ocdtrekkie

twtxt.net

a ferret

Recent twts from ocdtrekkie
In-reply-to » Tim Berners-Lee Wants Us To 'Ignore' Web3, It's 'Not the Web at All' Tim Berners-Lee, the British computer scientist credited with inventing the World Wide Web in 1989, said Friday that he doesn't view blockchain as a viable solution for building the next iteration of the internet. From a report: He has his own web decentralization project called Solid. "It's important to clarify in order to discuss the impacts ... ⌘ Read more

@prologic@twtxt.net Kinda. As per usual, Tim Berners-Lee is in the media here to promote Solid, a bad self-hosting idea that only gets coverage because Tim’s famous.

⤋ Read More
In-reply-to » Learned a cute little trick on github today and figured I'd share in case there are others like me who didn't know this.

@abucci@anthony.buc.ci Whether warning before or after the date is somewhat immaterial, except it slides the sysadmin window even narrower, for no good reason. Google’s already aggressively forced everyone to a 12 month deadline. Not everything supports Let’s Encrypt. And so every year we have a window where I have to rush around and update all the certs before the expiration date, but if I start the process too soon, then I am doing it every eleven months, because of that absolute 12 month cap.

And again, there’s nothing inherently less secure about a 13 month old cert than a 12 month old cert. About 99% of certificate behavior is security theater and Google flexing its ability to force everyone to do what it says.

⤋ Read More
In-reply-to » Learned a cute little trick on github today and figured I'd share in case there are others like me who didn't know this.

@abucci@anthony.buc.ci I think TLS is fine. I think PKI is a crock of garbage, because most participants in PKI are garbage, and Google has complete capture of it and makes decisions that work best for it, and not the real world.

Ultimately what I think should happen for certificate expiration is browsers should soft-warn for like a week or two after expiry, with like a yellow address bar, as opposed to trying to block navigation. The risk of an expired cert just doesn’t justify browser behavior.

⤋ Read More
In-reply-to » Learned a cute little trick on github today and figured I'd share in case there are others like me who didn't know this.

@abucci@anthony.buc.ci I literally had to fix an outage this weekend caused by a weird certificate. Not external facing, but the security risk caused by it was nonexistent, and yet, it was implemented as a requirement and caused random unexpected breakage when it expired itself.

⤋ Read More
In-reply-to » Learned a cute little trick on github today and figured I'd share in case there are others like me who didn't know this.

Unfortunately, I feel that right now the people who decide on how to run PKI are so far removed from the real world and practical concerns, it’s straight up comical. 81% of organizations have had outages caused by expired certificates, something that has almost no real world security benefit. https://betanews.com/2022/03/22/81-percent-of-organizations-have-outages-caused-by-expired-certificates/

⤋ Read More
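Added example for the certificate-expiry thread above (my own illustration, not code from these posts or from any project they mention): a check that takes a certificate in the dict shape `ssl.SSLSocket.getpeercert()` returns and reports the lifetime, the days remaining, and whether it is expired, about to expire, or longer than the 398-day cap that the major browser root programs enforce for publicly trusted certificates issued since 1 September 2020. The host names and the sample certificate dicts are constructed; `fetch_peer_cert` is the only part that touches the network and is not needed for the samples.

```python
"""Certificate lifetime / expiry check (added example, not from the posts).

Operates on the dict that ssl.SSLSocket.getpeercert() returns, so the same
function runs against a live host or against constructed sample data.
"""
import socket
import ssl
from datetime import datetime, timezone

MAX_LIFETIME_DAYS = 398   # cap for publicly trusted certs issued since Sept 2020
DAY = 86400


def fetch_peer_cert(host, port=443, timeout=5):
    """Fetch the leaf certificate a live host presents (needs network access)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def check_cert(cert, now=None, warn_days=30):
    """Classify one certificate.

    `cert` is a getpeercert()-style dict; `now` is an aware datetime and
    defaults to the current UTC time.  Returns a summary dict with a list
    of findings (empty when nothing is wrong).
    """
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    now_ts = (now or datetime.now(timezone.utc)).timestamp()

    lifetime_days = (not_after - not_before) / DAY
    remaining_days = (not_after - now_ts) / DAY

    findings = []
    if now_ts < not_before:
        findings.append("NOT_YET_VALID")
    if remaining_days < 0:
        findings.append("EXPIRED")                 # the outage case
    elif remaining_days < warn_days:
        findings.append("EXPIRING_SOON")           # still inside the renewal window
    if lifetime_days > MAX_LIFETIME_DAYS:
        findings.append("LIFETIME_OVER_398_DAYS")  # browsers reject this outright

    # subject is a tuple of RDNs, each a tuple of (type, value) pairs
    subject = {k: v for rdn in cert.get("subject", ()) for k, v in rdn}
    return {
        "subject": subject.get("commonName", "?"),
        "lifetime_days": round(lifetime_days),
        "remaining_days": round(remaining_days),
        "findings": findings,
    }


# Constructed sample data in getpeercert() shape; these are not real certificates.
SAMPLE_CERTS = {
    "ok-but-close": {
        "subject": ((("commonName", "intranet.example.test"),),),
        "notBefore": "Oct 15 00:00:00 2021 GMT",
        "notAfter": "Oct 15 00:00:00 2022 GMT",
    },
    "too-long-and-expired": {
        "subject": ((("commonName", "legacy.example.test"),),),
        "notBefore": "Jan 10 00:00:00 2021 GMT",
        "notAfter": "Mar 10 00:00:00 2022 GMT",
    },
}


def run_samples(now=datetime(2022, 10, 10, tzinfo=timezone.utc)):
    """Run the check over the constructed samples at a fixed 'now'."""
    return {name: check_cert(c, now=now) for name, c in SAMPLE_CERTS.items()}


if __name__ == "__main__":
    for name, result in run_samples().items():
        print(name, result)
```

Pointing `fetch_peer_cert` at each internal host from a nightly job and alerting on `EXPIRING_SOON` is the cheap way to keep the renewal window from closing unnoticed; the `warn_days` knob sets how early the warning starts, which is the trade-off the post describes between renewing too early and renewing too late.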
In-reply-to » Twitter Is Now an Elon Musk Company Elon Musk has "added [Twitter] to his business empire after months of legal skirmishes," writes The Verge's Elizabeth Lopatto, citing reports from CNBC, The Washington Post and Insider. From the report: Musk's first move on Thursday was to oust Parag Agrawal, who was Twitter's last CEO as a public company. Chief financial officer Ned Segal and Vijaya Gadde, the company's policy chief whom Musk had publi ... ⌘ Read more

@prologic@twtxt.net Yep, it’s the land of Musk. The Fediverse is seeing its standard huge population uptick on the news, that will disappear again in a month or two as usual.

⤋ Read More
In-reply-to » Almost a year ago, I committed a patch to my browser that made it default to HTTPS. So when I enter foo.com, it goes directly to https://foo.com, instead of going to http://foo.com and “hoping” for a redirect.

@prologic@twtxt.net It does, but EV was already just prohibitively expensive. It’s very hard for corporations to distinguish between malware authors and hobbyist developers, unfortunately.

⤋ Read More
In-reply-to » Almost a year ago, I committed a patch to my browser that made it default to HTTPS. So when I enter foo.com, it goes directly to https://foo.com, instead of going to http://foo.com and “hoping” for a redirect.

@prologic@twtxt.net @abucci@anthony.buc.ci The entire public key infrastructure is kinda a joke, tbh. Let’s Encrypt made HTTPS free, but in practice that mostly just means malware can be delivered securely to your PC. EV certs made a lot more sense, but Google had to deprecate those, VMC appears to be a potentially worthy replacement though.

⤋ Read More
In-reply-to » Speaking of SSO and a draft blog post I'm writing that I think I'll call Protecting Internal Web Resources (comments, feedback welcome before I publish 🙏) -- I've been thinking for a while now about building a new project based around Indie Auth that provides a full solution to managing a set of users that you could use in place of the more traditional approach of LDAP or Active Directory (shudder 🙄). The use-case I have in mind is to (for example) have auth.example.com that runs this software, lets me manage users, users can manage their credentials, information, etc. Then other software like Gitea, Authelia, or basically anything you want could use it as an "Authentication backend" / "Identity Provider".

@prologic@twtxt.net The official lingo is ocap for object capabilities. And FWIW that is still IMHO just a need for better implementation by Sandstorm: Capabilities done right actually cause a lot less friction than ACLs!

⤋ Read More
In-reply-to » Speaking of SSO and a draft blog post I'm writing that I think I'll call Protecting Internal Web Resources (comments, feedback welcome before I publish 🙏) -- I've been thinking for a while now about building a new project based around Indie Auth that provides a full solution to managing a set of users that you could use in place of the more traditional approach of LDAP or Active Directory (shudder 🙄). The use-case I have in mind is to (for example) have auth.example.com that runs this software, lets me manage users, users can manage their credentials, information, etc. Then other software like Gitea, Authelia, or basically anything you want could use it as an "Authentication backend" / "Identity Provider".

@prologic@twtxt.net True, though it becomes less of a problem once people realize writing apps with traditional security models is bad and everyone does it our way. ;)

The challenge with changing the world is overcoming momentum.

⤋ Read More
In-reply-to » @prologic To be fair, that both predates Sandstorm (circa 2014), and considering you've tried it recently and still spun up your own corporate infrastructure, demonstrates it's not ready to meet your needs even today.

@prologic@twtxt.net I mean I wrote https://github.com/sandstorm-io/sandstorm-error-collector in an evening, but I’m pretty well-versed in working within vagrant-spk at this point, and I knew where to pull most examples of what I was building quickly. (Also with PHP I don’t have to write my own web server…)

⤋ Read More
In-reply-to » Speaking of SSO and a draft blog post I'm writing that I think I'll call Protecting Internal Web Resources (comments, feedback welcome before I publish 🙏) -- I've been thinking for a while now about building a new project based around Indie Auth that provides a full solution to managing a set of users that you could use in place of the more traditional approach of LDAP or Active Directory (shudder 🙄). The use-case I have in mind is to (for example) have auth.example.com that runs this software, lets me manage users, users can manage their credentials, information, etc. Then other software like Gitea, Authelia, or basically anything you want could use it as an "Authentication backend" / "Identity Provider".

@abucci@anthony.buc.ci What I’ve learned in production is the apps need to be built or heavily modified to truly support object capabilities. We’ve packaged numerous apps for Sandstorm, but the best experience is still apps written to work in that environment, even if they aren’t as feature-heavy.

⤋ Read More
In-reply-to » Speaking of SSO and a draft blog post I'm writing that I think I'll call Protecting Internal Web Resources (comments, feedback welcome before I publish 🙏) -- I've been thinking for a while now about building a new project based around Indie Auth that provides a full solution to managing a set of users that you could use in place of the more traditional approach of LDAP or Active Directory (shudder 🙄). The use-case I have in mind is to (for example) have auth.example.com that runs this software, lets me manage users, users can manage their credentials, information, etc. Then other software like Gitea, Authelia, or basically anything you want could use it as an "Authentication backend" / "Identity Provider".

@prologic@twtxt.net I really like Active Directory still. Mostly for Group Policy though, which only works on Windows.

⤋ Read More
In-reply-to » Speaking of SSO and a draft blog post I'm writing that I think I'll call Protecting Internal Web Resources (comments, feedback welcome before I publish 🙏) -- I've been thinking for a while now about building a new project based around Indie Auth that provides a full solution to managing a set of users that you could use in place of the more traditional approach of LDAP or Active Directory (shudder 🙄). The use-case I have in mind is to (for example) have auth.example.com that runs this software, lets me manage users, users can manage their credentials, information, etc. Then other software like Gitea, Authelia, or basically anything you want could use it as an "Authentication backend" / "Identity Provider".

@abucci@anthony.buc.ci As a fun fact, Sandstorm is neither RBAC nor ACL, it uses object capabilities, which is a superior but niche model also seen in Google’s Fuchsia and a very limited number of random things since the 1980s.

⤋ Read More
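Added example for the object-capability point in this post and the earlier “ocap” reply above (my own illustration, not Sandstorm’s or Fuchsia’s code; the file names, principals and the “build deputy” are invented). It puts an ACL check, where authority is looked up by who is asking, next to capabilities, where authority is the reference you hold: the ACL deputy can be tricked into using its own rights on a caller’s behalf (the classic confused deputy), while the capability deputy can only touch the file it was handed, and that reference can be attenuated to read-only or revoked later.

```python
"""Object capabilities vs ACLs (added example, not from the posts).

ACL side: access is decided from (principal, object, operation), so a
privileged deputy that accepts an output name from a caller writes with
its own rights, not the caller's.
Capability side: a File is only reachable through a reference; a ReadOnly
wrapper attenuates it, make_revocable() lets the grantor cut it off, and a
deputy can only write where it was given a writable reference.
"""

# ---------------- ACL model: authority looked up by principal name ----------------
ACL = {
    "report.txt": {"alice": {"read", "write"}, "bob": {"read"}},
    "secret.txt": {"alice": {"read", "write"}},
}
FILES = {"report.txt": "draft", "secret.txt": "hunter2"}


def acl_write(principal, name, data):
    """Write `data` to `name` if the ACL grants `principal` write."""
    if "write" not in ACL.get(name, {}).get(principal, set()):
        raise PermissionError(f"{principal} may not write {name}")
    FILES[name] = data
    return True


def build_for(requester, out_name):
    """Build service that runs as the privileged principal 'alice'.

    It takes an output path from `requester` but writes with alice's rights;
    `requester` is never consulted, which is exactly the confused deputy.
    """
    return acl_write("alice", out_name, "compiled output")


# ------------- capability model: authority is the reference you hold -------------
class File:
    def __init__(self, data):
        self._data = data

    def read(self):
        return self._data

    def write(self, data):
        self._data = data


class ReadOnly:
    """Attenuation: forwards read() only, so there is no write() to call."""
    def __init__(self, target):
        self._target = target

    def read(self):
        return self._target.read()


class _Forwarder:
    """Forwards every attribute to the boxed target until the box is emptied."""
    def __init__(self, box):
        self._box = box

    def __getattr__(self, name):
        target = self._box[0]
        if target is None:
            raise PermissionError("capability revoked")
        return getattr(target, name)


def make_revocable(target):
    """Return (forwarder, revoke): hand out the forwarder, keep revoke()."""
    box = [target]

    def revoke():
        box[0] = None
    return _Forwarder(box), revoke


def build_into(out_cap):
    """Same deputy, capability style: it cannot name any file it was not given."""
    out_cap.write("compiled output")
    return out_cap.read()


def demo():
    """Exercise both models and return what happened as a dict."""
    out = {}
    try:
        acl_write("bob", "secret.txt", "x")
        out["bob_direct"] = "allowed"
    except PermissionError:
        out["bob_direct"] = "denied"
    build_for("bob", "secret.txt")            # bob lacks write, yet the deputy writes
    out["bob_via_deputy"] = FILES["secret.txt"]

    secret = File("hunter2")
    view = ReadOnly(secret)
    out["readonly_can_write"] = hasattr(view, "write")
    out["readonly_reads"] = view.read()

    out_file, revoke = make_revocable(File(""))
    out["deputy_output"] = build_into(out_file)
    revoke()
    try:
        out_file.read()
        out["after_revoke"] = "allowed"
    except PermissionError:
        out["after_revoke"] = "revoked"
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The part that matters for the “less friction” claim is that nothing in the capability half consults a global table or a current user: sharing is just passing a reference, and narrowing what you share is just wrapping it before you pass it.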
In-reply-to » Authelia - The Single Sign-On Multi-Factor portal for web apps -- Well I spent all day on standing up some new "internal" infra (file hosting/management, task/project management, etc) and I have to say, Authelia is pretty fucking great 👌 highly recommend

@prologic@twtxt.net To be fair, that both predates Sandstorm (circa 2014), and considering you’ve tried it recently and still spun up your own corporate infrastructure, demonstrates it’s not ready to meet your needs even today.

I would probably love your top bullet points on what Sandstorm would’ve needed to have or do to meet your business infra needs.

⤋ Read More
In-reply-to » Authelia - The Single Sign-On Multi-Factor portal for web apps -- Well I spent all day on standing up some new "internal" infra (file hosting/management, task/project management, etc) and I have to say, Authelia is pretty fucking great 👌 highly recommend

@abucci@anthony.buc.ci - Sandstorm.io hopefully someday ;) Though I admit we are probably not quite at the polish today for someone to replace their existing self-hosting stack (yet)

⤋ Read More
In-reply-to » @prologic hmmm, I feel you are angry so I won't play as devil's advocate. What I can add, something controversial, is that those huge companies like power and controlling who can access to the info is a source of power.

@prologic@twtxt.net I think the OSI positions are paid positions via memberships/donations. Which is to say, the status quo is perfectly sustainable… for the OSI.

I had recent conversations with both the OSI’s Executive Director and Standards Director, and both conversations convinced me the OSI does not remotely care about sustainable open source.

⤋ Read More
In-reply-to » How GitHub Copilot Could Steer Microsoft Into a Copyright Storm An anonymous reader quotes a report from the Register: GitHub Copilot -- a programming auto-suggestion tool trained from public source code on the internet -- has been caught generating what appears to be copyrighted code, prompting an attorney to look into a possible copyright infringement claim. On Monday, Matthew Butterick, a lawyer, desig ... ⌘ Read more

@kt84@twtxt.net More than likely if a class action settlement happens, anyone who can allege they had their code on GitHub during the span of time Microsoft was training Copilot will be eligible, which would include anyone who deleted their repos when Microsoft first showed it off.

⤋ Read More
In-reply-to » How GitHub Copilot Could Steer Microsoft Into a Copyright Storm An anonymous reader quotes a report from the Register: GitHub Copilot -- a programming auto-suggestion tool trained from public source code on the internet -- has been caught generating what appears to be copyrighted code, prompting an attorney to look into a possible copyright infringement claim. On Monday, Matthew Butterick, a lawyer, desig ... ⌘ Read more

@prologic@twtxt.net The problem is that if I fork your code (which I can do), and then post it on GitHub (which I can do), then Copilot still trains on it, whether you like it or not.

The answer here, is what’s happening: Litigation.

⤋ Read More
In-reply-to » @prologic hmmm, I feel you are angry so I won't play as devil's advocate. What I can add, something controversial, is that those huge companies like power and controlling who can access to the info is a source of power.

The problem is the OSI considers this working-as-intended.

⤋ Read More
In-reply-to » @prologic idk I tend to think that "reading something on some random person's web site" and "telling some random person where I live to within a mile or two" ought to be distinct things I get to choose independently....

@prologic@twtxt.net I find the top purpose for corporate VPN providers is low-impact legal offenses involving torrenting: It’s not necessarily about the VPN provider not ratting you out, but about being enough of a hassle to uncloak you that by the time the legal process to do so has ramped up, the VPN provider has dumped their logs anyways. Serious crimes, governments are going to act a lot faster, and get the response they need quickly, but for the low-level stuff it’s more civil-law nonsense, and a VPN company in the middle will befuddle the process.

⤋ Read More
In-reply-to » @abucci Do you happen to use Signal btw? 🤔 If you do, it would be great if you could join the Yarn.social Signal Group (_at least until we have Group support and better apps for Salty.im 😅)

@abucci@anthony.buc.ci Interestingly enough, Signal has announced plans to deprecate SMS/MMS support entirely. So even if I had a phone which could tamper with my text messages, Signal soon won’t anyways.

Since I’ve solely installed Signal to talk to the Yarn social Signal group, and that’s not a sensitive communication, it doesn’t bother me if it’s compromised very much.

⤋ Read More
In-reply-to » @abucci Do you happen to use Signal btw? 🤔 If you do, it would be great if you could join the Yarn.social Signal Group (_at least until we have Group support and better apps for Salty.im 😅)

@mckinley@twtxt.net FWIW, spam on IRC is really, really prevalent, and IRC has limited systems to handle it. I know they’ll let you cloak your info with regards to other users seeing it, but trusting them with it is somewhat important to them managing the server.

⤋ Read More