I make and sell BusKill laptop kill cords. Monero is accepted.

https://michaelaltfield.net/

  • 39 Posts
  • 31 Comments
Joined 1 year ago
cake
Cake day: June 12th, 2023

help-circle











  • The fines usually are a percent of revenue or millions of Euros, whichever is higher.

    So if your revenue is 0 EUR then they can fine you the millions of Euros instead. The point of the “percent of revenue” alternative was for larger corporations that can get fined tens or hundreds of millions of Euros (or, as it happened to Meta, in some cases – billions of Euros for a single GDPR violation).


  • The fines usually are a percent of revenue or millions of Euros, whichever is higher.

    So if your revenue is 0 EUR then they can fine you the millions of Euros instead. The point of the “percent of revenue” alternative was for larger corporations that can get fined tens or hundreds of millions of Euros (or, as it happened to Meta, in some cases – billions of Euros for a single GDPR violation).


  • That would be true if their instance wasn’t federating. If the instance is federating, then it’s downloading content from other users, even if the user isn’t registered on the instance. And that content is publicly available.

    So if someone discovers their content on their instance and sends them a GDPR request (eg Erasure), then they are legally required to process it.


  • It’s definitely not impossible to contact all instances; it’s a finite list. But we should have a tool to make this easier. Something that can take a given username or post, do a search, find out all the instances that it federated-to, get the contact for all of those instances, and then send-out a formal “GDPR Erasure Request” to all of the relevant admins.









  • This is a big problem. At the time of writing:

    1. Users cannot delete their images on Lemmy
    2. If a user deletes their account, their images don’t get deleted
    3. There is no WUI for admins to delete images on Lemmy
    4. It is very difficult for admins to find & delete images on Lemmy (via the CLI)
    5. The Lemmy team didn’t bother documenting how admins can delete images on Lemmy

    How to purge images in Lemmy

    pict-rs is a third-party simple image hosting service that runs along-side Lemmy for instances that allow users to upload media.

    At the time of writing, there is no WUI for admins to find and delete images. You have to manually query the pict-rs database and execute an API call from the command-line. Worse: Lemmy has no documentation telling instance admins how to delete images 🤦

    For the purposes of this example, let's assume you're trying to delete the following image

    https://monero.town/pictrs/image/001665df-3b25-415f-8a59-3d836bb68dd1.webp
    

    There are two API endpoints in pict-rs that can be used to delete an image

    Method One: /image/delete/{delete_token}/{alias}

    This API call is publicly-accessible, but it first requires you to obtain the image's `delete_token`

    The `delete_token` is first returned by Lemmy when POSTing to the `/pictrs/image` endpoint

    {
       "msg":"ok",
       "files":[
          {
             "file":"001665df-3b25-415f-8a59-3d836bb68dd1.webp",
             "delete_token":"d88b7f32-a56f-4679-bd93-4f334764d381"
          }
       ]
    }
    

    Two pieces of information are returned here:

    1. file (aka the "alias") is the server filename of the uploaded image
    2. delete_token is the token needed to delete the image

    Of course, if you didn't capture this image's `delete_token` at upload-time, then you must fetch it from the postgres DB.

    First, open a shell on your running postgres container. If you installed Lemmy with docker compose, use `docker compose ps` to get the "SERVICE" name of your postgres host, and then enter it with `docker exec`

    docker compose ps --format "table {{.Service}}\t{{.Image}}\t{{.Name}}"
    docker compose exec <docker_service_name> /bin/bash
    

    For example:

    user@host:/home/user/lemmy# docker compose ps --format "table {{.Service}}\t{{.Image}}\t{{.Name}}"
    SERVICE    IMAGE                            NAME
    lemmy      dessalines/lemmy:0.19.3          lemmy-lemmy-1
    lemmy-ui   dessalines/lemmy-ui:0.19.3       lemmy-lemmy-ui-1
    pictrs     docker.io/asonix/pictrs:0.5.4    lemmy-pictrs-1
    postfix    docker.io/mwader/postfix-relay   lemmy-postfix-1
    postgres   docker.io/postgres:15-alpine     lemmy-postgres-1
    proxy      docker.io/library/nginx          lemmy-proxy-1
    user@host:/home/user/lemmy# 
    
    user@host:/home/user/lemmy# docker compose exec postgres /bin/bash
    postgres:/# 
    

    Connect to the database as the `lemmy` user

    psql -U lemmy
    

    For example

    postgres:/# psql -U lemmy
    psql (15.5)
    Type "help" for help.
    
    lemmy=# 
    

    Query for the image by the "alias" (the filename)

    select * from image_upload where pictrs_alias = '<image_filename>';
    

    For example

    lemmy=# select * from image_upload where pictrs_alias = '001665df-3b25-415f-8a59-3d836bb68dd1.webp';
     local_user_id | pictrs_alias | pictrs_delete_token | published 
    ---------------+--------------+---------------------+-----------
    1149 | 001665df-3b25-415f-8a59-3d836bb68dd1.webp | d88b7f32-a56f-4679-bd93-4f334764d381 | 2024-02-07 11:10:17.158741+00
    (1 row)
    
    lemmy=# 
    

    Now, take the `pictrs_delete_token` from the above output, and use it to delete the image.

    The following command should be able to be run on any computer connected to the internet.

    curl -i "https://<instance_domain>/pictrs/image/delete/<pictrs_delete_token>/<image_filename>"
    

    For example:

    user@disp9140:~$ curl -i "https://monero.town/pictrs/image/delete/d88b7f32-a56f-4679-bd93-4f334764d381/001665df-3b25-415f-8a59-3d836bb68dd1.webp"
    
    HTTP/2 204 No Content
    server: nginx
    date: Fri, 09 Feb 2024 15:37:48 GMT
    vary: Origin, Access-Control-Request-Method, Access-Control-Request-Headers
    cache-control: private
    referrer-policy: same-origin
    x-content-type-options: nosniff
    x-frame-options: DENY
    x-xss-protection: 1; mode=block
    X-Firefox-Spdy: h2
    user@disp9140:~$ 
    

    ⓘ Note: If you get an `incorrect_login` error, then try [a] logging into the instance in your web browser and then [b] pasting the "https://<instance_domain>/pictrs/image/delete/<pictrs_delete_token>/<image_filename>" URL into your web browser.

    The image should be deleted.

    Method Two: /internal/purge?alias={alias}

    Alternatively, you could execute the deletion directly inside the pictrs container. This eliminates the need to fetch the `delete_token`.

    First, open a shell on your running `pictrs` container. If you installed Lemmy with docker compose, use `docker compose ps` to get the "SERVICE" name of your postgres host, and then enter it with `docker exec`

    docker compose ps --format "table {{.Service}}\t{{.Image}}\t{{.Name}}"
    docker compose exec <docker_service_name> /bin/sh
    

    For example:

    user@host:/home/user/lemmy# docker compose ps --format "table {{.Service}}\t{{.Image}}\t{{.Name}}"
    SERVICE    IMAGE                            NAME
    lemmy      dessalines/lemmy:0.19.3          lemmy-lemmy-1
    lemmy-ui   dessalines/lemmy-ui:0.19.3       lemmy-lemmy-ui-1
    pictrs     docker.io/asonix/pictrs:0.5.4    lemmy-pictrs-1
    postfix    docker.io/mwader/postfix-relay   lemmy-postfix-1
    postgres   docker.io/postgres:15-alpine     lemmy-postgres-1
    proxy      docker.io/library/nginx          lemmy-proxy-1
    user@host:/home/user/lemmy# 
    
    user@host:/home/user/lemmy# docker compose exec pictrs /bin/sh
    ~ $ 
    

    Execute the following command inside the `pictrs` container.

    wget --server-response --post-data "" --header "X-Api-Token: ${PICTRS__SERVER__API_KEY}" "http://127.0.0.1:8080/internal/purge?alias=<image_filename>"
    

    For example:

    ~ $ wget --server-response --post-data "" --header "X-Api-Token: ${PICTRS__SERVER__API_KEY}" "http://127.0.0.1:8080/internal/purge?alias=001665df-3b25-415f-8a59-3d836bb68dd1.webp"
    Connecting to 127.0.0.1:8080 (127.0.0.1:8080)
    HTTP/1.1 200 OK
    content-length: 67
    connection: close
    content-type: application/json
    date: Wed, 14 Feb 2024 12:56:24 GMT
    
    saving to 'purge?alias=001665df-3b25-415f-8a59-3d836bb68dd1.webp'
    purge?alias=001665df 100% |*****************************************************************************************************************************************************************************************************************************| 67 0:00:00 ETA
    'purge?alias=001665df-3b25-415f-8a59-3d836bb68dd1.webp' saved
    
    ~ $ 
    

    ⓘ Note: There's an error in the pict-rs reference documentation. It says you can POST to `/internal/delete`, but that just returns 404 Not Found.

    The image should be deleted

    Further Reading

    Unfortunately, it seems that the Lemmy develoeprs are not taking these moral and legal (GDPR) risks seriously (they said it may take years before they address them), and they threatened to ban me for trying to highlight the severity of this risk, get them to tag GDPR-related bugs, and to prioritize them.

    If GDPR-compliance is important to you on the fediverse, then please provide feedback to the Lemmy developers in the GitHub links above.

    Attribution

    This comment was copied from the following article: Nightmare on Lemmy Street (A Fediverse GDPR Horror Story)

    Nightmare on Lemmy St - A GDPR Horror Story
    Nightmare on Lemmy Street (A Fediverse GDPR Horror Story)








  • You definitely can do that, but if you’re afraid that you might stand-up and forget you’re using it, then you probably shouldn’t.

    It’s probably enough to just use the default trigger that locks your screen. Or, once you get comfortable with it, set it to shut down your computer. Most people don’t need to shred their FDE keys, unless they’re facing torture.

    In fact, we make it difficult to use “destructive” triggers (like the LUKS Header Shredder that wipes the FDE header) and intentionally do not include the ability to switch to it in the app. To use it, you have to do a lot of extra work. So most users don’t have this issue.






  • Thank you for your input, but I think it’s worth mentioning that that’s absolutely not true.

    To be clear: I’m not asking for a no-KYC solution. I’m happy to auth with my company’s official government-issued registration records, with my personal government-issued ID, etc.

    I’m not aware of any regulations that require a phone number. There are regulations (eg UK’s PSD2) that effectively require 2FA – and many banks chose to implement this requirement via phone numbers.

    Hopefully one day the regulations will explicitly prohibit 2FA OTPs from being transmitted at all (ie so banks are forced to use secure 2FA methods like TOTP or U2F instead of insecure methods like SMS, email, etc). But currently I’m not aware of any KYC regulations that require a phone number from the customer.





  • Yes, it’s clearly disclosed in my profile that I am the founder of the BusKill project.

    This is a PSA that our sale has started. I’ve had inquiries from members of our community asking about Black Friday sales.

    10% off is barely any discount anyway.

    Sorry, we’re a very small open-source shop. I’ve paid myself nothing so-far. The price just barely breaks-even for the business.

    All of this is explained in-detail in “The Finances” section here.

    Prices would drop dramatically if we could do production runs (and actually sell) >10,000 units at a time. Currently we only sell a few cables per month. If you want to help, please tell all your security-conscious friends about BusKill :)