Mmm, feel that nice astroturf.
The initial access seems to include an Apache CVE from 2019 and a WordPress plugin CVE from 2017. Honestly, UCSD should write a “thank you” letter to Androxgh0st for highlighting their poor patch management, and only using it for C2 in the process, rather than as a beachhead into the network for a full-blown ransomware attack.
If your patch management is this bad, you shouldn’t be allowed to put stuff on the internet.
For anyone else who asked:
WTF is deepin?
It’s less fun than the first guess I came up with based on the name “deep in”, and it’s really just a Chinese Linux Distro with a bunch of re-packaged and/or proprietary applications. Which, one would expect, would be completely balls “deep in” your private information.
First question which popped into my mind was, “Will they force Defender out as well?”
Or, is Microsoft about to abuse its position to stifle competition? Again.
Does anticheat count as antivirus?
No. But, from the article:
Microsoft has been speaking with game developers about how to reduce the amount of kernel usage
The CrowdStrike fiasco was finally enough for Microsoft to look at forcing drivers out of the kernel. This is absolutely a good thing and will hopefully lead to a more stable Windows.
I have it on good authority that you currently have a project idea which you can use to pick one (or more) of those paths and start learning. ;-)
For example user management in studio3T
Not sure how I missed this on my first read of your post. But, this looks like a fancy front end to making MongoDB calls. That makes life easier, MongoDB has a well documented API and a driver for C#. As an aside, if you want to get really good at PowerShell, getting a basic working knowledge of C# and .Net in general is really helpful. For the lazy (and I always like lazy), there’s even a pre-built MongoDB module on the PowerShell Gallery called Mdbc. There is also the Project’s GitHub Page which has a lot of useful info.
Granted, this path likely means learning enough about MongoDB to create/delete/modify users. But you came here expecting a load of homework, right? Also, this is a good excuse to spin up a docker container running MongoDB and go hog wild breaking the fuck out of it (just call it “research” if management asks). And who doesn’t love breaking stuff?
I’d also note that you may be able to get some help along the way by capturing the network traffic to the server caused by the Studio3T GUI. Wireshark can capture the traffic to/from the DB server and you can read that to reverse engineer some of the calls you care about. Just, make sure you talk to your security folks before you download/install Wireshark. If they are worth their salt, they’ll understand an engineer installing/running Wireshark, it just makes their day easier if they know the alert is coming first. Assuming the GUI isn’t complete shit, it may encrypt traffic. This can be dealt with by using the SSLKEYLOGFILE environment variable. In most cases, this results in the TLS keys being saved to a file and that can be imported into Wireshark.
Good luck, and have fun!
There are a few options:
While I don’t doubt that Iranian backed groups are more likely to target US based assets, I’ve been reading these reports for the last couple days and the “guidance” coming out of the US Government (USG) has been incredibly lackluster. CISA is basically saying, “use MFA and don’t use default passwords.” No shit, should I also plug in the power cord? It’d be great if some sector of the USG would publish something useful. Like a rundown of TTPs or even IoCs. The USG no doubt has a ton of SIGINT on these groups, and I understand that they can’t share all of it; but, fuck me could you at least put something more useful out than “use MFA”?
- I don’t want to use the command window for everything, or really much of anything, at least at the start.
With many of the modern distros, you can get a long way without a lot of command line work. But, some interaction will likely still be inevitable. However, most distros include either flatpak or snap, which lets you download, install and update software via the Graphical User Interface (GUI). So, there shouldn’t be too much command line work required.
- I currently use Proton VPN and I’d like to use it on this new laptop too.
It looks like Proton officially supports Ubuntu. And I would note that it expects the GNOME desktop, not KDE. So, Kubuntu will likely run into issues (probably the same issues as Mint). That said, they also have a page on installing on Linux Mint which seems to indicate skipping a single step. There are also guides out there for installing Proton VPN, without using the terminal.
As an aside, unless you need a VPN to securely access a remote network, shift your apparent location or for downloading/sharing copyrighted works, consider saving the money and not paying for a VPN. They are mostly just a waste of money for the average user. Sorry, I’ll get off my soapbox now.
- So, does this mean I should use Ubuntu? And will Kubuntu work or would I have to use a different version of Ubuntu? And is there no way to get Proton without using the console?
Just going with Ubuntu might be easier and it’s the officially supported distro. If you run into a problem, you may have trouble getting support on an unsupported distro. That said, it looks like getting it running on Mint/Kubuntu seems easy enough and works. I’m personally a fan of the KDE desktop (this is where the “K” in Kubuntu comes from) and think it makes the Windows->Linux transition somewhat better.
- if I’m able to change to a custom mouse pointer (I currently use a cute one that I’d like to also use on the new laptop)
Yup, you can change the mouse pointer. Not sure if you can import your current one, but that’s going to depend on the format and where you got it.
- if keyboard shortcuts like alt-tabbing work or are easily configurable
You’ll find many of the shortcuts work the same. Even the ones using the “Windows” key are mostly similar, though you’ll see it referred to as the “Meta” key. Alt-Tab as an example works exactly the same. And yes, they are configurable.
- I’m kind of confused about how updating things works on linux. Will I be able to easily update to a new version of whatever distro I’m using?
So, edging back onto my soapbox for a sec (you can safely skip this whole paragraph, if you want), the software ecosystem in Linux is a mess at the moment. It’s very much the XKCD Standards situation. First, you will likely have the main OS way to update the OS and software. For Ubuntu, this will be via .deb packages. You’ll update these via a command like `sudo apt update && sudo apt upgrade`. Then you will have one or more other package managers for containerized packages. This will be flatpak or snap. Why do we have one (or both) of these? Well, like a lot of standards fuckery it comes down to some very good technical reasons and nerds thinking that they are going to be the one to provide the “One True Solution”. And of course, that’s why we now have multiple competing standards. And then you get AppImage based software for developers who don’t want to be bothered with package managers and who hate security.
(non-soapbox answer) Yes, updating is usually pretty easy, but it may involve updating in more than one place. At minimum, you’re likely to need to do OS updates via something like the `apt` commands and also updating via flatpak.
- Will I be able to easily update to a new version of whatever distro I’m using? Do I even want to update to the newest version?
Mostly yes and absolutely yes. For the distro upgrade here’s an example (not my blog) for the latest Mint upgrade. Pretty simple stuff. As for “Do I even want to update to the newest version?”, tip number one for keeping your system secure is: install your updates. This is true regardless of what OS you’re on. Please, if you install it, keep it up to date. This is what happens when people neglect updates.
- And is there a way to be notified and set auto-updates for some applications?
Yes, and probably best to just turn on automatic updates and forget about it.
- I’ve seen quite a few threads and questions about having to manually update things, but if I get an application from the software manager then will it be as easy as a clicking a button?
Yes, if you install from the software manager (behind the fancy name, this will be either flatpak or snap in Mint or Kubuntu) updates will be a one-click affair. Or better yet, automagically handled, if you turn that on. Turn that on.
- I know I’ll have to adjust and just learn-by-doing some things no matter which distro I pick
Unfortunately yes, there will be a learning curve. But, I promise it’s not so bad and it’s completely worth it. And there are lots of folks here who will be happy to help (and a few jerks who will scream “RTFM!”, sorry about those, they suck.). If things get too bad, you can always go back to Windows, you have a license and it’s pretty easy to reinstall these days.
- uhhh how easy is it to fuck up the process of trying and then installing a linux distro? Like completely-make-the-computer-unusable fuck up?
It’s really, really, really hard to get the computer completely fucked up and unusable, just by changing the OS. Seriously, the most likely way you would do this is by dumping your drink of choice in the keyboard because you got distracted. The great thing about software is that it is very rarely permanent. And nothing you’re doing here would be permanent. Go wild and try a new distro. If things don’t work out, going back to Windows isn’t hard at all.
- So based on all that, should I just go for Linux Mint like most new users? Or would you recommend a completely different distro?
I’m gonna go out on a limb and say that Mint is a great choice and the one I’d recommend. While I don’t use it myself (I hate myself, so I use Arch), it’s got a solid reputation, is designed to make the transition from Windows easier and uses KDE for the interface (don’t worry if that last bit doesn’t make sense, just roll with it). There is also a lot of support available here on Lemmy and across the web.
A couple thoughts. Assuming your motherboard is capable of SATA hot-swap and has it enabled (look in your BIOS), you should be able to umount the game drive, and swap it without shutting down. Assuming the game drives are partitioned using GPT, you should be able to add individual entries in /etc/fstab using the partition UUIDs and control mounting and umounting to specific mount points for different drives. Personally, I would add the noauto option to those entries, so that mounting is done manually and can be controlled easily.
OS drive swapping may be simpler, depending on your BIOS. With the system powered off, swap the drives and assuming the BIOS picks up the new boot partition cleanly, you’re off to the races. The only issue would be if the BIOS just doesn’t want to recognize one of the drives’ boot partitions. I had this issue with my Arch install and my MSI motherboard. The motherboard won’t recognize the default install location and I had to move the boot files around to work in a fallback mode. Annoying, but solvable.
Finally, as others have said, this could all be a matter of over-complicating things. Why not just stuff all the drives in the case and always have everything? You can configure the primary drive’s boot loader to let you pick between which OS to boot. And you can have any and all data drives mounted at the same time. Unless you are struggling with physical space or power requirements, it saves on having to muck about with swapping stuff.
do any of you hate how self-hosting services like photo- or document-management systems, or even a simple rss tool, forces you to sort your stuff out, and put your decades old files in order?!
What is this “sort” thing you speak of? I don’t sort anything, I have NextCloud syncing my entire photos, videos and documents folders and they are just as messy as ever. Granted, I do go through my photos and videos once a year and dump them in a folder named for the year they were taken. Occasionally, I’ll go hog wild and try to sort some of a year’s photos/videos into folders named after events. Though, that hasn’t happened in a number of years. I set up NextCloud so I could have everything synced to my own server and just forget, not have to deal with labeling my data.
As for bookmarks, I already keep those in folders; but, I don’t sync those. I use my desktop far more than I use my phone for web browsing. And the types of things I use my phone for (mostly recipes), I just keep bookmarked there.
The first issue with running a coin miner is using company resources for your own profit. Your own system, using your own electricity, go for it. Running it on a company owned laptop, while at a company building, burning electricity the company is paying for. Ya, that starts to get uncomfortably close to fraud or theft. There is also that whole, “running unauthorized software on a company system, doing who knows what else in the background.” There is a very real possibility that the coin miner has unknown vulnerabilities which could allow remote code execution; or, just outright be malicious and contain a remote access trojan. Maybe he was smart enough to audit all the code it was using and be very sure that’s not the case. More likely, he just grabbed a random implementation of XMRIG, put his wallet in the config file and ran it. Either way, he also made a point of refusing to remove it, so we escalated up to management. With the recent ransomware outbreak having been in the multi-million dollar (possibly low tens of millions) damage range, refusing to remove unauthorized software went over about as well as a lead balloon. There may have been other factors at play; but, the unauthorized software and being a dick about removing it was what got him out the door.
If you spin it up, fucking own it. When you’re done with it, shut it down. I have long lost count of the number of times I’ve reached out to a team to ask about the coin miner they are running on some random EC2 instance only to find out that some jackass spun it up for a test, gave it a public IP, set the VPC to allow any inbound traffic, installed all kinds of random crap and then never updated it. Nor did it get shut down when the test ended. So, a year and a half later, when the software was woefully out of date, someone hacked it and spun up a coin miner. Oh, and the jackass who set it up didn’t bother to enable logging or security monitoring. But, they sure as hell needed the ability to spin stuff up on their own. Because working with IT to get it done right would be too hard for their fragile little ego.
You joke, but I’ve actually been responsible for a coder getting shown the door for running a coin miner on his work laptop.
In his defense, cyber security at that company was crap for a long time. After a ransomware outbreak, they started paying attention and brought some folks like myself in to start digging out. This guy missed the easy out of, “hey that’s not mine!” The logs we had were spotty enough that we would have just nuked the laptop and moved on. But no, he had to fight us and insist that he should be allowed to run a coin miner on his work laptop. Management was not amused.
Same. I had gotten the paid version because the dev deserved something for such a great app. RIF died and I did a hard cutover to Lemmy. Deleted my Reddit account and probably caused some confusion for the cordcutters subreddit. I had a post which was part of the sidebar for about a decade.
Ya, sadly there is still a lot of useful content in the technical subreddits. So I find myself ending up there via search engines on a fairly regular basis. But, I specifically use the Redirector plugin for Firefox to auto-magically force the use of old Reddit. If I hit the site on my work computer, I’m quickly reminded about why I quit the site.
It looks like archive.org is capturing some of lemm.ee. So, it’s possible that most of the images are there and could be referenced.
ChatCCCPT
So, DeepSeek?
As other folks have already covered, most modern websites use TLS (formerly SSL) which will encrypt anything going to/from those sites. Someone could redirect a page to a server they own and try to get you to enter your credentials into their site for harvesting, though you’d probably notice due to errors related to the security certificate. There is a risk here, but it’s not all that bad. Just pay attention to any security errors and maybe don’t go to high value sites (e.g. banking websites). There are some highly technical attacks (e.g. TLS downgrade) which could pose a risk. But, it’s not all that likely, and you’re probably fine. For the most part, you can ignore the “zomg! you need a VPN” ads clogging up YouTube. Yes, they have a use case. No, that’s probably not you.
The other consideration is the security of your system itself. If you are running an old and vulnerable OS, it’s possible that an attacker could use the greater exposure to attack your system. For example, if you are running a Windows 7 system, there’s a real chance that you don’t have the EternalBlue patch applied or some other remote exploit vulnerability can be used to compromise your system. Even with a newer OS, if you haven’t been installing updates, you could have some holes which would allow an attacker in. Though, for most situations, there’s not going to be an attacker just waiting to pounce on your system. So, you probably don’t need to be worried. But, it’s also a good reminder to keep your system up to date, if you’re going to be using WiFi regularly. Some folks just get bored and start poking at anything around them. Make sure the doors are locked when those folks rattle the handle. It can also be useful to have a host based firewall running, even just setting the network to “Public” in Windows will do a lot to mitigate this risk.
Security is always going to come down to a trade off between risk and convenience. Public WiFi can be very useful, but it does carry some risk. In most situations, you can mitigate that risk by keeping your system up to date, having a host based firewall running (even if it’s just Windows setting the network to “Public”), watching URLs/Links carefully and watching for certificate errors in your browser.
On the Privacy side, assume someone can track the domains you are visiting (though likely not the full URL). If you use normal DNS, the network owner can look at DNS logs and know all the sites you visited. Even if you use a different DNS server, the network owner could be sniffing the packets on the wire (DNS is not encrypted). Additionally, WiFi is logically a bus topology; so, anyone on the same network could be sniffing packets and also get all your DNS traffic. This is a good use case for DNS over HTTPS (DoH). With DoH, you can stick to a DNS provider of your choice and get TLS encryption to keep things private. Anyone sniffing packets would know that you are using DoH and would likely know what provider you are using, but not see the contents of the DNS queries.
Of course, even with DNS traffic encrypted, most web servers still rely on Server Name Identification (SNI) to determine the host you are connecting to. The end result of this is that the domain you are visiting is sent, unencrypted over the wire and could be sniffed. There are solutions for this (e.g. eSNI), but they are not widely adopted yet. So, assume that anyone sniffing packets can get a list of the domains you are visiting. If this poses a serious risk to your safety (e.g. you are a journalist working in a repressive regime), this is a use case for a VPN. Though, using a VPN may be obvious to anyone monitoring and they could apply Rubber Hose Cryptanalysis to the problem.
The tl;dr of this all is, you’re probably fine. The fact is, it’s more likely that no one gives a shit about you and all the other folks on that public WiFi are too busy looking at cat pictures to try and hack you. A few simple security hygiene things will cover the 99% situation, and the other 1% isn’t worth worrying about.
Valheim.
Mistlands - Not because “whaaa, Mistlands hard”, but because the whole area is built around verticality and the game engine most certainly is not. Combat in Valheim is generally pretty good, but after a reasonable amount of playtime, you will experience the frustration of swinging under/over enemies, because of minor variations in terrain height. Mistlands dials this problem up to 11, with the added bonus of enemies which specifically take advantage of this problem.
The Mistlands also turns exploration into a boring, grindy chore. The shorelines are a nightmare to sail around and even with the wisp, the mist is always too close to deal with said shorelines. So, you’re hoofing it through terrain which is designed to be difficult to navigate and move across. The feather cape helps, a bit. But, you’re still going to spend way too long faffing about, jumping up one side of a ridge and floating down the other, only to find that you’re in a gully with nothing useful and need to jump up the other side. Seeing dungeon entrances at any range is impossible. Enemies regularly pop out of nowhere and you’re forced into dealing with the combat verticality problems.
I’ll also throw a bit of shade at “Refined Eitr” as a resource, though I think the problem is less the resource and more the grind to get the parts for it. To start with, you need to make a Black Forge, to make that you need Black Cores, to get Black Cores, you need to spend hours in the mists hoping to stumble across one or more dungeons to get the cores. And inside the dungeons, expect lots of combat where the verticality problem is on prominent display. Now that you have the Black Table, you get to make the Eitr Refinery, which requires more Black Cores. Hope you enjoyed getting them the first time! Ok great, more cores obtained, time to go stumbling about again looking for Soft Tissue. With any luck, you’ve been mining (or at least marking) nodes along the way. Though, expect to spend more time lost in the Mists, you need a shit ton of Soft Tissue. Thankfully, this is a resource you can take through a portal, so that’s nice.
And finally, you get to raid Dverger towns for a required material to extract sap, a Sap Extractor. “What about trade? Vikings were well known traders”, you ask. Nope, fuck trade, all that gold you’ve been collecting, go spend it on some clothes which you will never actually use. You want a Sap Extractor, put on your killing pants and get raiding. Ok fine, we have our Sap Extractor covered in Dverger gore. And that gets us to the least horrible part of our Refined Eitr. Sap extraction is not terrible, find a spot with several roots in close proximity and just rotate a few extractors through them.
Right let’s get our Eitr Refinery built…and why the fuck is one of the input ports on the top? Ok whatever, I’ll build some stairs and…why the fuck is this thing tossing off damaging sparks? Yes, I know you can wrap it in iron bars, but seriously what the fuck? Why is this even a game mechanic? It’s really the perfect metaphor for all of the Mistlands. It’s needlessly annoying and doesn’t really provide anything positive for gameplay or fun. Just another pointless grind tossed in because, “players like hard things, right?”