


The hardest part of being the only Security person in my org is that it's really hard to document "this is common knowledge in my field, but arcane knowledge outside it", because everyone is really worried that they don't understand the context, but anyone in the intended audience would understand it without the documentation.


I am slowly going mad

I am trying to report to Simplii Financial that they don't have SSL on simplii.com and they just keep telling me that they have SSL on www.simplii.com

This is one of those "type it into SSL labs and see what pops out situations", incredibly boring, and it just breaks my HSTS and it's annoying and bad.

Their support team needs a screenshot of my browser not connecting, and a version number of a browser and the model number of my computer, and it needs to be running Windows or Mac in order to report this. But they did finally send me to BugCrowd.

BugCrowd tells me that it's a false positive, and that this means SSL is working fine: ssllabs.com/ssltest/analyze.ht…

I am definitely moving my money, but also - is BugCrowd usually this dumb?! Is there anywhere where you can report a (admittedly incredibly minor) security issue to a Canadian bank where someone who knows what SSL is will read it?

in reply to silverwizard

This is their proof that the bareword domain has SSL on it. Which uh, I am glad BugCrowd hires the best.




The theme of this week has been
"damn we made a mistake 2 years ago, I guess we can't ever fix it"

and then me stubbornly deciding to force people to fix it

fun fact: the security team can't get a ticket in the sprint. but they can get a high priority issue to override sprint priorities as part of an incident postmortem.

in reply to silverwizard

A couple years ago I was delighted to be in “code freeze” because the exception process was faster than the normal workflow, so we pushed more code than ever. 😀


silverwizard: One of my skills is giving the *wrong* right answer
becky: It is a skill
becky: I don't know how you do it so effectively so often
EmeraldMagus: That is in fact the category this answer falls under...


Fun fact - working as a tech worker for Meta is very rarely ethical
in reply to silverwizard

@silverwizard Microsoft went a step further and made sure of it: dair-community.social/@emilymb…


MSFT lays off its responsible AI team

The thing that strikes me most about this story from @zoeschiffer and @caseynewton is the way in which the MSFT execs describe the urgency to move "AI models into the hands of customers"

platformer.news/p/microsoft-ju…

>>


in reply to Hypolite Petovan

@Hypolite Petovan I was mostly thinking of people telling me to be empathetic to laid off Meta employees

But yeah - Microsoft and Google employees also don't seem very ethical.

And at least Microsoft seems to be doing it because they outsource all their AI (hopefully they are thinking this) and because they have decided it's layoff season. But at least they aren't Google who fired their best AI ethics person because she was like "Maybe we should not burn the environment for bad AI?"



I wish the RSS Aggregator Without Delusions of Grandeur had a less embarrassing name so I could recommend it to more people
in reply to Spencer

@Spencer The thing is, it's just a really good way to make a stupid simple HTML page out of a group of RSS feeds and get a very boring RSS


I just realized that the thing I want most in terms of clothes is "bondage pants designed by Rob Liefeld"
in reply to silverwizard

Gimme lots of loops and hooks and dozens of little pouches and pockets!


I am "whenever I see What's New I add With Phil and Dixie" years old


My son has decided he wants to make balloons so wants:
Liquid latex and paraffin for the balloon
A star for the helium

I... Am bad at 3 year olds


in reply to silverwizard

You keep getting in fights about things without understanding why they are in place


RFC:
File named README.not-github.md

This file contains something that you should read and isn't your project's secret GitHub website



I just switched the live database underneath an application with 0 downtime - holy crap
in reply to silverwizard

No like, new hardware - switched from MySQL to Amazon Aurora MySQL

my life choices that led me here are bad and mercenary - but it feels way more impressive



I just want some bespoke and rugged cargo pants

Lemme pay a few thousand for a pair of nice canvas pants that will last for years, but make them not suck




People often talk about the barriers to entry of the fediverse and IRC

and uh - what if we called those barriers to entry "culture"



in reply to silverwizard

it's true. the mastodon onboarding problem had basically no technical hurdles and one big "ah shit, what room full of strangers do I walk into?"

(I still don't understand why people act like gambling on which interoperable fediverse instance to join is worse than gambling on which of several mutually incompatible services to join)

in reply to ⛅ w chance of bears

I mean - I get that the problem is:
If I go to Post.News I am done making choices
If I go to the Fediverse, now I need to make a second choice

And I mean - from my end it's a question of wanting to give up on the model (which I've wanted to do for as long as the model has existed)

I also have a weird relationship with the "room full of strangers" question, as I started with "I want a single panel for all my social stuff which can also use the federated stuff" rather than "I want to join this network" (I already had a disused GNUSocial, and a Diaspora account)



As the final embers of the blockchain burn, it turns out that Crypto meant Cryptofascist the whole time


Can people *never* use the term Cleave when trying to make a point?!

Social Cleavage - does this mean people sticking together or being split apart?!

I have no idea! The word cleave is an auto-antonym and both the best and worst word in English!



My brain just thought "Castlevania Burning Wheel" and that sounds great
in reply to silverwizard

Set it in one of the cities ravaged by Night Beasts, whole army of monsters, some leftover. Wolves, both were and mortal roam the town, fresh water must be secured, alliances, the old government and new social structures. Room to flesh out literally hundreds of NPCs if you wish, while still focusing on a band.

Lots of available combat, but with it considered a horrible idea.



Trying to go sledding with the cousins

3L of hot chocolate, bag of marshmallows, little thing of butter, couple knives, and candied orange buns

I am bad at sledding but a good companion

in reply to silverwizard

My nephew made a North American Ticket To Ride that he calls North North America rather than Canadian and added an Airport mechanic

Proud of him (he's 9)



Just had to take candy from a baby, and let me tell you, it was as easy as they say it is


They called the religion Anglican but they didn't call the language Anglicant


Ok, my motto that "JavaScript is excel for webdevs" can now be extended to "WASM is the JVM for JavaScript"
in reply to silverwizard

This is 100% shade at Zellij

If you wanna use WASM as a compilation target, why not use Excel? It's used in more places and serious workflows!




My company has three ways of doing basic WebRTC stuff - and all of them are bad - but the best one is the one we don't pay for and therefore no one uses and I hate it


Keyboard made from a mechanical typewriter with a camera that fires when the striker hits the lens (well, ok, a pad in front of the lens), and OCRs the character printed on the striker


Using BitBucket is a pain in the ass for normal life

But how the fuck does one ever manage schedules? Terraform used to do it - but the provider is archived?!




@EmeraldMagus: "Mind sending me some of your Burning Wheel stuff for formatting?"
Me: *sends over 6000 words of tables...*


I am starting to think that I might have the only actual copy of my favourite song...



Markdown is a tool specifically designed to harm the brain of a programmer

It's 100% syntax and valuable syntactic data - but it's also supposed to be an informal grammar, and programmers can't handle it




Most people are more likely to lose authenticator tokens (their phone, their yubikey) than be hacked by a sophisticated attacker

Password manager 2FA and SMS 2FA solves the threat model that most people live in

(Organizational security has a far different threat model)

in reply to Hypolite Petovan

Which is more likely: a second LastPass situation or me washing my Yubikey?
in reply to Hypolite Petovan

Which is more likely - Becky losing her phone number or a second LastPass?
in reply to silverwizard

@silverwizard A second LastPass, but some SMS 2FA attack vectors don’t require you to lose your phone number, so I’m partial.
in reply to Hypolite Petovan

Oh, no - attacking SMS 2FA is easy to just SIM hijack

I am talking about getting locked out because you accidentally lost your auth app

in reply to silverwizard

@silverwizard Still LastPass, these days losing a *phone number* is pretty hard to do.
in reply to Hypolite Petovan

That's what I'm saying
You won't lose your phone number for SMS or password manager

Whereas losing a phone with a TOTP authenticator setup or losing a yubikey is pretty simple

in reply to silverwizard

So far, every service for which I've registered TOTP (Twitter, Facebook, Mastodon) has offered recovery codes in case I lose my TOTP device. Surely that mitigates @silverwizard's loss model.

@hypolite

in reply to Bob Jonkman

And I keep my password manager DB on several devices. Does that make me as weird as @silverwizard ?

@hypolite

in reply to silverwizard

@silverwizard What's TOTO? I have a KeePass TOTP plugin that I use as the truth source for all my TOTP tokens. Based on the seed it can generate a QR code that token apps can read.
in reply to Hypolite Petovan

Also - I am a terrible example because I have a backup yubikey to sign up two tokens
in reply to silverwizard

Mostly I find myself weirded out by people acting like authenticator apps are high friction in comparison to SMS 2FA. The user experience of "hopefully the code arrives quickly" makes it just that bit unpleasant even when they often *do* come promptly. (Yubikeys have a very obvious $$ barrier to being the norm for individuals.)
in reply to ⛅ w chance of bears

Yeah, I just only have the option of Google TOTP which squicks me, or Yubico TOTP which needs a key, so uh, kinda fails the access test

But also - I am *far* more likely to lose a phone than be hit by SIM swapping (to be clear - only because I'm a dumbass)

in reply to silverwizard

Yeah, most of my TOTP tokens are mirrored across my Yubikeys largely to save headaches when changing phones. I have one on Entrust's app that I can't do that with and the couple of times I've had to move it were a pain finding the instructions again.

But using Yubico TOTP also basically primed me for "password manager TOTP is functionally the same as Google TOTP but with the convenience of device portability"

in reply to ⛅ w chance of bears

Well, the issue most people have with password manager TOTP is that then if your password manager is compromised, then your password is

And the answer to that is "it's complicated" - but yeah - in a perfect world we'd all have two security keys, and one is kept in a secure location and one is kept in a wallet/keychain - but that's not feasible (says the man with that)

in reply to ⛅ w chance of bears

@⛅ w chance of bears Although for authenticator apps, the high friction comes when the device where tokens are installed disappears for some reason (repairs, theft, replacement). Then the real uphill battle starts.


My son asked to watch a song with a video about a train, so I put on a song about a train, and he's like "Why are there lions?"


I mostly respect Indigo's response to their security incident. Shutting down their entire online store takes actual guts.

(If you don't know what Indigo is - it's Canadian Barnes and Noble)



I dummyed a variable for integration testing of our pipelines
And it turns out it silently failed *lint* in the *build stage*, not a prelinter

Pipelines were a mistake

in reply to silverwizard

i went absolutely apeshit on a linter two months ago:

it barfed up a message like "you are adding elements to this array in a fixed-size loop, preallocate space for it first" for some test setup code that was like,

for (int i = 0; i < 1000; i++) { vector.emplace_back(blah blah); }

so the guy fixing all this linter garbage typoed

vector.resize(1000);

instead of

vector.reserve(1000);

so a bunch of unit tests were now using a homogeneous pile of default-constructed elements
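The resize/reserve mix-up above, as an added example that is not code from the thread; TestObject and the helper names are assumed stand-ins for the test setup being described:

```cpp
#include <cstddef>
#include <iostream>
#include <random>
#include <vector>

// Assumed stand-in for the "funny object" the test setup builds.
// A default-constructed instance keeps id == -1, so it can be told
// apart from objects the setup loop actually emplaced.
struct TestObject {
    int id = -1;     // -1: default-constructed, never touched by setup
    int value = 0;
};

// Setup as intended: reserve() only grows capacity, size stays 0,
// so the loop's n objects are the only elements in the vector.
std::vector<TestObject> setupWithReserve(std::size_t n) {
    std::vector<TestObject> v;
    v.reserve(n);
    std::mt19937 rng(42);   // fixed seed keeps the example deterministic
    for (std::size_t i = 0; i < n; ++i)
        v.emplace_back(TestObject{static_cast<int>(i), static_cast<int>(rng() % 1000)});
    return v;
}

// The typo: resize() creates n default-constructed elements up front,
// and the unchanged loop then appends n more after them.
std::vector<TestObject> setupWithResize(std::size_t n) {
    std::vector<TestObject> v;
    v.resize(n);            // size is now n, all elements default-constructed
    std::mt19937 rng(42);
    for (std::size_t i = 0; i < n; ++i)
        v.emplace_back(TestObject{static_cast<int>(i), static_cast<int>(rng() % 1000)});
    return v;
}

// Count the elements setup never initialised: the "homogeneous pile"
// the unit tests ended up running against.
std::size_t countUntouched(const std::vector<TestObject>& v) {
    std::size_t n = 0;
    for (const auto& o : v) if (o.id == -1) ++n;
    return n;
}

int main() {
    std::cout << "reserve: size=" << setupWithReserve(1000).size()
              << " untouched=" << countUntouched(setupWithReserve(1000)) << '\n';
    std::cout << "resize:  size=" << setupWithResize(1000).size()
              << " untouched=" << countUntouched(setupWithResize(1000)) << '\n';
}
```

A unit test that iterates the whole vector, or indexes by position, sees 1000 identical default objects before any randomized one with the resize() version; a size assertion in the setup would have caught it before review.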

in reply to Alex P. 👹

does the linter warn you about "hey, you have a big vector of identical default-constructed elements and then you added 1000 actual randomized test objects to it that none of your code will ever touch?" — no, of course not, that's too complicated for it

¯\_(ツ)_/¯

in reply to Alex P. 👹

Yeah - computers can't read code - and the people writing linters suck - it's hard - I think they're a net good - but seriously - they get in the way so often
in reply to silverwizard

yeah, a net benefit but certainly less useful — and, ime, less trustworthy — than "-Wall -Werror"
in reply to Alex P. 👹

I mean - a compiler warning and a linter is definitely similar.

But yeah - the compiler will usually say "you're an idiot, but I'll allow it" instead of "fuck off and rewrite it"

in reply to Alex P. 👹

I get why the linter said it - but - horrible - these are both *good* uses for a linter - but fuck - that shouldn't have passed review.
But - seriously - make the linter not dumb, and make it make suggestions if it has some.

Also - why the fuck are they populating a vector with a loop?!

in reply to silverwizard

the actual code is more like

for (blah blah) {
// do some rng shit to make a funny object and maybe connect it to some other objects
vector.emplace_back(blah blah);
}



youtube.com/@any_austin this youtuber is rapidly becoming a non-trivial portion of my media diet

But only the series where he does an employment survey of a video game, and then does a report on it - and - uh - what an ideal gimmick

in reply to silverwizard

youtube.com/watch?v=fXs4F1zUay… just slowly falling apart trying to figure out what employment means "The thieves are taking money from people... but I guess that's any job..."


Reading raw HTTP requests and just finding dozens of font faces and a full copy of a PDF viewer flying by me
