One of the things that is destroying the web is WASM and JavaScript.
This isn't really even a joke - it's literal.
By having all these tools to make a web browser have unfettered access to the system, it becomes unsafe to allow users to generate arbitrary code. We can't have another MySpace or NeoPets User Lookup because we can't allow users to write their own HTML, because that's *dangerous*.
So my project planning document at work is a wiki page called "Looming Disasters". It's just stuff that might explode.
I just had to add a slack thread to one of these disasters as illustration. >.<
@Hypolite Petovan I didn't want to link originally since no advertising.
But yeah - I also just want to be clear - the game is one of the most awful I've ever played. It was hell.
I’ve been out of the CISO world for 3.5 months now, and that’s given me a lot of perspective. I’ve had a chance to reflect on what I’ve learned over 30 years in IT and have spoken to a bunch of people recently.
I can summarize what organizations need to do to better secure their data, prevent ransomware and whatnot:
Stop fucking around.
I think that will be the title of my book.
Please have a chapter on data governance strategy.
"Pick your data. Pick ... pick less data. Put some back. That's too many datas."
#rescueTransRescue financial update!
So far, the exhibit has raised a bit over $500 through sales 🎉
Is your natural carbon sink continually growing its biomass, each year containing more biomass than the year before? Then it's an actual carbon sink. If it's at equilibrium it's a carbon store.
That's also important! Don't cut it down, for the love of our biome, but don't pretend like you can keep burning old trees you pumped out of the ground just because you have a pile of fresh trees just standing around.
If we want to fix our carbon balance we need to first of all stop digging and pumping more carbon out of the ground, because eventually that will all end up in our air. But we also need to start putting it back in the ground where it came from, or putting it somewhere else where it won't go into the atmosphere for a long time, preferably for centuries or even millennia.
theguardian.com/environment/20…
"As human emissions rose, the amount absorbed by nature increased too: higher carbon dioxide can mean plants grow faster, storing more carbon. But this balance is beginning to shift, driven by rising heat."
"Only one major tropical rainforest – the Congo basin – remains a strong carbon sink that removes more than it releases into the atmosphere."
The mention of the Congo rain forest reminded me that local activists would really appreciate it if people would stop chopping the rain forest down and stop killing people trying to protect the rain forest
There are forests and soils and mycelial networks that drive more carbon into the soil, there are solutions like biochar for taking wood and plowing it into the soil, allowing a new tree to grow in that tree's place, there are algae and plankton in the ocean that actually make carbon fall to the ocean floor (the article above just taught me that), there are people working on mechanical and chemical ways of removing carbon from the air.
All of these sinks together cannot compete with how much we are still, *increasingly*, pumping and digging out of the ground.
That has to stop, that's step zero, and then all of these ways of reducing existing carbon can be our way to get back to 20th century climate, maybe some time in the 22nd century. But that's currently a fantasy, as we're not even stopping the escalation of burning 300-million-year-old trees and other plants.
(I had to look it up, trees showed up 370 Mya, so they're in there) 😅
My job is technical support for a small company, but I often end up doing technical support for big companies too. Because when the problem is in between our servers and the servers of a big company (like with email deliverability, DNS config, etc) guess who is easier to reach? Guess who actually cares about getting it into a working state?
So I too, am a tech support dope 🤷
In light of our praise of the Internet Archive - can we make sure to use Indigo as an example of another org that did the right thing after a databreach?
Took everything down, fixed it, and improved the process.
I'm not caping for Indigo. I just know people who still haven't forgiven them, and this is the attitude we need to be encouraging, and putting into people's minds as a good thing.
Staying up during a breach investigation should be seen like running with a broken leg.
Build small, simple, inspectable programs.
Build them this way so others can understand them; so Future You can fix them, even when you're tired, when the duties of life rest heavily on your aching shoulders, when it would be easier to let the breakage lie.
Build simple things because fulfilling duty and taking responsibility is more important than automation.
I think it'd be like 255.255.255.3? So the nets are (say) 192.168.1.0, 1.1, 1.2, and 1.3, and the hosts are ... jesus, this is why nobody's tried this.
Bitwise, it'd be: xxx00, xxx01, xxx10, xxx11
0 net: .4, .8, .12, .16, .20…
1 net: .5, .9... yeah, that makes sense.
2 net: .6, .10…
3 net: .7, .11, .15, .19, .23…
and so on.
This was asked in a meeting with NeXT engineers while I was a contractor at a government agency in the early 90’s. I think their answer was... “We support it... maybe? Why would you want to?”
I've always wanted to try, just for the hell of it, but I suspect 99% of networking gear would break.
It used to be (I guess this was before CIDR became popular) that netmasks were expressed as literal bitmasks. So a /24 would actually be written as “192.168.1.0, netmask 255.255.255.0” where the “24” represents the leading 24 bits representing the network (192.168.1).
So a /28 would be... 255.255.255.240 (11110000).
But it was always a consecutive string of “1” bits, and the hosts were the remaining block of lower-most "0" bits. Usually 8, for a /24, but often smaller (for, say, a small block of public IPs your ISP gives you). I remember the net my office desktop was on in school that was 255.255.254.0 (or /23). That network used 9 bits for 512 hosts. (ish - router and broadcast addresses are still needed out of that 512).
A non-contiguous netmask would mean that consecutive final octets would be on consecutively different networks.
255.255.255.3 would be all 1s, then 00000011, so the NET portion is .0, .1, .2, and .3. So hosts .4, .5, .6, .7, .8, .9, .10, .11, .12... would be on networks 0, 1, 2, 3, 0, 1, 2, 3, 0….
Like I said, I doubt much of anything would support it now. Even when we wrote netmasks as bitmasks, it's likely most gear would've just failed using this approach.
It really is a cursed idea. :)
This wiki page may help, too. Once you see it, it's ... logical? (I won't say “easy”). en.wikipedia.org/wiki/Subnet
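The arithmetic in the post above, worked through in code. This is an added illustration and not something anyone in the thread posted; the addresses and the 255.255.255.3 mask are the thread's own, and the final function simply asks Python's standard library whether it will accept such a mask at all.

```python
"""Non-contiguous IPv4 netmasks: what a host would compute, and whether tooling accepts them.

Added illustration for the netmask thread; not code from any participant.
The 192.168.1.x addresses and the 255.255.255.3 mask come from the thread.
"""
import ipaddress


def ip_to_int(dotted: str) -> int:
    """Dotted quad -> 32-bit integer, rejecting octets outside 0..255."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not a dotted quad: {dotted!r}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_ip(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def is_contiguous(mask: str) -> bool:
    """True for a classic mask: all 1 bits to the left of all 0 bits (e.g. 255.255.254.0)."""
    host_bits = (~ip_to_int(mask)) & 0xFFFFFFFF
    # The host part must look like 0...01...1, i.e. one less than a power of two.
    return (host_bits & (host_bits + 1)) == 0


def prefix_length(mask: str) -> int:
    """The /N a contiguous mask corresponds to; a non-contiguous mask has none."""
    if not is_contiguous(mask):
        raise ValueError(f"{mask} has no /N form: its 1 bits are not contiguous")
    return bin(ip_to_int(mask)).count("1")


def network_of(addr: str, mask: str) -> str:
    """Network part of addr under mask: a bitwise AND, exactly as a host computes it."""
    return int_to_ip(ip_to_int(addr) & ip_to_int(mask))


def group_by_network(addrs, mask):
    """Map each network (dotted quad) to the hosts that land on it under mask."""
    groups = {}
    for a in addrs:
        groups.setdefault(network_of(a, mask), []).append(a)
    return groups


def stdlib_accepts(cidr: str) -> bool:
    """Does Python's ipaddress module accept this network/mask string at all?"""
    try:
        ipaddress.ip_network(cidr, strict=False)
        return True
    except ValueError:  # NetmaskValueError is a ValueError subclass
        return False


if __name__ == "__main__":
    cursed = "255.255.255.3"
    hosts = [f"192.168.1.{n}" for n in range(4, 24)]
    for net, members in sorted(group_by_network(hosts, cursed).items()):
        print(f"network {net}: {', '.join('.' + h.split('.')[-1] for h in members)}")
    print("contiguous?", is_contiguous(cursed),
          "| stdlib accepts it?", stdlib_accepts("192.168.1.0/" + cursed))
    print("255.255.254.0 is /" + str(prefix_length("255.255.254.0")))
```

Running it reproduces the post's table: .4, .8, .12, .16, .20 on network .0, .5, .9, .13, .17, .21 on .1, and so on, while `ipaddress` refuses `192.168.1.0/255.255.255.3` outright, which is the "nothing supports it" point in concrete form.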
@David Schuetz Oh, I see, a subnet mask bitmap with non-contiguous 1s - that makes sense. Gross.
So something like 192.168.90.256/192.255.148.45, not just a wall of 1s.
(I know enough to set subnet masks on weird ancient gear ;), but I almost always am setting 255.255.255.0 and 255.255.255.255 because /24s rule everything around me. But yeah - reasonable)
I just don't know if I have any gear that would parse subnet masks like that enough to confuse it.
@Jonathan Lamothe @David Schuetz Are you aware of the RFC 864 Compliant Dungeons and Dragons Character Generator I worked on?
@Dave worked on a bunch of it and I need to replace his work (not because I don't like it -but because I want to do the actual work not just crib his, the goal was to learn socket code).
Tragic. I was hoping I could get firefox to accept my bullshit, but it's correct it doesn't work
Send me your Southern Ontario Urbanist accounts on Mastodon and the Fediverse! I wanna use this more than Bluesky.
Boosting would be nice. 😄
#AskFedi #BikeTooter #Urbanism #Transportation #CarFree #Guelph #Kitchener #Waterloo #Ottawa #CycleKW #Cycling #ActiveTransport #GCAT
I am trying out BS now and like it
Can you tell me what you dislike about BS ?
thanks !!
@failedLyndonLaRouchite Bluesky is another Silicon Valley for-profit startup which is nominally better but still relies on "trust me bro, big tech can be nice THIS time."
Bsky ditched the ActivityPub protocol to create a protocol they control. Despite claiming to be decentralised, bsky is still highly centralised and federates with itself, refusing to federate with the many existing fediverse sites.
Mastodon is a truly decentralized nonprofit that federates widely and uses open standards.
Why does the SecTor app contain several trackers?! I mean - I'm not installing it because of this, and that's a pain in the ass?
Shouldn't we, as security people, be able to notice this shit and be better than it?
@Dave "Wear A Goddamn Mask" Cochran :donor: One day the risk management discipline will manage risk
Uuuug, I'm already so concerned about SecTor, vaxing, nitrite nasal spray, and an N95 mask, baaaaah
Did you know that Unix-like operating systems come with a utility that you can use to answer yes/no questions rather than turning to an LLM?
$ echo "Should I use an LLM for my next project?" | yes no
The kids helped, they definitely got distracted, but they helped!
They, most importantly, got to see inside a computer and were allowed to touch all the pieces.
My kids have been able to use their computers for lots of little things
And to be clear:
the 5yo is playing Mario and a few other small games, mostly micro-indie games
the 3yo is listening to audiobooks and lullabies using a device he's built.
This isn't full hacking - this is still kids.
I'm looking at sourcing some classic lego motors to see if I can use these as the brains of a lego robot.
@Michael Brown lol - that's also a pretty good option.
My goal is to make an ebook reader that will start playing when a CF card is inserted. And then bulk buy 128MB cards and put books on them.
i feel like the thing that's missing from all the online voting discourse is that the core part of your base doesn't just vote, they *move their communities* by doing all the annoying door-knocker volunteer shit that gets other people voting
and they can't do that very well if they're eating shit
because you need enthusiasm to do all that volunteer shit
and you need enthusiasm to *sell* the candidate, it's the bedrock of doing outreach with any semblance of sincerity
these frustrated, beleaguered, constantly-smeared people can force themselves to vote but that's not where the bar is!
you will lose thousands and thousands of other votes they bring in if that's where you set the bar!
Juniors, here's why it's always better to raise your mistakes early and get help: You're very unlikely to be fired over a mistake you owned up to.
Me helping you fix your mistake is cheap.
Recruiting your replacement costs more.
But recovering from a cover-up is REALLY costly.
Way way back in the day on a school trip, I thought a soap dispenser at the facility we visited was a "pull handle out for soap" model.
It was a push handle in to release soap model.
I ripped that box clean off the wall.
The people in charge were pleased I reported the accidental destruction rather than doing the pretend it wasn't you cowardly ostrich approach and made it a teaching moment for the rest of the class.
Good times.
Something looks suspicious about the IA attack, and I suspect the goal is to change sentiment about *something*, probably the Internet Archive, but it's not clear what, and it may be more than one thing. It seems like someone probably paid a hacking agency to do this, very possibly a publishing house upset about copyright claims, and I say that especially because:
- "See you on Have I Been Pwned", but really, this is one of the least dramatic things to end up on HIBP of all time: it's names and email addresses sure, but all the passwords are properly hashed and there isn't much else. So why gloat about it?
- There seems to be an attempt to lower public impression of IA in terms of talking about its tech "held up with sticks". It is old tech, so maybe, but why the focus on that?
- If you analyze the HN thread about it for comments in terms of when posted, there were a bunch of sockpuppet accounts created almost immediately after the post was made, seemingly to add comments: news.ycombinator.com/user?id=N… news.ycombinator.com/user?id=h… news.ycombinator.com/user?id=1… news.ycombinator.com/user?id=M…
- An allegedly pro-Palestinian militant hacking group is claiming responsibility, but their rationale doesn't make sense: they say it's because the IA is an American company, and the US is helping Israel. But why the IA *specifically*? This seems like a false flag operation either to draw attention away from the real perpetrators, or possibly to try to turn technically inclined people against pro-Palestinian activists x.com/sn_darkmeta/status/18441…
The IA *is* engaged in several fights with publishers and people who have beef on copyright grounds. It's entirely possible one of them hired a nation-state affiliated hacking group (of which there are quite a few) that had a side beef, or that group is trying to throw the public off its tracks, but regardless, sock puppets like this typically appear after a hacking attack when there's a paid organization.
Regardless, nobody else is keeping the internet's history alive, and yes, the IA has made some mistakes sometimes, but I stand behind them and wish their staff strength in dealing with this time.
To the dumbasses that are like "please don't share our site on mastodon" my $4/month VPS can handle all the requests from my 1.6 thousand followers without even going up in CPU usage at all.
Optimize your godawful website.
@kaimac It's 256 /64s, which is the only measurement of IPv6 addresses most people should ever worry about.
All the ^ notations and strings of digits are meaningless when you're supposed to allocate 2^64 (18,446,744,073,709,551,616) of them at a time.
256 networks. Kind of a lot, but the next nibble boundary down only gives you 16 networks, which is fine for anyone who rolls with defaults, but is a little weak for even moderate tech hobbyists.
1. Taking off my spectacles, pinching the bridge of my nose then asking "What is the problem you are actually trying to solve?".
2. Peering over my spectacles and asking "…and at the time, did anyone express any concerns about that course of action?".
3. Taking long drag from my cigarette and intoning the ancient proverb "The root cause is that our processes are not robust enough to prevent a person from making this mistake." before being told "Amy please not right now.".
4. Riffling my notes and beginning the explanation to the auditor or committee with "So, you see, what had happened was…".
5. Making direct eye contact with an engineer through a webcam and asking first how long that will take and then whether the plan is missing any steps.
If you came from #BlackTwitter I wanna follow you. Tryna find my people. I need more Black humor, culture, opinions, and experiences on my TL. I need more Black folx on my TL. I miss us.
If that's not you, that's totally fine too. Gimme a repost and help me with my search?
If you never liked Twitter in the first place, sit this post out.
Searching across #BlackMastodon #blackFedi and shit, nahmean?
My 3yo got through 1 paragraph of @Michael W Lucas¹ :flan_mail: 's SSH Mastery before saying "I'm done with this book"
I think these books aren't for toddlers!
@sirwumpus
He's far too young to have chosen a preferred OS.
Give him ten years, and he'll experiment with Inferno just because he thinks it'll piss off Dad.
@Michael W Lucas¹ :flan_mail: @SirWumpus His grandpa's university friend wrote Inferno, so uh... he has the access
My dad wrote Coherent, so I rebelled against my OS dev dad by becoming a sysadmin, so I hope he makes better decisions than me
I wonder if Tim Pool will have to give back his Russian propaganda funded skatepark
This is a sentence I just idly thought, this is a glimpse into madness
Thinking about Bandcamp and incentives.
So I just bought music from derinaharveyband.bandcamp.com/… and you should too. You should buy it all and leave a tip. But, let's talk incentives.
So I want to buy Derina's music, because the way she sings makes me want to scream, weep, join the chorus, and somehow fly. And if she releases a new anything, I want to know one second after, if not early enough I can preorder.
But I don't buy a lot of music, I have extensive ear damage and most music falls flat for me. So I don't care about much other music.
Derina Harvey Band doesn't care what music I buy, as long as I buy theirs (they are probably good people and hope I support their community though, back there in a second).
So Derina Harvey Band and I have a relationship (I want to give them money), but they want to make more, so they use Bandcamp for discoverability. I found their bandcamp before I found their website! So bandcamp is good! It facilitated a relationship, and I get to hear about the sea.
But now Bandcamp wants to spam me about not-Derina-Harvey, they want me to learn about Nathan Evans or whoever, bands I really don't want to engage with, since I might buy their music. And this has led me to turn off all communications from Bandcamp. This means I miss when bands I like release music.
So, because there's a broker (platform) who is going to mediate my relationship with Derina Harvey Band, I am going to lose out. Bandcamp turned a new fan into a new customer, but made it harder for a customer to stay a customer.
And, I want to be clear here, there was not even regular Enshittification. It's Bandcamp Friday, I sent the band slightly over full price for all their albums and they're probably getting, as cash, the full price of all their albums, the platform took nothing. But the band also doesn't have a POSSE style setup, I need to use a platform to learn about tours and releases, and I don't.
I dunno, this is just a tragic story, there's no lesson we don't all know, and there's no solution that isn't to tell a band to manage their own mailing list. The obvious solution is to create a platform that isn't evil, but even then, I don't think that's possible because of all this.
Abolish capitalism so I can revel in a shanty about how capitalism ruins sailing.
Bandcamp won't let you, but one "Paweł Grzybek" has set this service up based on another. It's limited to 100,000 daily requests, so he requests people don't hammer it too much.
pawelgrzybek.com/generate-rss-…
I guess that means you can't get notified the very second another album comes out, but I bet once per day wouldn't strain Paweł's limits too much.
Generate RSS feed for Bandcamp artists using Deno Deploy | pawelgrzybek.com
I mentioned multiple times how much I like RSS. But unfortunately, not every website I use generates feeds — Bandcamp is one of them.
Justice for Stephanie Woodland
fightbackkw.wordpress.com
@Hypolite Petovan yeah
The point is that if we gave people access to money they would be more able to make software and maintain it
I haven't seen the video, but I worked in reliability there for half a decade.
Reliability and security on that platform (not to mention safety) are huge unsolved problems.
@Hypolite Petovan @Frost, Wolffucker 🐺:therian: CORS allows you to limit cross domain resources. But I can mine bitcoin on your CPU without any cross domain anything. Hell, in theory, I might be able to send spam that way! I can definitely steal your credit card number.
But if I could just add a X-No-Dynamism header that would say "this HTTP session does not send JS or WASM", I could keep everything on my site safe.
I could let users write pretty unfiltered HTML, and most of the tricks would be contained in a frame.
@Hypolite Petovan developer.mozilla.org/en-US/do…
Is there a way to say default-src: none? Or just set no valid sources? not as I recall
@Hypolite Petovan So if I send:
Content-Security-Policy: script-src: 'none'
<html>
<script>alert("OH NO");</script>
</html>
With a valid Content-Length and junk
Would that work?
@Hypolite Petovan Ok - actually
I ran
cat test.txt | nc -l -p 2000
with test.txt containing
(Ignore the fake content length)
I then pointed my browser (librewolf) at it, and it saw these response headers:
And it popped up a popup saying "OH NO"
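The experiment above, rebuilt as an added example (this is not code posted by anyone in the thread). It produces the raw HTTP response that `nc -l -p 2000` would serve, this time with a real Content-Length, and pairs it with a small model of the CSP rules that decide whether a nonce-less inline `<script>` runs: `script-src` governs, `default-src` is the fallback when `script-src` is absent, a directive name the browser does not recognise is ignored, and a source list without `'unsafe-inline'` blocks inline scripts whatever else it contains. The directive list, port and the reuse of the thread's two-line HTML are assumptions made for this example.

```python
"""Serve the thread's test page with a chosen CSP header, and model what CSP says about it.

Added illustration, not code posted in the thread. HTML_BODY is the thread's
own page; KNOWN_DIRECTIVES and the port are assumptions for this example.
"""
import socket
from typing import Dict, List, Optional

HTML_BODY = '<html>\n<script>alert("OH NO");</script>\n</html>\n'

# Directive names a browser recognises. Anything else, e.g. "script-src:"
# with a stray colon, is an unknown directive and is dropped from the policy.
KNOWN_DIRECTIVES = {
    "default-src", "script-src", "script-src-elem", "script-src-attr", "style-src",
    "img-src", "connect-src", "font-src", "frame-src", "object-src", "media-src",
    "child-src", "worker-src", "base-uri", "form-action", "frame-ancestors",
}


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Serialized policy -> {directive: [source expressions]}.

    Directives are separated by ';' and name/values by whitespace; unknown
    names are ignored and a repeated name keeps only its first occurrence.
    """
    policy: Dict[str, List[str]] = {}
    for raw in header.split(";"):
        tokens = raw.strip().split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in KNOWN_DIRECTIVES or name in policy:
            continue
        policy[name] = tokens[1:]
    return policy


def inline_script_allowed(header: Optional[str]) -> bool:
    """Would a nonce-less, hash-less inline <script> execute under this header?"""
    if header is None:
        return True  # no policy at all
    policy = parse_csp(header)
    # Fallback chain for <script> elements: script-src-elem -> script-src -> default-src.
    sources = policy.get("script-src-elem",
                         policy.get("script-src", policy.get("default-src")))
    if sources is None:
        return True  # nothing governs scripts, so nothing is blocked
    lowered = [s.lower() for s in sources]
    if "'unsafe-inline'" not in lowered:
        return False  # 'none', 'self' or host lists all block inline script
    # 'unsafe-inline' is itself ignored once a nonce or hash source is present.
    return not any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-"))
                   for s in lowered)


def build_response(csp: Optional[str], body: str = HTML_BODY) -> bytes:
    """Raw HTTP/1.1 response with a correct Content-Length, ready for nc."""
    payload = body.encode()
    lines = ["HTTP/1.1 200 OK", "Content-Type: text/html; charset=utf-8",
             f"Content-Length: {len(payload)}", "Connection: close"]
    if csp is not None:
        lines.append(f"Content-Security-Policy: {csp}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode() + payload


def serve_once(csp: Optional[str], port: int = 2000) -> None:
    """Answer one browser request on 127.0.0.1:port, then return."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("127.0.0.1", port))
        srv.listen(1)
        conn, _ = srv.accept()
        with conn:
            conn.recv(4096)  # the request; its contents are not needed here
            conn.sendall(build_response(csp))


if __name__ == "__main__":
    for hdr in (None, "script-src: 'none'", "script-src 'none'", "default-src 'none'",
                "script-src 'self'", "default-src 'none'; script-src 'unsafe-inline'"):
        print(f"{hdr!r:58} inline alert runs: {inline_script_allowed(hdr)}")
    # Repeat the browser experiment with a well-formed header, e.g.:
    # serve_once("script-src 'none'")
```

Point a browser at 127.0.0.1:2000 after calling `serve_once(...)` to see the same page served under different headers; the model function gives the expected outcome for each before you open the browser.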
'self'?
unsafe-inline policy is explicitly allowed.
I would also argue that it enables the big corps to limit our freedoms with the computers we bought, by locking us to "the web".
Bare metal is freedom!
Even if people don't like C/C++/Rust/Go/Pascal, it is important that they exist, so others can have their native Python and Node.
I must admit that I do enjoy messing around with WASM, but now that I think of it, it's sort of me enjoying my own leash.
@MontyOnTheRun yeah! We can build these things! Build a limited web and unlimited world!
Remember, never download a .exe from the web, but you're safe otherwise!
in reply to silverwizard • • •CSS Security Vulnerabilities | CSS-Tricks
Chris Coyier (CSS-Tricks)silverwizard
That said, I've gone on record saying JavaScript is overhated, so. Make of that what you will.
in reply to silverwizard • • •I am so using that
It's not a perfect platform. But it's a hell of a lot better than... iOS... or Android... or Windows... or macOS... they're such terrible targets to build for and people use web tech for it anyway.
in reply to silverwizard • • •Samy Kamkar - The MySpace Worm
samy.plsilverwizard