ocdtrekkie

twtxt.net

a ferret

Recent twts from ocdtrekkie
In-reply-to » The Arc browser is the Chrome replacement I’ve been waiting for Good overview of the new Chrome based browser project that's been in development over the last year. I haven't tried it yet and in fact this is the first I've heard about it, but I'm always interested in browser projects that have a new approach to the web so I signed up to try the service.

@mckinley@twtxt.net The fact that nothing on their website even mentions a business model and that their company’s values page is entirely about vision and not at all about privacy or user rights at all should drive everyone far, far, far away from this thing.

In-reply-to » Wrote a new Sandstorm.io app tonight in less than an hour called Sum: https://apps.sandstorm.io/app/uw6vkwgwkeqv9fdkh94hqwt6nh4jfm02hzf3mkth1qfntkfx8cjh?experimental=true

A point of pride to me is that in a single file of less than 50 lines of code: Dark mode is supported without a whole stylesheet and input is validated without JavaScript.

In-reply-to » Tim Berners-Lee Wants Us To 'Ignore' Web3, It's 'Not the Web at All' Tim Berners-Lee, the British computer scientist credited with inventing the World Wide Web in 1989, said Friday that he doesn't view blockchain as a viable solution for building the next iteration of the internet. From a report: He has his own web decentralization project called Solid. "It's important to clarify in order to discuss the impacts ...

@prologic@twtxt.net Not quite that bad, but imagine a system that let you keep all your Word docs. But could remove your Microsoft Office install at any time. You might be able to recover your data and use them with another app, but it won’t really be the same. And also Microsoft Office was a cloud service?

In-reply-to » Tim Berners-Lee Wants Us To 'Ignore' Web3, It's 'Not the Web at All' Tim Berners-Lee, the British computer scientist credited with inventing the World Wide Web in 1989, said Friday that he doesn't view blockchain as a viable solution for building the next iteration of the internet. From a report: He has his own web decentralization project called Solid. "It's important to clarify in order to discuss the impacts ...

@prologic@twtxt.net So the problem with Solid is that the concept is to control your data, and merely allow apps to access that data. Aka, a significant downgrade from any selfhosting, because your apps can still disappear at any time.

The only reason this would make sense is if you really really were focused on enabling proprietary services while still giving lip service to owning your data.

In-reply-to » Tim Berners-Lee Wants Us To 'Ignore' Web3, It's 'Not the Web at All' Tim Berners-Lee, the British computer scientist credited with inventing the World Wide Web in 1989, said Friday that he doesn't view blockchain as a viable solution for building the next iteration of the internet. From a report: He has his own web decentralization project called Solid. "It's important to clarify in order to discuss the impacts ...

@prologic@twtxt.net Kinda. As per usual, Tim Berners-Lee is in the media here to promote Solid, a bad self-hosting idea that only gets coverage because Tim’s famous.

In-reply-to » Learned a cute little trick on github today and figured I'd share in case there are others like me who didn't know this.

@abucci@anthony.buc.ci Whether warning before or after the date is somewhat immaterial, except it slides the sysadmin window even narrower, for no good reason. Google’s already aggressively forced everyone to a 12 month deadline. Not everything supports Let’s Encrypt. And so every year we have a window where I have to rush around and update all the certs before the expiration date, but if I start the process too soon, then I am doing it every eleven months, because of that absolute 12 month cap.

And again, there’s nothing inherently less secure about a 13 month old cert than a 12 month old cert. About 99% of certificate behavior is security theater and Google flexing its ability to force everyone to do what it says.

In-reply-to » Learned a cute little trick on github today and figured I'd share in case there are others like me who didn't know this.

@abucci@anthony.buc.ci I think TLS is fine. I think PKI is a crock of garbage, because most participants in PKI are garbage, and Google has complete capture of it and makes decisions that work best for it, and not the real world.

Ultimately what I think should happen for certificate expiration is browsers should soft-warn for like a week or two after expiry, with like a yellow address bar, as opposed to trying to block navigation. The risk of an expired cert just doesn’t justify browser behavior.

In-reply-to » Learned a cute little trick on github today and figured I'd share in case there are others like me who didn't know this.

@abucci@anthony.buc.ci I literally had to fix an outage this weekend caused by a weird certificate. Not external facing, but the security risk caused by it was nonexistent, and yet, it was implemented as a requirement and caused random unexpected breakage when it expired itself.

In-reply-to » Learned a cute little trick on github today and figured I'd share in case there are others like me who didn't know this.

Unfortunately, I feel that right now the people who decide on how to run PKI are so far removed from the real world and practical concerns, it’s straight up comical. 81% of organizations have had outages caused by expired certificates, something that has almost no real world security benefit. https://betanews.com/2022/03/22/81-percent-of-organizations-have-outages-caused-by-expired-certificates/

In-reply-to » Twitter Is Now an Elon Musk Company Elon Musk has "added [Twitter] to his business empire after months of legal skirmishes," writes The Verge's Elizabeth Lopatto, citing reports from CNBC, The Washington Post and Insider. From the report: Musk's first move on Thursday was to oust Parag Agrawal, who was Twitter's last CEO as a public company. Chief financial officer Ned Segal and Vijaya Gadde, the company's policy chief whom Musk had publi ...

@prologic@twtxt.net Yep, it’s the land of Musk. The Fediverse is seeing its standard huge population uptick on the news, that will disappear again in a month or two as usual.

In-reply-to » Almost a year ago, I committed a patch to my browser that made it default to HTTPS. So when I enter foo.com, it goes directly to https://foo.com, instead of going to http://foo.com and “hoping” for a redirect.

@abucci@anthony.buc.ci Well in this case the problem is that corporations tend to make and control all the web browsers.

In-reply-to » Almost a year ago, I committed a patch to my browser that made it default to HTTPS. So when I enter foo.com, it goes directly to https://foo.com, instead of going to http://foo.com and “hoping” for a redirect.

@prologic@twtxt.net It does, but EV was already just prohibitively expensive. It’s very hard for corporations to distinguish between malware authors and hobbyist developers, unfortunately.

In-reply-to » Almost a year ago, I committed a patch to my browser that made it default to HTTPS. So when I enter foo.com, it goes directly to https://foo.com, instead of going to http://foo.com and “hoping” for a redirect.

@prologic@twtxt.net @abucci@anthony.buc.ci The entire public key infrastructure is kinda a joke, tbh. Let’s Encrypt made HTTPS free, but in practice that mostly just means malware can be delivered securely to your PC. EV certs made a lot more sense, but Google had to deprecate those, VMC appears to be a potentially worthy replacement though.

In-reply-to » Speaking of SSO and a draft blog post I'm writing that I think I'll call Protecting Internal Web Resources (comments, feedback welcome before I publish 🙏) -- I've been thinking for a while now about building a new project based around Indie Auth that provides a full solution to managing a set of users that you could use in place of the more traditional approach of LDAP or Active Directory (shudder 🙄). The use-case I have in mind is to (for example) have auth.example.com that runs this software, lets me manage users, users can manage their credentials, information, etc. Then other software like Gitea, Authelia, or basically anything you want could use it as an "Authentication backend" / "Identity Provider".

@prologic@twtxt.net The official lingo is ocap for object capabilities. And FWIW that is still IMHO just a need for better implementation by Sandstorm: Capabilities done right actually cause a lot less friction than ACLs!

In-reply-to » Speaking of SSO and a draft blog post I'm writing that I think I'll call Protecting Internal Web Resources (comments, feedback welcome before I publish 🙏) -- I've been thinking for a while now about building a new project based around Indie Auth that provides a full solution to managing a set of users that you could use in place of the more traditional approach of LDAP or Active Directory (shudder 🙄). The use-case I have in mind is to (for example) have auth.example.com that runs this software, lets me manage users, users can manage their credentials, information, etc. Then other software like Gitea, Authelia, or basically anything you want could use it as an "Authentication backend" / "Identity Provider".

@prologic@twtxt.net True, though it becomes less of a problem once people realize writing apps with traditional security models is bad and everyone does it our way. ;)

The challenge with changing the world is overcoming momentum.

In-reply-to » @prologic To be fair, that both predates Sandstorm (circa 2014), and considering you've tried it recently and still spun up your own corporate infrastructure, demonstrates it's not ready to meet your needs even today.

@prologic@twtxt.net I mean I wrote https://github.com/sandstorm-io/sandstorm-error-collector in an evening, but I’m pretty well-versed in working within vagrant-spk at this point, and I knew where to pull most examples of what I was building quickly. (Also with PHP I don’t have to write my own web server…)

In-reply-to » Speaking of SSO and a draft blog post I'm writing that I think I'll call Protecting Internal Web Resources (comments, feedback welcome before I publish 🙏) -- I've been thinking for a while now about building a new project based around Indie Auth that provides a full solution to managing a set of users that you could use in place of the more traditional approach of LDAP or Active Directory (shudder 🙄). The use-case I have in mind is to (for example) have auth.example.com that runs this software, lets me manage users, users can manage their credentials, information, etc. Then other software like Gitea, Authelia, or basically anything you want could use it as an "Authentication backend" / "Identity Provider".

@abucci@anthony.buc.ci What I’ve learned in production is the apps need to be built or heavily modified to truly support object capabilities. We’ve packaged numerous apps for Sandstorm, but the best experience is still apps written to work in that environment, even if they aren’t as feature-heavy.

In-reply-to » Speaking of SSO and a draft blog post I'm writing that I think I'll call Protecting Internal Web Resources (comments, feedback welcome before I publish 🙏) -- I've been thinking for a while now about building a new project based around Indie Auth that provides a full solution to managing a set of users that you could use in place of the more traditional approach of LDAP or Active Directory (shudder 🙄). The use-case I have in mind is to (for example) have auth.example.com that runs this software, lets me manage users, users can manage their credentials, information, etc. Then other software like Gitea, Authelia, or basically anything you want could use it as an "Authentication backend" / "Identity Provider".

@prologic@twtxt.net I really like Active Directory still. Mostly for Group Policy though, which only works on Windows.

In-reply-to » Speaking of SSO and a draft blog post I'm writing that I think I'll call Protecting Internal Web Resources (comments, feedback welcome before I publish 🙏) -- I've been thinking for a while now about building a new project based around Indie Auth that provides a full solution to managing a set of users that you could use in place of the more traditional approach of LDAP or Active Directory (shudder 🙄). The use-case I have in mind is to (for example) have auth.example.com that runs this software, lets me manage users, users can manage their credentials, information, etc. Then other software like Gitea, Authelia, or basically anything you want could use it as an "Authentication backend" / "Identity Provider".

@abucci@anthony.buc.ci As a fun fact, Sandstorm is neither RBAC nor ACL; it uses object capabilities, which is a superior but niche model also seen in Google’s Fuchsia and a very limited number of random things since the 1980s.

In-reply-to » Authelia - The Single Sign-On Multi-Factor portal for web apps -- Well I spent all day on standing up some new "internal" infra (file hosting/management, task/project management, etc) and I have to say, Authelia is pretty fucking great 👌 highly recommend

@prologic@twtxt.net To be fair, that both predates Sandstorm (circa 2014), and considering you’ve tried it recently and still spun up your own corporate infrastructure, demonstrates it’s not ready to meet your needs even today.

I would probably love your top bullet points on what Sandstorm would’ve needed to have or do to meet your business infra needs.

In-reply-to » Authelia - The Single Sign-On Multi-Factor portal for web apps -- Well I spent all day on standing up some new "internal" infra (file hosting/management, task/project management, etc) and I have to say, Authelia is pretty fucking great 👌 highly recommend

@abucci@anthony.buc.ci - Sandstorm.io hopefully someday ;) Though I admit we are probably not quite at the polish today for someone to replace their existing self-hosting stack (yet)

In-reply-to » @prologic hmmm, I feel you are angry so I won't play as devil's advocate. What I can add, something controversial, is that those huge companies like power and controlling who can access to the info is a source of power.

@prologic@twtxt.net I think the OSI positions are paid positions via memberships/donations. Which is to say, the status quo is perfectly sustainable… for the OSI.

I had recent conversations with both the OSI’s Executive Director and Standards Director, and both conversations convinced me the OSI does not remotely care about sustainable open source.

In-reply-to » How GitHub Copilot Could Steer Microsoft Into a Copyright Storm An anonymous reader quotes a report from the Register: GitHub Copilot -- a programming auto-suggestion tool trained from public source code on the internet -- has been caught generating what appears to be copyrighted code, prompting an attorney to look into a possible copyright infringement claim. On Monday, Matthew Butterick, a lawyer, desig ...

@kt84@twtxt.net More than likely if a class action settlement happens, anyone who can allege they had their code on GitHub during the span of time Microsoft was training Copilot will be eligible, which would include anyone who deleted their repos when Microsoft first showed it off.

In-reply-to » How GitHub Copilot Could Steer Microsoft Into a Copyright Storm An anonymous reader quotes a report from the Register: GitHub Copilot -- a programming auto-suggestion tool trained from public source code on the internet -- has been caught generating what appears to be copyrighted code, prompting an attorney to look into a possible copyright infringement claim. On Monday, Matthew Butterick, a lawyer, desig ...

@prologic@twtxt.net The problem is that if I fork your code (which I can do), and then post it on GitHub (which I can do), then Copilot still trains on it, whether you like it or not.

The answer here, is what’s happening: Litigation.

In-reply-to » @prologic hmmm, I feel you are angry so I won't play as devil's advocate. What I can add, something controversial, is that those huge companies like power and controlling who can access to the info is a source of power.

The problem is the OSI considers this working-as-intended.
