✏️ Mark your calendars! In just two weeks, I’ll be offering a free Krita workshop (in French) at Capitole du Libre 2024. This session will be a perfect blend of exploring Krita’s features and sharing valuable drawing tips. I can’t wait to see you there and create together! 🎨
More info: https://cfp.capitoledulibre.org/cdl-2024/talk/KLHKLR/
password hashing advice, re: okta vulnerability, grumbling about security
@AFriendlyBeagle Sort of. In and of itself, bcrypt is fine, in that it does what it says on the tin - but it has an input limit (72 bytes if memory serves) that is not widely known, and easily missed. Usually that's only a problem if you have a very long password (since it's essentially quietly truncated to 72 bytes), but if you're using it for a cache key like Okta was... 😐
My go-to recommendation for new systems nowadays is either argon2id, argon2i, or scrypt (in order of preference, depending on what your environment supports). They're more resistant to GPU cracking than bcrypt is. But as long as you aren't prone to the truncation issue (i.e. you either restrict the input length or you just don't have such long inputs) there's no need to change what's already using bcrypt, the crypto itself is still considered sound.
Really the only things that warrant immediate change are anything using MD5, SHA1, and (due to the risk of incorrect implementation) anything homegrown using SHA256/SHA512. Third-party implementations of e.g. PBKDF based on SHA256/SHA512 should be treated with scrutiny.
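An added illustration of the footgun described in this thread (not code from any of the posts): bcrypt itself is not called, only its 72-byte cut-off is modelled, and the "username followed by password" cache-key layout is an assumption used to show why a long username makes the password stop mattering. The byte-length check is the "restrict the input length" mitigation from the post above, measured in UTF-8 bytes.

```python
BCRYPT_MAX_BYTES = 72  # bcrypt silently ignores everything past this point


def bcrypt_effective_input(data: bytes) -> bytes:
    """Model of what bcrypt actually consumes: only the first 72 bytes.
    (No real bcrypt here; just the truncation behaviour is simulated.)"""
    return data[:BCRYPT_MAX_BYTES]


def within_bcrypt_limit(secret: str) -> bool:
    """True if the whole input will be hashed. Measured in UTF-8 *bytes*,
    not characters: 40 two-byte characters are already 80 bytes."""
    return len(secret.encode("utf-8")) <= BCRYPT_MAX_BYTES


def check_bcrypt_input(secret: str) -> None:
    """Reject, rather than silently truncate, before the value reaches bcrypt."""
    if not within_bcrypt_limit(secret):
        n = len(secret.encode("utf-8"))
        raise ValueError(f"input is {n} bytes; bcrypt only consumes {BCRYPT_MAX_BYTES}")


def cache_key_material(username: str, password: str) -> bytes:
    """Assumed cache-key layout: username concatenated with password."""
    return (username + password).encode("utf-8")


def collides_after_truncation(username: str, pw_a: str, pw_b: str) -> bool:
    """True when two *different* passwords give bcrypt identical input for
    this username, i.e. the password no longer influences the hash at all
    (or only its first few bytes do)."""
    a = bcrypt_effective_input(cache_key_material(username, pw_a))
    b = bcrypt_effective_input(cache_key_material(username, pw_b))
    return pw_a != pw_b and a == b


if __name__ == "__main__":
    # Constructed inputs: an 80-byte username pushes the password entirely
    # past the cut-off, so any two passwords hash the same.
    print(collides_after_truncation("a" * 80, "hunter2", "correcthorse"))  # True
    # With a 70-byte username only the first 2 password bytes survive.
    print(collides_after_truncation("a" * 70, "hunter2", "hunter3"))       # True
    print(within_bcrypt_limit("\u00e9" * 40))                              # False
```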
CW-boost: election manipulation
okta vulnerability, grumbling about security (2)
I will give Okta a tiny bit of credit for having used a cryptographic hash for their cache, which is something that many people get wrong. But that doesn't really help you if you then use the *wrong* cryptographic hash...
re: okta vulnerability, grumbling about security
@riley I mean, this is true for basically every auth company I've seen, they're all snake oil, just some hide it better than others. But that hasn't stopped them from building an 'experts' reputation in the tech world.
re: okta vulnerability, grumbling about security
@Scmbradley Probably nothing illustrates this better than Stormpath, a now-acquired "security and authentication company" that published an article about JWTs, half of which was outright factually incorrect and would never pass even cursory review by a security expert.
re: okta vulnerability, grumbling about security
@Scmbradley Oh, certainly, and this holds true in that case. But in the past few years it's become a bit of a Thing for people in tech circles to say "authentication is too hard to get right, you should outsource it", which ignores that a) this is outsourcing to a company, not a library, which has wildly different consequences, b) none of these companies are actually competent or trustworthy, and c) you're more likely to fuck up the integration with their (usually overly complex) system than you are to fuck up a simple "hash the password" implementation.
okta vulnerability, grumbling about security
Another year, another critical vulnerability in Okta's infrastructure - an authentication bypass for users with long usernames, this time.
They ran up against bcrypt's input limit. You know, exactly the kind of footgun that causes people to recommend "don't try to roll your own authentication, outsource it to experts". Like... Okta. Who used bcrypt. And did it wrong.
I would really like for people to stop recommending external authentication providers. It's not actually *that* hard to implement authentication correctly for the vast majority of cases, if you take some time to read up on how to do it. Outsourcing isn't the answer here.
I find myself wishing on a daily basis that I had built @bitfolk database as postgres from the start instead of MySQL (now MariaDB).
Don't be like me. If your new thing needs a relational DB, Just Use Postgres.
Just after posting this I lost 3 hours of my life to MariaDB's unhinged and cursed "utf8 charset/collation isn't really utf8" nonsense.
@brucelawson And not the first time I've seen a stalebot close an accessibility issue because nobody in a dev team assigned it to themselves, either...
It's 1214 days since I filed a React Native bug because an external keyboard user on Android cannot get focus into a text input field so can't fill in forms. No-one cares. Except people with access needs, of course. https://github.com/facebook/react-native/issues/31820
Tyre mobility kit (spare tyre substitute) says to read the manual for instructions. We check the manual. Not under Tyre. Not under Puncture. Not under Tyre Mobility Kit. Not under Flat.
It's under I. For 'If'. Of course.
LB (https://phpc.social/@elazar/113402568468392900)
Please, as an absolute minimum to participate in society,
*Mask if you know you're sick*
Absolute. Bare. Minimum.
Opinion: Bitter that post-COVID centres turn away ME patients https://www.volkskrant.nl/columns-opinie/opinie-wrang-dat-postcovidcentra-me-patienten-weren~b9b34816/
Technical debt collector and general hype-hater. Early 30s, non-binary, ND, poly, relationship anarchist, generally queer.
- No alt text (request) = no boost.
- Boosts OK for all boostable posts.
- DMs are open.
- Flirting welcome, but be explicit if you want something out of it!
- The devil doesn't need an advocate; no combative arguing in my mentions.
Sometimes horny on main (behind CW), very much into kink (bondage, freeuse, CNC, and other stuff), and believe it or not, very much a submissive bottom :p
My spoons are limited, so I may not always have the energy to respond to messages.
Strong views about abolishing oppression, hierarchy, agency, and self-governance - but I also trust people by default and give them room to grow, unless they give me reason not to. That all also applies to technology and how it's built.