The production of honks must not be mean.
If you don't remember using GetRight to make sure your downloads didn't fail and to schedule it to download all your files at night while you were sleeping so you weren't tying up the phone line ... you're blessed
We used to wake up in the middle of the night to check if the modem didn't hang up and the downloads were still going. And if you woke up in the morning and realized that new game mod required credentials to download and you forgot to set it in GetRight... torture. Have to wait another day to play unless nobody notices you're downloading all day while at school ...
@tedu "here's how I'm formatting this thread" is the twitter thread equivalent of "how to read this manual"
More PGP links, previously published. Collected in the worst possible format, some sort of nonlinear multidimensional twitter thread. A screenshot of notes scrawled on napkins posted to Instagram would be better than this. Even discussions of PGP lack accessibility.
I currently lack the time and have not yet developed the technology to scrape such abominations. But if you're the daring type, feel free to go it alone.
Honestly, if you care about PGP I suspect you've seen it all before. I'm just posting because I find the grotesque thread structure irresistible.
CWs are Vista UAC for social media
You mastodon users clicked through that one without thinking, didn't you?
@tedu My favorite xdg behavior is that it opens .txt files in windows notepad, once you have wine installed.
@opal that was it. unblocked. sorry for that.
@opal after some more consideration, I think I'm blocking your backend server by IP (even though I'm not sure what it is). My post then times out when the backend tries to retrieve my http sig key and times out.
HubZilla is really weird. Objects in the outbox have to and cc fields filled in. Fetching object by id, however, returns same note but with all addresses removed.
Pleroma aesthetic is burning through the last remaining credit on your phone despite having media on click to view because everyone's avatar is a quarter megabyte full size image
“Sudo Mastery, 2nd Edition” open for tech review
I should amend this post to mention I'm using dwm, which results in some bonus hilarity. The mupdf window title is only the filename of the jpeg, so I didn't even know what program it was at first, just that it suddenly appeared and ate half my screen. Firefox was already running on a different screen, and so it was even longer until I discovered that's where the folder view had opened.
I've spent the past few years away, using a computer that behaved mostly predictably, but I am now officially back in freedesktop xdg hell.
Open downloads in chrome.
Click on a jpeg. Opens in mupdf.
Click show folder. Opens the folder in firefox.
@rin The encryption key is derived from your password. You enter the same password on two devices, get the same key, decrypt the data.
The account credentials that get sent to mozilla are also derived from the same password, but in a different way, so they don't actually have your password.
@sh everything is working now. I suppose if I reboot again, I will be able to reproduce wifi working halfway through shutdown, but that seems unnecessary. :)
Openssh taking minutes to become available, booting takes half an hour ... because your server waits for a few bytes of randomness https://daniel-lange.com/archives/152-hello-buster.html
The person bowing deeply emoji, 🙇, is not easily recognizable in my console font. Not recommended for email.
Laptop wifi won't connect with AP. I beg. I plead. I threaten. I bargain. Finally, I surrender. I reboot. Halfway through shutdown, wifi connects.
This is absolutely crazy.. nice work from visa@! 🤯
A new bootloader for #OpenBSD/OCTEON machines is implemented on top of a minimal kernel written to interface with the hardware, due to deficient firmware on the platform.
"Inspired by Linux' kexec(2)"
@devnull depends entirely on application, but 64 bit passwords are not too unwieldy and usually more than enough for most use cases.
DZ: Here's the process in OpenPGP, straight from the spec because I can't repeat this without being convinced I'm having a stroke
@tedu Declare your never-dying love for the PGP setup process.
People on the internet are quoting me again. Quick, do something stupid to shed credibility!
I always felt like 200 hours of Skyrim was really training to improve my cyber skills.
But also main point is restricting talent pool limits outcomes.
@opal ha, well, it has something that's supposed to catch posts that are misdelivered. Or something. I'm not actually the expert, except I seem to bump into it. All part of the fun.
@opal it'll get retried a few times, but historically pleroma does get fussy about my addressing and delivery at times.
I may have lit up the spam filter with too many unmentioned people in cc.
@opal 504 in my log.
2019/07/16 20:17:53 failed to post json to https://anime.website/inbox: http post status: 504
@wowaname i believe the feature in question is ocap fetches, not nodeinfo. that's what the original thread was about.
A mastodon instance that spins up new sidekiqs on random AWS nodes each day. That'd be a fun one to try IP banning. (Actually observed such behavior, btw, not just speculation.)
Overheard on Jason Scott Talks His Way Out of It:
"Git is terrible! What an embarrassment that thing is! It gives you source control at the price of sanity."
Yeah. Yeah I can get behind that. Anything beyond committing and pulling, I need Google and Stack Exchange.
Today in banned words: hacker news censors the word "your". https://news.ycombinator.com/item?id=20451714
The fun part of the last boost song and dance to emulate quotes is when the boost gets dropped and the previous boost was something entirely unrelated.
@coldacid yeah, that's fine. politicians have to listen to citizens, not the other way around. (legally, whether they do is of course what it is.)
Would it be (US) unconstitutional for an elected official to create an account on a federated instance that blocks other instances?
Honk will not be complete until it implements the full activitystreams vocabulary. Every time I scroll past a post without reading it? Yeah, I'm going to send you an Ignore activity for that.
Today I found the Offer activity in activitystreams. I should start using this. Constantly sending out a stream of "hey, I Created this" activities is a little overbearing at times, no? But what if I simply Offered you a post? For your consideration. No pressure.
When somebody accidentally exploits your program and now you can't read your data after it's fixed...
I'm gobsmacked in realising that TypeScript doesn't allow multiple variables assigned to the same type per line.
let foo, bar: number;
...is actually shorthand for "let foo: any, bar: number" instead of "both foo and bar are numbers". How does one figure that out? Strange errors regarding "foo" and its members that don't apply to "bar".
"The video is being transcoded, it may not work properly." Premature federation...
Heh, somebody tried to rig a poll by adding fake votes, but then mastodon sent me an update, and it's quite improbable that I voted on it. Another opsec fail brought about by overly complex software.
@lain The real problem is that federated blocks are only half implemented. They should be boostable so you can share your blocks with your friends. And then they can fave it and block the same person. All these block announcement posts require too much copy and paste. Very sloppy.
Unboxing a new old stock IBM CGA graphics card #retrocomputing
Microsoft book refund processed.
At your request, your order placed on Monday, September 11, 2017 has been refunded. You should see $1.05 credited to your account soon.
It wasn't really at my request, but now I've got my lucky dollar back.
Browsers' search feature doesn't look inside collapsed <details> sections. Tested on chrome, firefox, and safari. I guess this is desirable since the content isn't visible, but also means search isn't useful for jumping to a section with known content.
@flussence but also limited to 25fps... so smoother, but also slower. Can't win.
Heh. I also wonder how much time the devs spent trying to optimize the code by hand.
@11rcombs: it actually upsets me that much of Mario 64's lag is only there because Nintendo forgot to build with -O2 like, the folks who decompiled the game to C that in turn compiles to the original ROM with -O0 have also built it with -O2 and it's substantially faster
@11rcombs: people keep posting the same reply that I've already countered but maybe they'll see it if it's directly threaded: no, higher optimization levels don't cause any known instability, the game built at -O2 with the same compiler syncs perfectly through a 120-star TAS
@11rcombs: everybody makes mistakes in development and some things make it through to release, and especially with games that came out before update patches were a thing, it's hard to blame anyone for them; it's just unfortunate
@11rcombs: and yes this testing was done with the same compiler version the game was originally built with
If it quacks like a goose...
@rin usually that only checks that the handshake is legit. You can cook up ssh over tls and fool it. Maybe.
a probably-wrong feeling about programming that I have
I'm learning how to write tests in Ruby with RSpec for the new features in my Mastodon fork.
Whenever I write unit/integration tests I feel like an atheist performing a ritual so that other people will say, "yes, you have correctly appeased our god, we will now take you seriously"
I think I'm coming around to thinking bias in google search results is okay. Or, maybe not the results themselves, but the idea that the results are biased, and that people believe it.
It means I can ask people, what's an example of google bias, and... wow. That's the search you care about most. How enlightening.
#2176 "How Hacking Works"
If only somebody had warned them that the world would roll them like this.
SQL is the all time reigning champion for making simple tasks seem tantalizingly close yet incomprehensibly undoable.
Doesn't accept my follow request. Sends me posts anyway. (Pretty sure the accept message just got dropped somewhere.)
Oof. Two bars with similar names, say Berry and Barry. Different parts of town. Some genius got two entries for Berry Bar into Uber's database, one with Berry's address and one with Barry's. (But both spelled Berry.) Trying to recreate sequence of events that led to this. Somebody looked up wrong spelling, found no entry, added one? Who knows. Big data crowd wisdom cloud is here to save us all!
Another link for your collection of how activitypub actually works.
@AFresh1 @ed1conf @tedu Yes, but "first edition".
I flip-flop back and forth between wanting to create a cozy hidey-hole for myself away from the cancers of The Internet, and wanting to save humanity from the post-cyberpunk world we exist in today.
I do not fully understand what causes me to go from one position to the other, but it is probably something like "exasperation".
Maybe fedi software should just come with a front-and-centre option to block sites hidden behind CloudFlare entirely.
New rule: no complaining about web site slow load times if the site you're using to complain loads slower than the site you're complaining about.
I've never been in a country in the year 1 until now.
@nihl ah, well, worked for me. :) If I recall though, the first try didn't, so I just started over and then it did work. (For reference, I've never gotten ipsec working.)
But I hear you. It could use some more polish. I think the good news is if you get wireguard working, you know it's working and you're not accidentally using something like 40 bit DES. That's the part people are excited about.
This is fine.
@nihl it is quite minimal. I think part of the difficulty is thinking it will be more complex than it really is. But once I tried it, it just worked.
The hardest part wasn't the WireGuard config, but the assorted options to get the openbsd side configured. (Not sure what you're using.) jasper's guide may help.
@ed1conf @tedu the standard engineer then?
@nihl kinda. if it gets oily, it rarely works. I would always try once, fail, wipe sensor and thumb with shirt, try again. that usually worked.
I keep hearing about "10 ex" engineers and here I'm just a "1 ed" engineer.
XChaCha20 RFC. Extended (192 bit) nonce to allow random nonces.
I kinda watched some of this movie on a plane. Would not give it a strong recommendation either. But this thread is great entertainment.
@matthew_d_green: I’m watching The Girl in the Spider’s Web and they just introduced a character as a “cryptographer”. This is either going to go really well or end pretty badly.
@matthew_d_green: And... apparently the “cryptographer” has developed software that can take over Russian tactical nuclear weapons and... he’s giving a TED talk about it.
@matthew_d_green: Because that’s what one does when they’ve developed magical software that can take over nuclear weapons systems.
@matthew_d_green: This is all moving very fast.
@matthew_d_green: There’s a hacking scene. It apparently involves a 56K modem and the user interface from 1999 Napster.
@matthew_d_green: The software is encrypted. The prompt gives the exact number of letters for the correct password, and shows the spacing between the words.
@matthew_d_green: Surely Lisbeth Salander is going to break out her GPU but — oh no there are creepy men in her apartment. They’re apparently trying to find the most ineffective way to kill her.
@matthew_d_green: “He’s the only one who can open the software.” — Lady, the password is like four English words.
@matthew_d_green: Come on, one of the words is like two letters long. I can’t take this.
@matthew_d_green: I feel like someone spent a lot of time researching the subject matter behind this movie, and then gave up and worked on something totally different.
@matthew_d_green: The crux of this movie is that Sweden is secretly trying to buy “single-user access to the online nuclear weapons” just so the US won’t have it. Hey folks, I have some questions about this logic.
Spoke too soon... (Concurrency bugs are tough that way) MP file offsets reverted.
Everybody decided to publish their post mortems the same day...
Firefox plugin outage is perplexing. They knew the cert was expiring, but let it happen because nobody knew what the effect would be? But even if you think that's fine, why not update it anyway?
At a high level, the story seems simple: we let the certificate expire. This seems like a simple failure of planning, but upon further investigation it turns out to be more complicated: the team responsible for the system which generated the signatures knew that the certificate was expiring but thought (incorrectly) that Firefox ignored the expiration dates.
Even the detailed report is kinda vague. All the teams knew something about something, but... when? Was there a plan to renew the cert ever?
#OpenBSD/luna88k on LUNA-88K2 live demo at OSC 2019 Nagoya. nanotodon is working well!
[Three months prior to the incident] We upgraded our databases to a new minor version that introduced a subtle, undetected fault in the database’s failover system.
[2019-07-10 16:50 UTC] We determined the cluster was unable to elect a primary.
Oof. Errors in failure recovery are hard to test and predict. When it manifests, hard to track.
A new Pokemon mode for doas. Prints fun messages after commands.
tedu used doas. It's super effective!
In it's confusion, tedu entered the wrong password.
@worr haha, I have rule about projects I'm willing to use. If there's more than a dozen or so .file and whatfile in the repo, hard pass.
Anything that requires this much tooling to get off the ground is too complicated for me, I'm never going to be able to get it going.
@mwlucas I read that last part as "sudoroleplay" and was suddenly intrigued...
Perhaps an appendix? :)
In my quest to build an #ActivityPub based simple, no-frills bulletin board / forum system, I've gone ahead and pushed up my work-in-progress #golang ActivityPub single server framework: apcore. It has no README (yet) and still has a lot left TODO.
I hope to use it in the future to launch multiple small ActivityPub applications leveraging common serving, storing, and moderation features. But new #ActivityStreams vocabulary can be readily innovated upon.
@foxhkron I think I'm going to start using this for all future "session expired" error messages.
Tried to launch #sway and got this:
"Proprietary Nvidia drivers are NOT supported. Use Nouveau. To launch sway anyway, launch with --my-next-gpu-wont-be-nvidia and DO NOT report issues."
It must be one of the best error messages I've seen.
@opal yeah, I really dislike the whole business model, and inserting themselves into everything, but even their technical blogs feel slimy. Guess it's not that surprising, actually.
I would cut CF just a little more slack if they didn't manage to turn every post mortem into a "humble" brag about how wonderful and vital and glorious their service is.
CF and their never ending mission to prove devops borat right. It would have taken other lesser companies hours or even days to bring down a network like this, but we have built such magnificent tools and systems we can do it in seconds.
Awhile ago, someone boosted a whine about fediverse documentation and I've gotten fuckall done since. Well, it feels that way
So I wrote a blog post. It's long, rambling, and needs citations. It may contain factual errors. I didn't write for someone who may or may not be contributing somewhere. I wrote it for someone who needed a vent and a little encouragement. It may be useful for the other person all the same
If you read it, I hope it helps you as much as it has me:
I'm this ->||<- close to add
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/51.0.2704.79 Safari/537.36 Edge/14.14931 AcmeClient/23.42
A webdev haiku. I call it The Elements in which Twitter Embeds a Video on a Midsummer Morn.
div.AdaptiveMediaOuterContainer div.AdaptiveMedia div.AdaptiveMedia-container div.AdaptiveMedia-video div.AdaptiveMedia-videoContainer
div.PlayableMedia div.PlayableMedia-container div.PlayableMedia-player div.PlayableMedia-reactWrapper div div div
div div video
I know, it doesn't quite follow the traditional form, but this is art, not programming. The class names are silent.
@mike It's funny. Some parts move really quickly, whereas other parts take an age to stabilise!
Fonts are tough. One particular point from the bug reports is that this was code written to assume it would be used in a safe environment, and then somebody plugged it into the internet. Don't do that. (Either thing, really.)
At the time of this writing, based on the available source code, we conclude that AFDKO was originally developed to only process valid, well-formatted font files. It contains very few to no sanity checks of the input data, which makes it susceptible to memory corruption issues (e.g. buffer overflows) and other memory safety problems, if the input file doesn't conform to the format specification.
@j00ru: I've released the reports of 20 bugs found in Microsoft DirectWrite in the handling of OpenType fonts. They are in the P0 tracker as usual: https://bugs.chromium.org/p/project-zero/issues/list?can=1&q=finder%3Amjurczyk+reported%3A2019-apr-26. The 10 most important ones were fixed in Patch Tuesday yesterday, the rest were closed as vNext.
@j00ru: The affected code is in fact an open-source AFDKO library (Adobe Font Development Kit for OpenType), hosted at https://github.com/adobe-type-tools/afdko. It's included in DWrite.dll since Windows 10 1709 and reachable with controlled input via Direct2D printing.
@j00ru: It was likely added to support so-called "variable fonts", and the attack surface can be triggered e.g. by printing websites with embedded fonts in Edge. We audited and fuzzed it with ASAN on Linux, then repro'ed the issues on Windows.
@j00ru: I find some of the bugs truly amusing. Enjoy the read and stay tuned for more =)
Article about crappy home routers being vulnerable to drive by CSRF. Not mentioned: every large cloud deployment is similarly vulnerable to some sort of SSRF reflection attack. Stop putting your control plane on the web!
Birdsite.link not linking threads together. :(
@tedu being associated with perl6 around techbro culture is basically the internet equivalent of identifying as LGBTQ in southern US states
@flussence was the perl6 post that bad? I thought it was saying perl6 is good?
A delightful story about the inner workings of twitter.
@jeff no, but it's no less true the next release won't either. I've been informed that fediverse developers are required to make more frequent posts about project status and upcoming releases.
Saw Escher's Reptiles used as a slide to illustrate knowledge transfer of best practices between generations of developers. Seems very apt.
We get some book learning. Then we escape into the real world, and grow. But then we try to pass our knowledge down, and it gets flattened in the process, losing all the nuance of reality. And so it goes.
(gdb) print mutex
$7 = 0xdfdfdfdfdfdfdfdf
@feld have you seen fern? https://github.com/enkiv2/fern
The next release of honk will not support ostatus.
Make it stop! (Probably also a decent alternate subtitle.)
I have arrived.
@cwebber @VyrCossont @astraluma Some might see this as a disadvantage, but the advantage of OCAP comes explicitly *from* the API rework that will be required to adopt it. Since ocaps are (as a first-order approximation and most programmers' perspective) typed opaque values used as pointers or handles typically passed by value to dependencies that use them, it makes explicit a lot of security-related state which is currently implicit in trusted code bases that really ought not be trusted.
@lain it's only bloat if you don't feel bad about it. this is just a pragmatic compromise.
New honk, 0.7.4. Fixes a few bugs. Mostly minor usability improvements (in my mind, anyway). Currently planning to grind out a few more sevens before getting too close to 1.0. This release finally breaks the 200K barrier, coming in at 213790 bytes.