Hierarchal filesystems are nice and all, but we should consider the possibility that other means of organizing information may be useful. When "I can efficiently drive around the filesystem with cd and ls" morphs from a skill into a fetish, that interferes with objective consideration of alternatives.

Retro albums: https://www.instagram.com/toddalcott/

Reminder that the <b> tag stands for Bring Attention To.

unspecified horror

https://t.co/QAYkacWFus

unspecified horror

https://t.co/mWSmhqk2ZF

If Apple cares so much about privacy, why don't they make an iPhone that doesn't have an IP?

Just a snippet.

var flightdeck = make(map[string][]chan JunkError)

@tedu @trwnh oh, I think I've got it
there might be a race condition if there are multiple reasons your account may be discovered or refreshed at around the same time (e.g. multiple boosts)
we have a lock to prevent data corruption and errors, but it may still perform more fetches than needed. I will have a look into fixing that!

Jortage looks like a cool project. Might be interesting to support, but probably not this week.

We've hadooped the big data and the results are in. My trendiest hashtag is openbsd.

sparc64 ASM and self-harm

Gaaaah! Kicked in the nards by the delay-slot!

(Debugging sparc64 ASM code and finally realized it wasn't working because I had moved a use of %o7 into a 'call' delay-slot ...which the 'call' instruction of course alters before the delay-slot is executed.)

CS 201 level format string here: "CPU%0*d: %*s"

Sigh. Mastodon can't cache for shit. Everytime an elephant that doesn't follow me sees one of my posts, it fetches the full profile data (plus followers, webfinger, outbox, avatar, etc.). It does this even if it fetched this info one minute ago. Repeatedly. Note the timestamps. Now multiple by 5x for all the other endpoints.

185.208.169.86:35930 - - [12/Oct/2019:23:01:23 -0400] "GET /u/tedu HTTP/1.1" 200 0 "" "http.rb/3.3.0 (Mastodon/3.0.0; +host)"
185.208.169.86:36290 - - [12/Oct/2019:23:02:19 -0400] "GET /u/tedu HTTP/1.1" 200 0 "" "http.rb/3.3.0 (Mastodon/3.0.0; +host)"
185.208.169.86:36474 - - [12/Oct/2019:23:03:11 -0400] "GET /u/tedu HTTP/1.1" 200 0 "" "http.rb/3.3.0 (Mastodon/3.0.0; +host)"
185.208.169.86:37120 - - [12/Oct/2019:23:05:20 -0400] "GET /u/tedu HTTP/1.1" 200 0 "" "http.rb/3.3.0 (Mastodon/3.0.0; +host)"
185.208.169.86:38604 - - [12/Oct/2019:23:11:43 -0400] "GET /u/tedu HTTP/1.1" 200 0 "" "http.rb/3.3.0 (Mastodon/3.0.0; +host)"
185.208.169.86:42606 - - [12/Oct/2019:23:25:05 -0400] "GET /u/tedu HTTP/1.1" 200 0 "" "http.rb/3.3.0 (Mastodon/3.0.0; +host)"

DZ: imminent wetness

There's some sort of after dark ghost ship aqua art installation here this month, but about the only thing to see during the day is the warning sign.

Some fanciful breakfast #tacos. #food

I released a snapshot of honk. The actual 0.8 release should some shortly after the end of Mastober, but there's a lot of changes bottled up that probably make life easier. Not to mention fun new toys!

Should be in the honk downloads directory.

Also upgraded honk.best to the snapshot.

People dropping unfree binaries on github with nothing more than a readme in the repo is peak disappointment.

shame mastodon doesn't have a website like nitter

Philly skyline at night.

Location: 39.9595 -75.1688

Some tootles about captchas and stopgaps.

https://twitter.com/mattblaze/status/1182730107359846402

@mattblaze: CAPTCHAs were originally conceived as a stopgap; an inconvenience imposed on legitimate users until we find better solutions to automated bots. But now that they're being used to train commercial ML systems, we're likely stuck with them for a lot longer.

@mattblaze: The original idea was that CAPTCHAs force the adversary to do AI-hard research that would be useful on its own. But now they're giving the adversary the option to do something much more insidious: research how to automatically fool life-critical ML into being falsely trained.

@mattblaze: Are there safeguards against this? Maybe. Maybe not. But all the incentives are completely different from what the original CAPTCHA idea envisioned, with potentially much higher stakes.

@mattblaze: Anyway, leave it to the Internet to find creative ways to make bad ideas worse.

"negative latency" is a phrase amongst my people that translates to the more common phrase "ABSOLUTE TOTAL MADE UP CRAZYPANTS HORSESHIT"

Oh, I say, I'll just go overboard and get a 24 port switch for home, then I'll never have to worry about running out.

Narrator: he was so very naive

Es gibt unerwartet viel thinkpadwifitechsprachen im Zuführung.

This is unfortunate. #openbsd ppt(6) doesn't support utf-8 except with the -b flag.

Today's science word: eutectic frigorific mixture

I've discovered the cause of the missing Mastodon star icons on toots (the "Fav" control): I'd disabled sites setting their own fonts in Firefox.

Re-enabling that and ... It's full of stars!

#MastoTips #Firefox #fonts

I've been working on having 3-way (instead of 2-way) merge conflict markers in #gameoftrees and the results are quite nice so far.

Example (as posted to the mailing list today): https://stsp.name/3way-conflict.txt

The idea is copied from #svn which also does 3-way conflict markers by default nowadays.

Just got Giacomo Vernoni’s VIC 20 book “Commodore VIC 20 A Visual History” and it’s stunning #retrocomputing

Tomohiro Kusumi ported a lot of msdos file system fixes to #DragonFlyBSD, both from #FreeBSD and #NetBSD.

https://www.dragonflydigest.com/2019/10/11/23605.html

So I'm supposed to tap refresh but my options are start fresh or redownload. Which is it? #bezosware

Bringing the pride crossing back to life.

Location: 39.948 -75.1623

Configuring my editor to use emacs bindings for the left hand and vi bindings for the right hand.

What really sparks joy about the goose poem is they managed to incorporate honking, bonking, and zonking, which are of course the three primary verbs in honk.

A colleague showed this Untitled Goose Game-inspired poem to us (made by his wife)

@tedu FYI, German spelling of this would be "Ungemach" and this word has a dedicated page in German Wikipedia

Ongemak sounds like a good name for my next project.

Planet Earth at Blue Hour

Image Credit & Copyright: Matthias Ciprian

https://apod.nasa.gov/apod/ap191011.html #APoD

Hey there friends, PC Elephant here to remind you if somebody posts stuff you like and they're not running pleroma, you can "follow" them to see more. #justatip

We're sorry but Funkwhale doesn't work properly without JavaScript enabled.

I’m making Jalapeño Poppers… the most important ingredient is, contrary to popular opinion, latex gloves.

Random note: I was living in California during "the" "electricity crisis".

https://en.wikipedia.org/wiki/California_electricity_crisis

i've always pronounced "ntsc" in my head as "netsync" but i've decided from now on it is "nut suck"

The Cutest Oscilloscope Ever Made

If you thought your handheld digital oscilloscope was the most transportable of your signal analyzing tools, then you’re in for a surprise. This oscilloscope made by [Mark Omo] measures only one square inch, with the ma… https://hackaday.com/2019/10/10/the-cutest-oscilloscope-ever-made/

Original tweet : https://twitter.com/hackaday/status/1182433939534864384

fun fact

Demystifying Bearer Capability URIs

Historically, there has been a practice of combining URIs with access tokens containing sufficient entropy to make them difficult to brute force. A few different techniques have been implemented to do this, but those techniques can be considered implementation specific. One of the earliest and most notable uses of this technique can be observed in the Second Life backend APIs.

An example of a capability URL being used in the fediverse today would be in the way that Pleroma refers to ActivityPub objects and activities: https://socially.whimsic.al/objects/b05e883b-b66f-421b-ac46-c6018f539533 is a capability URL that allows access to a specific object.

However, while it is difficult for capability URLs to be brute forced due to containing tokens that have sufficient entropy to make guessing them expensive, they are have a serious flaw — since the access token is part of the resource being accessed, they tend to leak the access token in two ways:

• Browser Referer headers
• Server access and error logs

Since the usage of capability URLs has become widespread, a wonderful specification has been released by the IETF: OAuth 2.0. OAuth provides a possible solution in the form of bearer tokens, which can be passed around using an Authorization header.

Bearer Capability URIs (aka bearcaps) are essentially a construct which combines a resource with an access token that happens to grant some form of access to that resource, while keeping that access token out of band. Since the access token is out of band, it cannot be leaked in a Referer header or in a server log.

But what does a bearcap URI look like? It's actually quite simple. Let's build on the example URL I gave above — it's bearcap URI would be something like: bearcap:?u=https://socially.whimsic.al/notice/9nnmWVszgTY13FduAS&t=b05e883b-b66f-421b-ac46-c6018f539533.

Let's break this down into parts.

bearcap is the name of the URI scheme, and then that is further broken down into a pair of URI query parameters:

• u is the URI that the supplied token happens to be able to access in some way
• t is the access token itself

In this case, a client which wanted to consume this bearcap (say to fetch the object behind it) would make a GET request to the URI specified, with the token specified:

GET /notice/9nnmWVszgTY13FduAS HTTP/1.1
Host: socially.whimsic.al
Authorization: Bearer b05e883b-b66f-421b-ac46-c6018f539533
HTTP/1.1 200 OK
[...]

In a future post, we will go into how bearcap URIs can help to bring some aspects of capability-based security to ActivityPub.

I added an events page to #honk to accommodate all the paparazzi in the audience.

Real World Crypto 2020.

I (tentatively) expect to be there.

https://rwc.iacr.org/2020/index.html

Time: 08:00AM EDT Wed Jan 08

Location: Alfred Lerner Hall Columbia University 40.8069717 -73.9647039

@write_as @matt I noticed some writefreely instances are federating with rather shortened object ids. At first I thought this was one instance misconfiguration, but reviewing some logs it seems to be happening quite a bit.

https://pencil.writefree.ly/api/posts/oz4isl4vah has only "id": "/api/posts/oz4isl4vah". This is of course not globally unique.

(There's some wiggle room in the spec regarding relative URIs, but in general I'd say they aren't very useful. I think this is a bug?)

"id": "/api/posts/dddbu2ti0h"

So, yeah, that's not a great global identifiter.

OpenBSD on SPARC64 (6.0 to 6.5) https://eerielinux.wordpress.com/2019/10/10/openbsd-on-sparc64-6-0-to-6-5/ #OpenBSD

I haven't used a Mac desktop machine in eight or nine years, but this does not sound like easy to use.

On the other hand, my openbsd desktop experience has been almost strictly monotonic improvements.

https://tyler.io/broken/

@jj Here is Dead Cells running on #OpenBSD: https://www.youtube.com/watch?v=K_MXG1GM6gk

#PlayOnBSD

DZ: hole for men in a hole

Location: 39.9496 -75.1662

I added a page to the #honk manual documenting the recognized #activitypub vocabulary.

https://humungus.tedunangst.com/r/honk/m/activitypub.7

DZ: doas main

This is the doas main function. You may not like it, but this is what syntax highlighting looks like. (Exact styling still TBD.)

int
main(int argc, char **argv)
{
        const char *safepath = "/bin:/sbin:/usr/bin:/usr/sbin:"
            "/usr/local/bin:/usr/local/sbin";
        const char *confpath = NULL;
        char *shargv[] = { NULL, NULL };
        char *sh;
        const char *p;
        const char *cmd;
        char cmdline[LINE_MAX];
        char mypwbuf[_PW_BUF_LEN], targpwbuf[_PW_BUF_LEN];
        struct passwd mypwstore, targpwstore;
        struct passwd *mypw, *targpw;
        const struct rule *rule;
        uid_t uid;
        uid_t target = 0;
        gid_t groups[NGROUPS_MAX + 1];
        int ngroups;
        int i, ch, rv;
        int sflag = 0;
        int nflag = 0;
        char cwdpath[PATH_MAX];
        const char *cwd;
        char *login_style = NULL;
        char **envp;

        setprogname("doas");

        closefrom(STDERR_FILENO + 1);

        uid = getuid();

        while ((ch = getopt(argc, argv, "a:C:Lnsu:")) != -1) {
                switch (ch) {
                case 'a':
                        login_style = optarg;
                        break;
                case 'C':
                        confpath = optarg;
                        break;
                case 'L':
                        i = open("/dev/tty", O_RDWR);
                        if (i != -1)
                                ioctl(i, TIOCCLRVERAUTH);
                        exit(i == -1);
                case 'u':
                        if (parseuid(optarg, &target) != 0)
                                errx(1, "unknown user");
                        break;
                case 'n':
                        nflag = 1;
                        break;
                case 's':
                        sflag = 1;
                        break;
                default:
                        usage();
                        break;
                }
        }
        argv += optind;
        argc -= optind;

        if (confpath) {
                if (sflag)
                        usage();
        } else if ((!sflag && !argc) || (sflag && argc))
                usage();

        rv = getpwuid_r(uid, &mypwstore, mypwbuf, sizeof(mypwbuf), &mypw);
        if (rv != 0)
                err(1, "getpwuid_r failed");
        if (mypw == NULL)
                errx(1, "no passwd entry for self");
        ngroups = getgroups(NGROUPS_MAX, groups);
        if (ngroups == -1)
                err(1, "can't get groups");
        groups[ngroups++] = getgid();
        if (sflag) {
                sh = getenv("SHELL");
                if (sh == NULL || *sh == '\0') {
                        shargv[0] = mypw->pw_shell;
                } else
                        shargv[0] = sh;
                argv = shargv;
                argc = 1;
        }

        if (confpath) {
                checkconfig(confpath, argc, argv, uid, groups, ngroups,
                    target);
                exit(1);        /* fail safe */
        }

        if (geteuid())
                errx(1, "not installed setuid");

        parseconfig("/etc/doas.conf", 1);

        /* cmdline is used only for logging, no need to abort on truncate */
        (void)strlcpy(cmdline, argv[0], sizeof(cmdline));
        for (i = 1; i < argc; i++) {
                if (strlcat(cmdline, " ", sizeof(cmdline)) >= sizeof(cmdline))
                        break;
                if (strlcat(cmdline, argv[i], sizeof(cmdline)) >= sizeof(cmdline))
                        break;
        }

        cmd = argv[0];
        if (!permit(uid, groups, ngroups, &rule, target, cmd,
            (const char **)argv + 1)) {
                syslog(LOG_AUTHPRIV | LOG_NOTICE,
                    "failed command for %s: %s", mypw->pw_name, cmdline);
                errc(1, EPERM, NULL);
        }

        if (!(rule->options & NOPASS)) {
                if (nflag)
                        errx(1, "Authorization required");

                authuser(mypw->pw_name, login_style, rule->options & PERSIST);
        }

        if ((p = getenv("PATH")) != NULL)
                formerpath = strdup(p);
        if (formerpath == NULL)
                formerpath = "";

        if (unveil(_PATH_LOGIN_CONF, "r") == -1)
                err(1, "unveil");
        if (rule->cmd) {
                if (setenv("PATH", safepath, 1) == -1)
                        err(1, "failed to set PATH '%s'", safepath);
        }
        if (unveilcommands(getenv("PATH"), cmd) == 0)
                goto fail;

        if (pledge("stdio rpath getpw exec id", NULL) == -1)
                err(1, "pledge");

        rv = getpwuid_r(target, &targpwstore, targpwbuf, sizeof(targpwbuf), &targpw);
        if (rv != 0)
                err(1, "getpwuid_r failed");
        if (targpw == NULL)
                errx(1, "no passwd entry for target");

        if (setusercontext(NULL, targpw, target, LOGIN_SETGROUP |
            LOGIN_SETPATH |
            LOGIN_SETPRIORITY | LOGIN_SETRESOURCES | LOGIN_SETUMASK |
            LOGIN_SETUSER) != 0)
                errx(1, "failed to set user context for target");

        if (pledge("stdio rpath exec", NULL) == -1)
                err(1, "pledge");

        if (getcwd(cwdpath, sizeof(cwdpath)) == NULL)
                cwd = "(failed)";
        else
                cwd = cwdpath;

        if (pledge("stdio exec", NULL) == -1)
                err(1, "pledge");

        syslog(LOG_AUTHPRIV | LOG_INFO, "%s ran command %s as %s from %s",
            mypw->pw_name, cmdline, targpw->pw_name, cwd);

        envp = prepenv(rule, mypw, targpw);

        /* setusercontext set path for the next process, so reset it for us */
        if (rule->cmd) {
                if (setenv("PATH", safepath, 1) == -1)
                        err(1, "failed to set PATH '%s'", safepath);
        } else {
                if (setenv("PATH", formerpath, 1) == -1)
                        err(1, "failed to set PATH '%s'", formerpath);
        }
        execvpe(cmd, argv, envp);
fail:
        if (errno == ENOENT)
                errx(1, "%s: command not found", cmd);
        err(1, "%s", cmd);
}

Interesting side effect. I implemented a post collapser if the post length is too long, but it's based on total size of html bytes, not text. Since mentions expand like 10x, it indirectly serves as a hellthread filter too.

I just saw on reddit that the opposite of “easy peasy lemon squeezy” is “stressed depressed lemon zest” and now I’m using that all the time.

(stolen from ​ https://twitter.com/kieranmch/status/1181485098023174144 )

I'm not sure that a "Free HK" poster at a Sixers game being a reference to Phillies announcer Harry Kalas passes the plausible deniability bar, but nice try.

https://whyy.org/articles/a-sixers-fan-brought-a-free-hong-kong-sign-to-tuesdays-game-heres-what-happened-next/

I saw this on twitter a few days ago, and thought it was some dumb ironic joke (fraudster: is this you? me: no. click. haha, great lulz) because threads are stupid (it's 2019 people, you don't need to pay by the byte to blog), but having seen it multiple times now and reading the rest of it, I guess it's kinda interesting.

https://twitter.com/DigitalLawyer/status/1181348690683760642

@DigitalLawyer: Oooof. Was just subjected to the most credible phishing attempt I've experienced to date. Here were the steps: 1) "Hi, this is your bank. There was an attempt to use your card in Miami, Florida. Was this you?" Me: no.

@DigitalLawyer: 2) "Ok. We've blocked the transaction. To verify that I am speaking to Pieter, what is your member number?" Me: <gives member number> (that number, by itself, is useless).

@DigitalLawyer: 3) "We've sent a verification pin to your phone." ~ Gets verification pin text from bank's regular number ~ Me: <reads out the pin>

@DigitalLawyer: 4) "Ok. I am going to read some other transactions, tell me if these are yours. ~ Reads transactions ~" Me: Yes. These are all legitimate transactions I made

@DigitalLawyer: 5) "Thank you! We now want to block the pin on your account, so you get a fraud alert when it is used again. What is your pin?" Me: Are you effing kidding me, no way.

@DigitalLawyer: 6) Ok! But than we can't block your card Me: that is bs. ~ hangs up, calls the fraud department of bank ~

@DigitalLawyer: --> Once I gave my member number, the attacker used the password reset flow to trigger a text message from the bank. --> They used this to gain access to the account. --> Then read some of my transactions to give the call more credibility

@DigitalLawyer: --> Needed the pin to send money, failed at that step. --> Everything before the "what is your pin" seemed totally legitimate. English was perfect. The bank verification code, sent by the expected number, tricked me. --> The asking for my pin over the phone... not so much.

@DigitalLawyer: Stay safe out there people. And now... joyfully resetting all my passwords, filing a police report, getting additional fraud detection in place. Never a dull moment!

Real World New York 2020!

https://rwc.iacr.org/2020/index.html

Native pleroma client written in WxErlang when?

Hippos
Tusky_1570652003828_ET32G4IDS2.…

"Troubles with Bro"

mood

I like using a tiling window manager so I can splitscreen my browser and read one medium article eviscerating facebook for not censoring enough and another medium article eviscerating facebook for censoring too much at the same time.

It's 2019 and I keep forgetting that CLI tools can now and regularly do have spying ("analytics") built in.

Enjoy: Ken Thompson's Unix password
https://leahneukirchen.org/blog/archive/2019/10/ken-thompson-s-unix-password.html

400,000 commits! Theo's right, that is a awful lot of commits by a lot of really amazing people! Congrats everyone! ​ ​

Nice milestone to hit just before the 6.6 release! ​

https://marc.info/?l=openbsd-tech&m=157059352620659&w=2

#OpenBSD #OpenSSH #OpenSMTPD #OpenNTPD #LibreSSL #OpenBGPD #tmux

me working with iptables after maintaining a pf router for 2 months
kizuna-disgusting.jpg

Hey there friends, PC Elephant here to remind you if there's a post in your feed you don't like, you can scroll past it, but keep your eyes closed if you scroll back up or refresh the page so you don't see it again. #justatip

It's been five and a half years since Dropbox announced pyston.

https://blogs.dropbox.com/tech/2014/04/introducing-pyston-an-upcoming-jit-based-python-implementation/

There's a lot of noise here because omg top posters are the very worst, but somewhere at the bottom is an email from bill gates saying windows blows.

https://blog.seattlepi.com/microsoft/files/library/2003Jangatesmoviemaker.pdf

unspecified horror

https://t.co/QbXfZ7EvVO

OH @ work: load average: 1645.50, 1597.72, 1407.9

amazing

@grainloom I haven't liked rocket.chat since that time I visited their homepage and their background animation ate all my RAM and/or CPU. That was possibly the first time I heard my 2013 MBP's fans go at full power.

https://mickens.seas.harvard.edu/tenure-announcement

James Mickens is a treasure

RT @mjg59@birdsite.link
The answer is always "use getrandom()". getrandom() blocks? Your system doesn't have enough entropy to seed the rng. Fix that, don't come up with other ways to make yourself believe you're generating random numbers.

https://twitter.com/mjg59/status/1181423056268349441

19.2oz white claw spotted in the wild. #drink

Woah, hot off the #freedomball news wire, the double doinker is back in the NFL.

DZ: chronolarceny

Hello from #Firefox on #OpenBSD #arm64!

Hrmm, something in pleroma's css makes it display inline img as display: block? And not default inline? But I can't find it.

Me: My eyes hurt every time I look at a pleroma sql query.

Ophthalmologist: Don't do that.

unspecified horror

https://t.co/ymrT52rqF5

We have some people on Friend Camp who *almost never* post federated, and that's okay. Their presence here helps keep other people who *do* federate engaged and enjoying their time on Friend Camp!

So that was a weird one... social.firc.de just bombed me with a bunch of messages signed with the wrong keys...

@tedu @sean manuskript? http://www.theologeek.ch/manuskript/

ostorybook: https://ostorybook.tuxfamily.org/?lng=en

possibly a few others

Does anyone know of a good FOSS alternative to Scrivener? I've heard Scrivener itself is a great tool for writers that are concerned about managing multiple chapters and narratives, but I was curious about whether there were any good alternatives out there.

Six months ago I'd never even heard of wasabi. Halcyon days of yore.

https://bugs.gentoo.org/560346

GNOME 3 breaks "s" key for multiple users. Resolved by not using GNOME any more

For example, although the pattern ‘^(.*)\1{14}(.*)\2{13}$’ matches only lines whose lengths can be written as a sum 15x + 14y for nonnegative integers x and y, the pattern matcher does not perform linear Diophantine analysis and instead backtracks through all possible matching strings, using an algorithm that is exponential in the worst case.

hahahahaaaa what
絵.png

I guess "you need to distress" is something you would say to somebody taking things too easy.

What the hell did I just read?

https://marc.info/?l=openbsd-misc&m=157047644820644&w=2

Not sure how I achieved this, but the #honk menu is now precisely sized to fit my browser window. Every item added after this means an item must be removed.

what if we build the houses out of the avocados

Hey there friends, PC Elephant here to remind you we've got a plan and everything is coming together just the way we envisioned it. #justatip