@prologic@twtxt.net hey, nice!
I'm watching that he uses a twtxt format with the newest twts at the start of the txt file.
Besides being easier to read for a human and "harder" to write for a script, does it have any benefit you've seen?
@xuu@txt.sour.is Well, it took me like 4 hours to set up, implement and test the PHP library, with all the setup combinations, devices and such.
So I'll say that using a password with a simple function like https://www.php.net/manual/en/function.password-verify.php
is much easier than a whole library requiring communication between the server, the browser and the auth device… There is a security reason for that (mainly to avoid phishing, which is something I like compared to other solutions like SQRL)
You can take a look at the library I'm using, here:
https://eapl.mx/webauthn/_test/client.html
And the implementation there:
https://eapl.mx/twtxt/login.html
What's missing in the examples is having an identity tied to your Auth device (Hardware token or OS service like Microsoft Hello, Apple Keychain, Android Fingerprint). The explanation is long, but the abstraction is there. Your identity and private certificates are held for you by some "magic" device.
@justamoment@twtxt.net that said, WebAuthn/FIDO 2/PassKeys are not that easy to implement but I think they have many improvements for the Authentication problem
@justamoment@twtxt.net sure! I'm working on a proof of concept (in PHP) if you want to take a look at how it works
@movq@www.uninformativ.de Great movie! Even if it's "old" by now, it's very valid in terms of living for the expected transparency and the public spectacle. It makes you think a lot
@prologic@twtxt.net there is, the issue is making those 3 work together in a semi-cooperative environment. It's possible with the right incentives
@movq@uninformativ.de is it perhaps a Hacker mindset of breaking things?
I was reading on Hacker News the other day about the collision of different personalities in the same space. Those wanting to maintain existing systems (the stereotype of the IT guy), the hackers (breaking stuff because why not) and the developers (building things to solve problems).
And in an environment of earning money to make a living. Everything together sounds like a recipe for a very "fun" place to work.
Yep, so you can recover your password, I think. About the real IP address, no idea who's receiving it.
@prologic@twtxt.net I'd like to have a 2FA alternative, at least TOTP (what Google Authenticator uses).
And if you have support for WebAuthn, even better.
Both are self-hostable.
@walves@twtxt.net hey walves!
I assume you have created an account on twtxt.net and you can see this message.
What have you used on Windows? The twtxt client in Python? (It's broken on the newest versions of Python.) If you want your .txt file to be available publicly you could host it on some server or run the twtxt client from some tilde or VPS.
Or use Twtxt.net (which is a Yarn.social server) to manage following other users, receiving mentions, replying to other twts, and such. It creates and serves the text file for you, from a web and mobile interface.
Or you can use various clients (from a terminal) to insert new lines (twts) into the file, and also to read other users' files. Newest versions have extended the protocol to allow replies, hashtags and such.
I use both; in English I like twtxt.net/yarn.social since it's easy to talk as a community. In Spanish I use the traditional approach of hosting a file, more like a micro log.
@abucci@anthony.buc.ci Nice!
I didn't know about https://indieauth.net which seems to be based on OAuth 2.0 (that I have used before), I'll take a look!
@prologic@twtxt.net well, not 100% right but it's a valid assumption.
If you are able to reset your password by email, it's a pretty similar level of security as receiving an access token by email. Anyone with access to your mail could get access to your accounts.
Adding a second factor of authentication could help, or using something with Public/Private crypto would be better, like Client Certs, Fido2 or even hipster things.
And also giving alerts that someone else is connected on your behalf is great (as is done for some banks or Google), but that's a UX compromise between convenience and security.
@prologic@twtxt.net I think the Warning is misleading then…
So it's not disabled, but not set up correctly and for that reason doesn't send mails?
Sure! Here? https://git.mills.io/yarnsocial/yarn/issues
@prologic@twtxt.net Nice!
@prologic@twtxt.net likely the root cause
@justamoment@twtxt.net @prologic@twtxt.net sorry for the typos, stupid phone keyboard (and myself not paying attention, ha)
@justamoment@twtxt.net thanks for sharing! Magic links have a few problems, although it's a useful way to avoid passwords. I like it for some kinds of users.
I wrote a bit about different approaches for Dynamic passwords and passwordless systems if anyone here is interested
@prologic@twtxt.net @justamoment@twtxt.net Same! It's not arriving in my Proton.me/Protonmail inbox, nor Spam.
@justamoment@twtxt.net @prologic@twtxt.net hey, didn't know that! As a fan of magic links, I like that it's available, but "Login with your Email Address" doesn't make it obvious you are going to receive a Dynamic token to your email; in my mind it's like "Instead of your Username and Pwd, use your Email and Pwd"
I'd suggest something like "Send an access to your email", "Send a Magic link", etc.
@akoizumi@social.kyoko-project.wer.ee I like it, buuut I think it's not so easy to implement from the server side, and to set up for most users.
That said, it's a classic alternative
@prologic@twtxt.net 😮
Today I found this passwordless alternative by Steve Gibson
https://sqrl.grc.com/pages/what_is_sqrl/
@~eaplmx@texto-plano.xyz I forgot to add, in the Sign up you don't need a password currently, that will be used later to avoid that anyone could register their device as a valid login.
Also, this is a sandbox, don't take this workflow as an inspiration for any production ready site.
@~eaplmx@eapl.mx If any of you reading this wants to try a stupidly simple WebAuthn/Passkey workflow, go here:
https://eapl.mx/twtxt/signup.html
And then:
https://eapl.mx/twtxt/
If you did that correctly, you'll reach the "Write your twtxt here" part (but you'll have to guess the password, muahaha)
That's my progress for today, it took longer than expected, I hadn't developed in PHP, and forgot the details on file permissions, binary data for cryptography and such. Besides that, it has been a cool exercise.
@mckinley@twtxt.net does it happen? 😮 Didn't know
The main issue I'm currently having with the implementation of WebAuthn in my personal service is the concept that a user only has 1 password but 1..N auth devices 🤔
@prologic@twtxt.net Could it work in the Southern USA called Mexico 🇲🇽?
Just joking, I think it could be used for some digital services, Amazon, Digital Ocean, or similar 🤔
@prologic@twtxt.net that's why I'm asking that many questions.
Another one, when a resource is available in multiple places, like Gopher, HTTP and Gemini (and IPFS, why not?), are there going to be N registries?
Wild idea, how about using the HTTP response codes https://developer.mozilla.org/en-US/docs/Web/HTTP/Status or from Gemini https://gemini.circumlunar.space/docs/specification.gmi
Like 308/31 for redirections, 410/52 for Gone and such
@lyse@lyse.isobeef.org Interesting, let me see…
I'm out of context, why do we need this? (As a community of users and developers, I think)
I'm reading:
The goal is to provide a database that can be fetched periodically to receive a
list of twtxt feed URLs that are known to be wrong for whatever reason.
"Wrong for whatever reason" is too vague in my mind, it doesn't help me to understand how it's useful. I think specific reasons would be better, like "File name changed", "Domain changed", "URL not available anymore/Gone forever" and such could be easier to understand.
What would happen if two URLs have changes, you take the most recent one?
Who's gonna be the main user? Systems like Yarnd checking for changes to auto-correct broken links?
These are my first impressions, and not wanting to say something wrong, it looks appealing. Kudos for the initiative!
@abucci@anthony.buc.ci you'll be surprised how many people spend on things we don't understand…
@prologic@twtxt.net this one https://adarkroom.doublespeakgames.com/mobileWarning.html
I think this is a better link https://github.com/amirrajan/survivingtheappstore/blob/master/manuscript/dev-logs-part-2.md#day-246—feb-7-2014-a-hail-mary-to-editors
@prologic@twtxt.net I don't have any blind friends, so I haven't experienced firsthand how it is to play a game like that.
But I'd like to recommend one of my favorite text based games, perhaps it's something appealing to you
https://github.com/amirrajan/survivingtheappstore/blob/master/manuscript/blind.md
@justamoment@twtxt.net the Readme needs work but you can see the current PHP file here https://github.com/eapl-gemugami/phpub2twtxt
Disclaimer: It's the first playable, ha, and I haven't touched PHP in months
@darch@neotxt.dk Hey, I recognized a known name among the forks, it's simple and it works! Thanks
@prologic@twtxt.net Mario, the plumber!
What have you been doing for the last 5 years?
@prologic@twtxt.net it's a nice one, similar to Mario Odyssey
@rob@twtxt.net the game? Wow, 5 years already
As with the example of the gun, designed to kill people, vs the knife to cook, which could be used to kill someone. Money is not moral, but the monetary systems are. That's the tricky part.
As a scientist, I always have to remind: "Scientists were so preoccupied with whether or not they could, they didn't stop to think if they should."
That's where "good" intentions like Google with the "don't be evil" motto suddenly get evil. A search engine is cool. A whole company designed to sell users' data, not so much. The same thing with anything to store value, it's tightly connected with power, and that may show the worst part of humans.
@prologic@twtxt.net, I'll only add that Bitcoin as the "first" massive cryptocurrency is a vast social experiment, appealing to me as a hacker.
But as with many "successful" experiments it's going out of control. Currently, there are 9k+ different cryptocurrencies, each one trying to improve over the previous, or at least promising new things, and that's where the promises are not going to be fulfilled. It's easier to promise a nicer future than to actually achieve it.
I can't say every crypto + currency system is evil or good. That's ideology, oversimplification appealing to our emotions. "Money is the root of all evil" is BS, the real quote is "the love of money is the root of all evil". I'll say it's the same for Cryptocurrencies. Fanaticism and cult behaviour is the bad part IMO.
@prologic@twtxt.net Never mind, it was a case of RTFM https://docs.flutter.dev/deployment/android
@tkanos@twtxt.net haha, I think it's a Layer 8 error
@prologic@twtxt.net I'm typing from the Goryon app right now.