriate. I absolutely love this little guy. I want one on my desk. And he's saved a battle quite a few times since I introduced him.

On the subject of Barret, I love having him along for the party too. I like his personality. They make you think he's going to be this big tough guy, and then he's just a big ol' dorkus. I especially like when he does his own version of the Battle Complete theme.

Moving back a bit, when I was on the Catwalk over Sector 5, it really gave me major Wet Dry World vibes. I think it's because the ground down there looks like one solid flat texture, or at least that's my assumption.

Anyways, after Cloud got tossed down there was when I stopped. That was 2 chapters' worth of content and it was getting late, so I can hopefully pick it up some more tomorrow.


I have a lot of tar and disk image backups, as well as raw photos, that I want to squeeze onto a hard drive for long term offline archival, but I want to make the most of the drive's capacity so I want to compress them at the highest ratio supported by standard tools. I've zeroed out the free space in my disk images so I can save the entire image while only having it take up as much space as there are actual files on them, and raw images in my experience can have their size reduced by a third or even half with max compression (and I would assume it's lossless since file level compression can regenerate the original file in its entirety?)

I've heard horror stories of compressed files being made completely unextractable by a single corrupted bit, but I don't know how much of a risk that still is in 2025. Since I plan to leave the hard drive unplugged for long periods, I want the best chance of recovery if something does go wrong.

I also want the files to be extractable with just the Linux/Unix standard binutils since this is my disaster recovery plan and I want to be able to work with it through a Linux live image without installing any extra packages when my server dies, hence I'm only looking at gz, xz, or bz2.

So out of the three, which is generally considered more stable and corruption resistant when the compression ratio is turned all the way up? Do any of them have the ability to recover from a bit flip or at the very least detect with certainty whether the data is corrupted or not when extracting? Additionally, should I be generating separate checksum files for the original data or do the compressed formats include checksumming themselves?


Hi there. In my search to learn a bit more about Linux, I came across this website called "OverTheWire", which teaches basic and some advanced concepts over SSH. It seems like a fun and engaging way to learn.

However, as a bit of a paranoid beginner when it comes to Linux and networking, I find myself worrying about the potential dangers of connecting to an untrusted network.

So, my questions are:

  1. Does anyone have any experience with the website?

  2. In the hypothetical case that I open an SSH connection to a compromised network, could that expose me to attacks? (Aside from obvious risks like downloading malicious files myself.)

  3. Should I use a virtual machine (VM) for this?

I sincerely appreciate any responses. Thank you!


Students at West Florence High School, around 80 miles east of the state capital, Columbia, had been complaining about a bizarre odor since August 25, with many reporting that it was making them feel unwell.

The school launched an urgent investigation into the smell, spending $55,000 on inspections and air conditioning repairs. Even the high school's gas lines, propane systems, and air quality had been inspected.

However, the source of the odor remained a mystery.

Eventually, students began experiencing nausea, dizziness, and migraines with some seeking medical attention for respiratory issues connected to the smell.


https://archive.is/nElxG

They knew China had raced ahead in sectors like batteries and “everything around energy,” but seeing how big the gap was firsthand left them wondering how European and North American competitors can even survive, says Talia Rafaeli, a former investment banker at both Goldman Sachs Group Inc. and Barclays Plc who’s now a partner at Kompas VC.

Planet A Ventures, a Berlin-based VC, has decided that investments in Western startups spanning battery manufacturing and recycling, electrolysers, solar and hardware for wind are no longer viable, says Nick de la Forge, general partner and co-founder of the firm. He says before the trip he’d suspected China was way ahead; but after going there, those sectors are now “strictly off the list.”

Yair Reem, a partner at Extantia Capital, says the trip has already led his firm to halt investments in Western battery cell manufacturers. Instead, they’ll look for ways to collaborate with Chinese firms across supply chains. When it comes to battery manufacturing in the West, China’s dominance means it’s now “game over,” according to Reem.

Ashwin Shashindranath, a former Macquarie Group managing director who’s now a partner at Energy Impact Partners, says what he saw on the trip made it “very clear” that Western investors live “in a bubble” in their misconceptions about China.
