1. 4

    I remember getting a world to be decently popular (~1 million visits) back when I was very young in like 2008-2009.

    I’ve always had a soft spot for Lua since Roblox is where I learned to program.

    1. 6

      This reminds me of an infinite-distance teleportation exploit that we found in Minecraft since, for a few updates, Mojang were only checking for NaN values on the X and Y axes, checking the X axis twice.

      You could teleport from [orig_x, orig_y, orig_z] to [orig_x, orig_y, NaN] and then to [desired_x, desired_y, desired_z] and since the Euclidean distance between any two consecutive position vectors would be NaN, dist >= kick_threshold always turned out to be false.

      1. 1

        Which versions were those? Minecraft’s been rather uniquely plagued by this issue, tho I suppose it’s gotten better in more recent versions.

        Due to the difficulty of trusting a JVM without value types to have reasonable performance when allocating vectors at a Mississippian rate, vectors were nearly always passed around decomposed. Doing crap like world.getBlock(x + dx, y + dy, z + dz) gets tiresome very quickly, and expressive power is not a noted property of Java. You might make wrapper types, but then find that you run into an issue akin to function coloring, or C++ viral constness. You’re still going to have to compose or decompose the vectors at some point, and there’s still the performance concerns. A script called xyz, which turns x + max, into x + max, y + max, z + max, allowed me skip past the traditional copy-paste bugs.

      1. 3

        This looks super cool! Thanks for posting it! I’d like to find an alternative to 1Password because they are an evil organization, so going to keep my eyes on this one! :)

        I have a couple questions for anyone who may know and doesn’t mind!

        When I enter the master password, does it go to the server or does it stay on the client? If it stays on the client, does that mean that all someone needs to download my encrypted data is my email address?

        I’d like to use this but also think that the benefit 1Password has is either that the secret key is needed to grab someone’s encrypted data (which could be cracked at any future time) or that the master password is never sent to the server - but trying to figure out which model Bitwarden is taking here!

        Thanks for any responses <3

        1. 6

          When you log in with Bitwarden, the client sends a request to /api/accounts/prelogin, which tells the client which key derivation function to use, and for how many rounds.

          On registration, the Bitwarden server will accept a client-generated asymmetric keypair, with the private key encrypted with the master-password-derived key.

          The client then:

          1. Uses the KDF to derive a key from the master password,
          2. Hashes the master password using this key
          3. Sends the hashed password to the /api/identity/connect/token endpoint.

          The server responds with the previously stored (encrypted!) keypair, which the user can decrypt using their master-password-derived key, and then use this private key to decrypt their passwords. This means that changing the master password only results in re-encrypting the private key, instead of the entire set of password entries that are stored.

          1. 1

            Cool! Thank you for the info! Seems pretty secure, I’m going to make the switch =^.^=

          2. 5

            1password has a very impressive and detailed security design document worth reading for anyone interested in this space. https://1password.com/files/1Password-White-Paper.pdf

            What about 1p is evil btw?

            1. 1

              The organization itself has had questionable layoffs, has been called out by queer people for being a hostile work environment, etc.

              1. 3

                I was considering applying to 1Password, do you have any sources? A cursory web search doesn’t lead me anywhere useful.

                1. 1

                  Hmm… Also can’t find them via search. My guess is that the Twitter feeds I have seen are private followers? If you end up working there, let us know how it goes =^.^=

            2. 1

              With all well known password managers, the master password stays on the client. Anything that did otherwise would be widely ridiculed on the internet.

              Usually servers only give the encrypted data after authenticating (with a different hash of the master password, not the one that derives the encryption key). But IMO if you really trust your password manager, you should explicitly publish the encrypted vault.

              1. 1

                Not LastPass last time that I checked. You give them your password unhashed. It was widely ridiculed and people still use it. Their support team also won’t document their encryption process, saying it’s a “security risk”.

            1. 2

              You know your docs are bad (or nearly nonexistent) when it’s easier to write your own Matrix server than it is to install Synapse. Maybe this project will teach me how to do a “proper” HTTP-based service that my future jobs may involve.

              1. 1

                Did you find the document at https://github.com/matrix-org/synapse/blob/master/INSTALL.md ? I’m curious about what issues you’re having installing the software. I’ve done it a couple of times and it’s been basically fine for me at least – and I’m doing so on OmniOS, which is somewhat off the beaten path already.

                1. 1

                  In terms of alternative homeservers, I am interested in Conduit, but I haven’t used it yet.

                  It seems to support most of the Matrix protocol aside from federation. If all you want out of a Matrix server is a set of internal chat rooms, it’d be cool to give it a try!

                1. 1

                  As an unemployed student:

                  • .config/
                  • .cache/
                  • .dotfiles/
                    • .git/
                    • [various packages managed by GNU stow]
                  • Documents/
                    • Backups/
                      • yyyy-mm-dd-description.tar.zst.age
                    • Development/
                      • Hardware/
                      • Projects/ # Large scale, multi-subproject “Projects”
                      • Miscellaneous/
                      • Web/
                  • Music/
                  • Screenshots/
                    • yyyy/
                      • mm/
                        • dd/
                          • hh-mm-ss(-n).png
                  • Videos/
                    • Projects/
                    • Recordings/
                    • Movies/
                      • Subtitles/

                  Backups are manual: I copy the target folder, throw it in a tar, compress the tarball with zstandard, and encrypt it with a passphrase using age. It wouldn’t be hard to throw this workflow into cron though.

                  1. 0

                    I hate these use-ids & fragments for magical behavior - it messes up my browsing history and it’s annoying. I would expect a JS solution if JS is possible and an optional fallback to ids only when no JS is executed.

                    1. 22

                      This is literally plain HTML. If something is magical here, it is the usage of javascript to emulate a behavior that has been standard in the web since the nineties.

                      1. 5

                        I gave up on the back button roughly a decade ago.

                        1. 3

                          I wanted to ask you what kind of browser would do such a silly thing, but apparently that’s (also?) what Firefox does: fragments do get added to history, and all the “back” button does is dropping the fragment.

                          I still find it peculiar that there’s even a need for such button (on PC I have a Home button, and on mobile providing one should be the browser’s job imo), but seems like there is a good reason why people use JS for this after all.

                          1. 24

                            I like that it gets added to the history. You can press a link to a reference or footnote, and then press back to go to where you were.

                            1. 4

                              There has been a craze for “hash-bang URLs” that abused URL fragments for keeping state and performing navigation. This let JS take over the whole site and make it painfully slow in the name of being a RESTful web application.

                              That was when HTML5 pushState was still too poorly supported and too buggy to be usable. But we’re now stuck with some sites still relying on the hashbang URLs, so removing them from history would be a breaking change.

                              1. 2

                                It’s always crazy to see how people abuse the anchor tag. My favourite personal abuse is I kept finding that SysAdmins and IT were always just emailing cleartext credentials for password resets and during pentests I’d often use this to my advantage (mass watching for password reset emails for example). So I jokingly ended up writing a stupid “password” share system that embedded crypto keys in the hash url and would delete itself on the backend after being viewed once: https://blacknote.aerstone.com/

                                Again, this is stupid for so many reasons, but I did enjoy abusing it for the “doesn’t send server side” use case. EDIT: I originally had much more aggressive don’t use this messages, but corporate gods don’t like that.

                                1. 1

                                  One useful trait of hash-bang URLs is that your path is not sent to the server. This is useful for things like encryption keys. MEGA and others definitely use this as lawful deniability that they cannot reveal the contents of past-requested content. Though, if given a court order I suppose they can be forced to reveal future requests by placing a backdoor in the decryption JS.

                              2. 2

                                Hmmm that’s a good point, and not something I had considered. Thanks for the feedback.

                              1. 1

                                I really enjoyed this post. I love macros and PLT, and rust’s proc_macros have always interested me.

                                Unrelated: I like the typography and general styling on this website. The scroll-behavior took me by suprise, but it’s quite pleasant.

                                1. 5

                                  Fwiw, I think I prefer the abrupt jump.

                                  I’ll take my 200ms of time over the slick experience.

                                  1. 3

                                    In a userstyle:

                                    * {
                                      scroll-behavior: auto !important;
                                    }
                                    
                                  1. 5

                                    I’m wondering what anti-abuse mechanisms are being employed. I’ve had to filter out several disposable email domains in the past (as per business directives). What’s to make this service any different from the rest? Granted, making a disposable gmail address is rather easy, but a counter argument would cite that gmail is more often used by legitimate people for legitimate purposes unlike other simple disposable email address solutions.

                                    1. 5

                                      As far as I know, this is only for receiving emails, which makes anti-abuse a lot easier.

                                      1. 4

                                        Here, you should think of “abuse” as in “making a ton of accounts with one e-mail address”.

                                        Most services ban specific services similar to this one. Some even whitelist domains such as gmail.com, so you can’t even use your own domain.

                                        1. 4

                                          The proposal appears to be a rate limit on new addresses over time

                                    1. 3

                                      I wish there were something like this for phone numbers. Of course, they’re more artificially scarce than email addresses, but still.

                                      1. 5

                                        You can use https://jmp.chat/ for this - it supports short codes so should work for most services.

                                        There is work being done to facilitate this particular use case, but in the meantime you can use a new trial account for each new number. As you alluded to, phone numbers are scarce, so re-use is much more likely after the number has “expired”. Also, phone numbers cost real money, so it’s harder to offer the service.

                                      1. 1

                                        I have two.

                                        https://anthony.som.codes/ which is about general development,

                                        and https://hackery.site/ about game hacking.

                                        1. 3

                                          The whole system is statically linked

                                          I’m curious: What benefits does this have, in practice?

                                          1. 4

                                            The dynamic linking adds a few performance overhead which defeat the disk usage benefits (and memory usage benefits are tiny), but let’s say we do not care about a “tiny” (I don’t really know how much) performance overhead.

                                            This adds complexity to the toolchain, and saying “we got that working anyway” means I am not the one dealing with the problem, not that this is not a problem. :)

                                            • How to update libcurl or libc library while still being sure you will not break your package manager (and therefore, the ability to rollback!),
                                            • How deal with an upgrade of a library that /will/ break the binaries (temporarily) until you also upgrade the binaries (in case of ABI change).
                                            1. 2

                                              Sounds cool. Really great to avoid the problem of partially updating your system, leading to a breakage

                                            2. 1

                                              for me the best thing is portability, and not dealing with versioning of libraries (as josuah cited about painless updates). others benefits may include:

                                              • speed gain (no time to load libraries)
                                              • more secure (no ldd exploits)
                                              • reduce space usage (because you won’t need to keep entire libraries when only a single package depends on them)
                                            1. 4

                                              If you’re in the market for something smaller than a tenkeyless board, I would highly recommend building your own, or at least getting one where you can flash customized firmware. A small board is made so much better when you’ve chosen the keymap to be instantly intuitive to yourself.

                                              1. 1

                                                You should try with Firefox instead of Chromium. For me, Firefox WebRTC support is able to let you select individual screens. However, I am also now using Zoom which just works and is a moderate CPU hog.

                                                1. 2

                                                  Article:

                                                  Both Firefox and Chrome suffer from the same issue when trying to screenshare from a multi-head setup on Linux. They do not have the XRandR integration that allows you to choose an individual monitor, despite having this same functionality on other operating systems.

                                                  1. 1

                                                    Firefox requires pulseaudio, which on my machine means that the audio will randomly cut out 2-3 times a week. I hate using Chromium, but I keep it around specifically for this reason.

                                                    1. 1

                                                      I use sndio on my system. When Firefox is not emitting sound, a “pkill pulseaudio” fixes it right up.

                                                  1. 3

                                                    I don’t often screenshare on Linux, but when I do, I’ve found the average WebRTC video chat service has functional screensharing.

                                                    1. 2

                                                      Do they do separation of multiple monitors? I test Jitsi Meet in this post.

                                                      1. 2

                                                        Ah, admittedly, I haven’t tried that. Only shared a laptop, and a pre-multi-monitor desktop. (I realize that you said you were lamenting multi-monitor not working…)

                                                      2. 2

                                                        I’ve read that there’s basically only one or two WebRTC implementations, and all the various screenshare/video-call programs are just different wrappers around the same tech.

                                                      1. 5

                                                        Maybe not ideal, but isn’t TeamViewer a simple viable option?

                                                        1. 8

                                                          Also Google Hangouts works under Wayland.

                                                          1. 7

                                                            Zoom (not a recommendation really, just what we use at the company) also does screen-sharing with Wayland. If you’re not using the Flatpak packaged version that is.

                                                            1. 3

                                                              Also been using Zoom at two different workplaces for years now on Linux. Works well enough.

                                                              (This is with Void Linux and using EXWM/StumpWM/i3, so no ‘standard’ Linux.)

                                                              edit: this is not totally true: Zoom is kinda wonky with tiling window managers, or at least with StumpWM and EXWM.

                                                              1. 2

                                                                Zoom works fine on X too as far as I’ve seen.

                                                                1. 1

                                                                  I had to use zoom for my last job and it was…. finicky on my Linux box. It’d often work just fine, but it was also liable to pop up a full-screen black window when I attempted to screen share, meaning both me and the other people on the call would only see black.

                                                                  I hypothesized it was trying to do a transparent window to capture clicks or something and since I don’t run a compositor (imo translucent windows are a totally pointless wtf) maybe it ended up black instead.

                                                                  Except it wouldn’t always do it. So I don’t know.

                                                                  I also had a weird experience with my multiple monitors but again it would sometimes just work.

                                                                  What I ended up doing most the time is if I know I had to present on the call, I’d just get out my Windows laptop and do it from there.


                                                                  And before the company switched to zoom (and also sometimes after lol it depended on who was organizing the meeting) it was all about google hangouts. The screen share there for a while didn’t work at all, then google changed from the plugin to the html5 thingy and it actually worked pretty reliably for a while… then it just quit working again later, iirc around the time they rebranded from “hangouts” to “meet” but that could be coincidence since I updated firefox and a few libs too. So I don’t know if it was something I did or mozilla or something google or whatever did that broke it. But again, I would tend to just take calls from Windows when I knew ahead of time I had to present just to avoid taking the risk of the embarrassing delay of it not working.

                                                                  1. 1

                                                                    Compositing isn’t just about clever transparency effects, it actually provides a really nice performance benefit by changing the way that windows are drawn. In a non-composited flow, there’s basically one buffer that all windows draw to, and that buffer is displayed directly on the screen. Whenever you raise a window, it needs to paint itself ASAP to that buffer so that you can see it on the screen. Whenever you move a window, any windows under it need to redraw themselves, because parts of them that were covered up (and weren’t painted before) are now visible. The result is a bunch of processing, a bunch of context switches, and often a bunch of flickering or sluggishness.

                                                                    But with compositing, every window gets its own buffer to draw to, without interference from everything else. The compositor just tells the graphics card how to make them appear on screen, and they do. Yes, this enables effects like transparency, and blur, and window previews in task switchers, but it also means that apps only need to redraw themselves when they actually want to display some new content. There’s no rush to repaint whenever you raise or drag a window, because everything is already there; the compositor just has to update the display list a little bit. The result is a system that does less work and feels a whole lot snappier.

                                                                    1. 1

                                                                      Those performance benefits can be surpassed by older techniques, though the result is slightly different. My system is set up like it is 1995 - there’s no animated effects and window moves/resizes only appear as an outline until you release the click, at which point the move/size is completed. As a result, there’s simply very little work to do at all - for the bulk of the operation, it is just a small rectangle outline getting xored across the existing memory. Since xor is reversable, when it is time to draw the next frame, you just xor the old one again, undoing it, and then xor the new one. No application repaint or extra buffer required.

                                                                      At the end, when the exposed windows do need to be redrawn, it is just one operation and there’s not a huge rush to do it (if it can’t be done in one frame, meh, since it isn’t animated it isn’t that bad). But since there’s very little to do - at the end the windowing system calculates the specific rectangles of the specific windows that need it which can be done very quickly too (or else the application may maintain its own double buffering and thus it reduces to that same operation the compositor would be doing. In fact I suspect many programs end up triple buffering because they still do their own thing AND the compositor keeps a copy!).

                                                                  2. 1

                                                                    I use both Zoom and https://meet.jit.si on xorg; Zoom used to crash and sometimes hide its controls, but some time in the last year or so they’ve gotten it to be pretty reliable. Jitsi has a few more dropped calls, but other than that it is more reliable in the UI and sharing aspects.

                                                                2. 3

                                                                  It depends what compositor you’re using. GNOME and KDE seem to work fine, but I couldn’t get any browser-based display capture working on sway, even with the xdg-portal-wlroots package

                                                                  1. 1

                                                                    Are you sure? https://bbs.archlinux.org/viewtopic.php?id=249421

                                                                    Seems like there is a project called PipeWire that’s supposed to bring screensharing to Wayland.

                                                                1. 9

                                                                  Having Firefox running in the background is not really the same thing as using lynx, links, w3m or whatever…

                                                                  1. 4

                                                                    The idea is that it runs on another machine that’s more powerful / has less battery demand

                                                                  1. 1

                                                                    https://anthony.som.codes/

                                                                    Using my own static site generator, that uses deno. It’s pretty fun to work on.

                                                                    1. 1

                                                                      What’s amazing about this article, is it’s written by a high schooler?

                                                                      bored high school student

                                                                      That’s amazing, to the point where I can hardly believe it!

                                                                      On topic of the actual article: looks like BattlEye is trying to remain efficient while requiring online connectivity.

                                                                      It will be interesting to see this disappear with in-cpu secret handling. It would destroy a lucrative market.

                                                                      1. 1

                                                                        As someone who used to be into videogame reversing, I would say that the vast majority of the community is in the 14-21 age range.

                                                                        1. 1

                                                                          I’ve been into video game reversing since I was 16. I can tell you, the vast majority you speak of are absolutely “wannabe hackers”. Usually it’s the 1 or 2 within the large group that know what is actually happening.

                                                                          And this is beyond game reversing. This is anti-cheat reversing which is a whole category of its own.

                                                                          I apologize coming off as maybe offensive / aggressive, I really don’t mean it. You are not wrong by your statement, but I’m just pointing out it’s not entirely right. It’s like saying 8 year olds can be seen as mathematicians…At least in my mind.