Threads for Helithumper

  1. 6

    Somehow I missed the whole passkeys thing that’s been in dev preview for a year. Yeah, so it’s their soft WebAuthn token. The FIDO alliance now endorses those, calling them “multi-device FIDO credentials”. But the interesting part is the whole usage on random PCs thing. According to the FIDO FAQ,

    An update to the Client to Authenticator Protocol (CTAP) called “caBLE” will leverage Bluetooth LE (BLE) to enable cross-device, cross-ecosystem credential usage.

    Turns out work on this has been going on for a couple of years now. It’s still oddly difficult to find info about caBLE. What’s especially interesting is that they showed some QR code thing on stage. Apparently both QR codes and BLE are involved?? Somehow?

    1. 2

      I don’t think it’s their soft WebAuthn token, but their hard WebAuthn token using the TPM on the Mac. They’ve had it for a few years now; I just don’t think many people used it.

      1. 2

        Not a few years, one year of developer preview.

        Well.. it’s sort of “hard-ish” in that the Secure Enclave might be used for the operations. But the private keys are synced via iCloud (again, multi-device credential), so they’re not locked in the Enclave.

        1. 2

          Presumably they’re synced via standard keychain mechanisms, which would mean they’re never exposed in an unencrypted form.

          1. 1

            I’d say 2 years since it was released at least before July 1, 2020 and that definitely wasn’t a “developer preview”.

            1. 3

              You are talking about different things. Support for device-specific WebAuthn tokens has been around for several years (I have used this functionality for a while now). Experimental support for ‘Passkey’ (WebAuthn tokens that sync through iCloud Keychain to multiple devices) has been added to macOS 12 and iOS 15. But you have to enable support through the Develop option in Safari on macOS and something similar on iPhone. This functionality was announced last year in a WWDC session:

              https://developer.apple.com/videos/play/wwdc2021/10106/

      1. 0

        Can we avoid posting this author’s blog posts? Without going into details, his presence in C++ community spaces has caused problems.

        1. 7

          I think you would need to go into details or at least provide some links. Otherwise we will be banning posts left and right just because someone found the author problematic, don’t you think?

          1. 2

            I’m guessing this is in relation to his criminal history. I understand the reason for not wanting to discuss details, and in this case I do understand your concerns. Could we avoid posting this author’s comments?

            1. -2

              Can we avoid posting this author’s blog posts? Without going into details, his presence in C++ community spaces has caused problems.

              Can we avoid posting this author’s comments? Without going into details, his presence in C++ community spaces has caused problems.

            1. 26

              Subdomains as identity leaks information about the requested path via DNS.

              https://example.com/saysbadthingsaboutbadpeopleinpower - DNS request is for example.com, TLS connection prevents request information from leaking

              https://saysbadthingsaboutbadpeopleinpower.example.com - DNS gets the requested user

              I am fortunate to live in a country where the latter is extraordinarily unlikely to be immediately actionable by law enforcement and my action is protected by well-established law.

              Moreover, a path-based identity is better for marketing. Put the company name first so people know “Oh, right, Example, that social media platform,” and not “SomethingIdontreallycarethatmuchabout on Example.”

              1. 15

                Given that this user is also providing each subdomain a certificate, you could enumerate the entire userbase by looking at the CT logs with a tool like crt.sh.

                1. 4

                  Given that this user is also providing each subdomain a certificate, you could enumerate the entire userbase by looking at the CT logs with a tool like crt.sh.

                  Even if they use wildcard certs?

                  1. 3

                    Obviously that will not work in such a case.

                  2. 2

                    Oh wow, that’s a big one.

                  3. 5

                    I’m definitely not an expert, just a curious observer. But if everyone used DNS over HTTPS, would this no longer be an issue? DoH does have some problems though (centralization, can be blocked, SNI leaks, etc), and I’m not sure how widespread it is.

                    1. 4

                      Even with DNS over HTTPS you’d still be leaking the domain name to a third party, so it is less private than putting the same info in the path. Obviously for many use cases that is fine.

                      1. 2

                        DoH to a third party would help, but then there’s a SPOF for resolution.

                        1. 1

                          Or DoT or DNS over Tor or any other privacy solution.

                          Breaking websites is not the solution.

                      1. 22

                        I’m always wary of these “always” and “never” essays.

                        Instead of going down that route, why not set up a code budget before you begin and stick to it? After all, it’s one thing to spend a couple of coins on some bubblegum on your way to work. It’s something else entirely to invest in condominiums. There are lots of examples in life where we have limited resources and expect a limited return. We use budgets to allocate limited resources to return limited value. Why don’t we treat code the same way?

                        For my personal work, I budget 50 lines or so of bash to any project. If it goes beyond that, I’m coding in a higher-level language (which I also budget as a way of keeping track of whether I’m compartmentalizing enough). If I were coding commercially, I’d drop that budget by half or more.

                        You run into problems with any programming language when the amount of complexity you’ve grasped outreaches your ability to understand it. With signals, string mangling, and the rest, that happens pretty quickly in bash. That doesn’t mean it’s a bad language. These are just risks that need to be managed.

                        Instead of shunning or loving some language, find a way to guide you to know when enough is enough, i.e., it’s time to refactor or move to a different platform. Then stick to it. It’s the people who can’t help themselves but keep taking on more and more complexity in their code over time that are the ones to worry about, no matter what tech they’re using.

                        1. 2

                          I believe that this isn’t an “always” and “never” essay, but rather a list of bad and good practices. In the last section the author covers the scenario you describe (50 line bash budget).

                          I don’t think any reasonable author would say “never” use bash; however, the article points out how it may not be the best choice to use bash in many scenarios, thus “Please stop writing shell scripts” instead of “Do not write shell scripts”. It’s a persuasive essay, not an authoritative, commanding essay.

                        1. 19

                          https://gchq.github.io/CyberChef/ Run mutations on inputs in your browser. Lots of useful little operations.

                          1. 3

                            I find that even when I’m not thoroughly developing tests for my code, I’ll usually have at least a handful of general tests running fairly often just for a sanity check. Having a one-click “Does this run in a semi-reasonable manner” is really useful.

                            1. 2

                              Not sure if this is newsworthy. Looks like a fairly standard medium/low security patch. Am I missing something?

                              1. 2

                                I’m trying an implementation of this out and I don’t know how performant this was for the author. Nowhere does the article detail execution time, but adding (most of) the English language as ORs to a Z3 solver is not very performant. I would be interested in a follow-up to the article detailing performance issues / improvements.

                                1. 3

                                  Screenshots would be pretty boring, it’s just stock Windows 10 with auto-hiding taskbar and no desktop icons on the desktop, XMonad with a very basic config on one laptop and stock Gnome on the other (we don’t talk about the third laptop), so here’s my battlestation. We have:

                                  • Two LG monitors, the big one’s new and it’s 1440p and 144hz. Behind them there’s a two-arm monitor stand. The LG monitor on the side is not VESA compatible so I had to get a bit creative to mount it like that.
                                  • Three mice: the big trackball is a Kensington Expert and it’s for normal use on the desktop, the most normal one, a Razer Deathadder, is for video games, and the small trackball is a Logitech Ergo M575, which I normally use at work with the laptop.
                                  • A 90x40cm mousepad, very nice and comfy.
                                  • On the ground, a cheap foot pedal with three buttons that I mostly use for push-to-talk and to take screenshots. I’ve tried using it more actively but it’s a bit awkward.
                                  • A mic arm with a very hacky hook for hanging the headphones (just out of the picture).
                                  • A Raspberry Pi with a passive cooling case under the desktop tower.

                                  I’m planning on moving and getting a new desk, so hopefully there will be some big changes next year. Bonus points for recognizing all the characters :)

                                  1. 1

                                    How is Kensington compared to Logi Ergo? I am thinking about changing mine.

                                    1. 1

                                      I used to use the Kensington and switched to the Logitech Ergo, tempted to switch back b/c the Ergo causes my thumb to ache whereas the Kensington did not.

                                      I wish they would make the new Kensingtons with the bearings / wheels from the older models (Kensington Turbo Mouse Pro) where you could spin the ball like you were playing Golden Tee on your desk.

                                      1. 1

                                        It’s kind of unwieldy, honestly. I thought the big orb was gonna be nicer than the Ergo but it’s the other way around, if I had to choose only one of them I’d go with the Ergo.

                                        1. 1

                                          Have to second you on that one. I have the Kensington and the M570 and would take the M570 if I had to choose. However, I also purchased a Ploopy Classic last year and it is wonderful. It really knocks both of the others out of the fight for stationary use. It’s the rollers (vs. the bearings on the other two) that really make a huge difference for me.

                                    1. 3

                                      Throwing mine on the pile: https://imgur.com/a/as7fPJe

                                      Built a desk into my shop when we all started WFH. No screenshot because there’s not much to see: swaywm on Fedora with Alacritty+tmux+NeoVim fullscreen on workspace 1 and Vivaldi fullscreen on workspace 2. Workspace 3 is for Zoom. All of it’s been themed with Dracula.

                                      Hardware is a maxed out System76 Meerkat, Dygma Raise keyboard, old (2010) Logitech MX mouse, and LG 27UD68-P monitor. Hanging on the wall behind the monitor is an Intel NUC w/ RTX 2060 for gaming. The display stuck on the ceiling is for the WS-2902C weather station mounted outside the shop.

                                      1. 4

                                        Coworkers: “Where are you located”

                                        sprsquish: Pulls out Banjo

                                        1. 2

                                          It’s impressive how much those air filters pull out of the air when they’re strapped onto a box fan like that. I tried it a few years ago out of curiosity and was appalled by how quickly the filter had to be changed. Been using them pretty much continuously ever since.

                                          1. 2

                                            Absolutely. I was originally looking for a way to get dust collection that wasn’t going to cost a small fortune. The wood working community is a clever and thrifty bunch. These things cost a tenth what a “real” solution would have.

                                            1. 1

                                              lul

                                            2. 4

                                              I don’t know what you’re talking about. It’s still April 2020. I’ll be back in the office in no time!

                                            1. 5

                                              IMHO, this is one of the critical parts of an install script that I see missing constantly. Homebrew doesn’t by default do any signature checks on what it’s downloading. Docker’s install used to be a curl | sh as well.

                                              I first thought about this when seeing people’s (especially Golang) NixOS files which included a statement like the following:

                                              src = fetchgit {
                                                url = "git://github.com/NixOS/nix.git";
                                                rev = "1f795f9f44607cc5bec70d1300150bfefcef2aae"; # pinned commit
                                                sha256 = "1cw5fszffl5pkpa6s6wjnkiv6lm5k618s32sp60kvmvpy7a2v9kg"; # expected hash of the fetched tree
                                              };

                                              I may be wrong here and there may be signature checks under the hood, but I feel like building this mechanism into the curl | bash would be a huge bonus. I wish more programs (and especially homebrew) did this, but would like to hear if there’s a solid reason why not (there probably is).

                                              IMHO: curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install.sh?version=X.X.X | inline-md5sum MD5SUM | sh - would be a much more robust curl to bash, as it would include the current version (fully reproducible curl | bash-es) as well as a quick signature check. Heck, you could even have the signatures posted elsewhere or tied to PGP/AGE.

                                              1. 5

                                                Just to clarify, Homebrew formulas do have signature checks, which is more parallel to your NixOS example.

                                                1. 1

                                                  Yes, that’s correct, however unlike NixOS, Homebrew does not provide a signature for itself in an easy manner to perform a signature check. With NixOS it’s either a.) provided right next to the download button or b.) you can perform your own because you are building the ISO yourself.

                                                  If you cannot verify the Homebrew installation itself, then it doesn’t really matter if the posted dependencies have signatures because an invalid homebrew installation could do whatever it wants re: Reflections on Trusting Trust.

                                                2. 2

                                                  IMHO, this is one of the critical parts of an install script that I see missing constantly.

                                                  MD5 is not, and should not be used as, a meaningful “signature” for authenticity. It might be useful for verifying that the download was not corrupted, but it won’t give any indication of whether the file was tampered with in transit, etc.

                                                1. 5

                                                  This is good, but it, IMO, should be SHA256 or Blake2 instead, which are considered cryptographically strong unlike MD5.

                                                  1. 2

                                                    Since this is just a validation script you could theoretically make it generic enough to process a handful of different hash types so that it’s more compatible.

                                                    1. 2

                                                      I was just thinking about this, and had two thoughts:

                                                      • Generalize it by adding a CLI flag to indicate which hashing function is being used. (Something like, -n md5, -n sha256, etc)
                                                      • And/or also supporting the Multihash format
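                                                      The hash-gated pipeline proposed above (curl | inline-md5sum | sh), generalized with the -n flag and the SHA-256/BLAKE2 options from the replies, as an added example that is not the thread’s code nor Homebrew’s: it buffers the script, checks its digest, and only then hands it to sh. The file name verified_sh.sh and its helper functions are assumed names; a matching digest pins one exact file but is not a signature, so the expected value has to come from somewhere other than the download itself.

```shell
#!/bin/sh
# verified_sh.sh: a digest-gated replacement for "curl ... | sh".
# Added example for this thread (not Homebrew's or anyone else's tool).
# Usage: curl -fsSL "$URL" | run_verified [-n md5|sha256|blake2] EXPECTED [args...]
# The script is buffered into a temp file, its digest is compared with
# EXPECTED, and only on a match is it executed. Nothing runs on a mismatch.

# Print the checksum command for ALGO, preferring coreutils and falling back
# to the macOS/BSD equivalents. Returns non-zero for an unknown algorithm.
digest_cmd() {
  case "$1" in
    md5)    if command -v md5sum >/dev/null 2>&1; then echo "md5sum"; else echo "md5 -r"; fi ;;
    sha256) if command -v sha256sum >/dev/null 2>&1; then echo "sha256sum"; else echo "shasum -a 256"; fi ;;
    blake2) echo "b2sum" ;;   # BLAKE2b via GNU coreutils
    *)      echo "verified_sh: unknown algorithm: $1" >&2; return 1 ;;
  esac
}

# digest_file ALGO FILE -> hex digest of FILE on stdout (empty if the tool is missing).
digest_file() {
  cmd=$(digest_cmd "$1") || return 1
  $cmd "$2" | awk '{print $1}'
}

# verify_file ALGO EXPECTED FILE -> 0 if the digest matches, 1 otherwise.
# The comparison is case-insensitive so a digest copied from a web page works.
verify_file() {
  actual=$(digest_file "$1" "$3") || return 1
  exp=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  [ -n "$actual" ] && [ "$actual" = "$exp" ]
}

# run_verified [-n ALGO] EXPECTED [ARGS...]: read a script from stdin, verify, run.
# ALGO defaults to sha256; ARGS are passed to the script as its positional parameters.
run_verified() {
  algo=sha256
  if [ "$1" = "-n" ]; then algo=$2; shift 2; fi
  expected=$1; shift
  tmp=$(mktemp) || return 1
  # Buffer everything first: checking a stream while sh reads it could run a partial script.
  cat > "$tmp"
  if verify_file "$algo" "$expected" "$tmp"; then
    sh "$tmp" "$@"; rc=$?
  else
    echo "verified_sh: $algo digest mismatch, refusing to run script" >&2
    rc=1
  fi
  rm -f "$tmp"
  return $rc
}
```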
                                                      1. 2

                                                        Thought about adding other formats, but considering I was nerd-sniped, I had other things I intended to do today 😅

                                                        Definitely gonna read up on Multihash, as this is the first time I’ve heard of it.

                                                      2. 1

                                                        Feature creep 😁

                                                        But adding that into the script wouldn’t be too much of an exercise.

                                                      3. 1

                                                        You’re absolutely right, but most sites that I’ve come across that use the pattern only provide MD5.

                                                        I thought about adding a flag to specify the type of sum, but feature creep 😁

                                                        1. 1

                                                          Yeah, but how would that help you run a script where the MD5 was provided :)

                                                        1. 3

                                                          This is always very delightful to read. I really enjoyed the “proof” in 20:09 on page 68 why RSA is the devil’s work. :)

                                                          1. 3

                                                            I’m not sure what the origin of this is, but I originally saw this almost word for word in 2019: https://www.youtube.com/watch?v=lElHzac8DDI.

                                                            Edit: Just realized the author is the same, it’s basically a text form of the linked youtube presentation.

                                                            1. 4

                                                              While the triggering event is the same (log4j CVE), I think that the content differs enough to be an independent post.

                                                            1. 2

                                                              This post confused me initially b/c I could swear Filippo worked at Google now. Turns out the article is from 2016. Could the title be edited to match that to clear up any confusion?

                                                              1. 2

                                                                Edited.

                                                              1. 7

                                                                Scrolling with the mouse wheel in KDE’s volume mixer applet scrolls through both devices and levels of devices.

                                                                I wonder what’s the good way to solve that one on the UI level. I really like that KDE allows you to scroll both on the volume bars and on the volume icon itself. (Which other systems don’t do)

                                                                I guess at least “don’t change volume until position scrolling has finished” check could work… But that may feel as clunky as the typing-timeout-based touchpad disabling.

                                                                I like the list and the challenge. I’m sure it will cause more pressure on some long-standing papercut issues. Apart from some really frustrating parts where Linus knows just enough to overcomplicate things and self-sabotage (like the GitHub part), it’s a fun UX study. I’ve had to start using Windows recently for the first time since w2k and I’m making my own list of WTF issues.

                                                                1. 3

                                                                  I need to go back and double check what his issue was, but maybe a modifier key (ctrl perhaps) or a middle mouse click to switch between the two options?

                                                                  1. 4

                                                                    It’s basically: if you scroll the list of volumes and your mouse goes over a volume slider, you’ll start scroll-adjusting that volume slider instead. You learn to scroll with the mouse on the side of the window quickly.

                                                                    https://bugs.kde.org/show_bug.cgi?id=385270

                                                                  2. 1

                                                                    I really like that KDE allows you to scroll both on the volume bars and on the volume icon itself. (Which other systems don’t do)

                                                                    Yes, this is something that I really miss on Windows. To whoever thought of adding this feature to KDE – thank you!

                                                                  1. 3

                                                                    Does anyone else find it a bit funny that a post about Hugo themes is hosted on SaaS Wordpress?

                                                                    1. 2

                                                                      I will say that dogfooding my own Hugo theme has helped me find bugs / edge cases / missing features, and I highly recommend it for anyone developing a theme. I have three websites running my theme and the slightly different use cases have highlighted different problems.

                                                                      One problem is that, until I’m happy with my theme’s support for basic things like images and video embeds (no, I’m not satisfied with the out-of-the-box Hugo behavior), it’s difficult to write even self-referential posts where you might want to include screenshots of e.g. results of your theme code in different browsers. (The OP is a simple text post with code blocks that my theme currently handles fine, I’m just pointing out an example of the difficulties with dogfooding a work-in-progress theme.)

                                                                    1. 3

                                                                      Cool idea. I look forward to our annual Battlestations / Screenshots thread for this exact content. So far the only thing I’d say is that I hope it gains some diversity of setups, as the base seems very BSD-heavy. Hope this inspires people to customize their working environments for the better.

                                                                      1. 2

                                                                        Not sure if it’s been posted elsewhere, but I would be interested in seeing a /r/unixporn-like post from jcs. Rare to see an OpenBSD rice, and this one looks cool from the shown pictures.