matdevdug

@matdevdug@c.im

Security/Devops engineer. Moved from Chicago to Denmark. I’m an expert on nothing but I’m trying.

thomasfuchs (@thomasfuchs@hachyderm.io), to random

Me: "It's bad and confusing to users that Mastodon doesn't show you all replies to a post (including from accounts or servers that you or your server didn't block)"

Mastodon stans

matdevdug,

@thomasfuchs it’s such a crazy omission. Like mastodon should not have told people they can host their own server when it works like this. If mastodon only fully functions when everyone is on one server, we shouldn’t have wasted time talking about federation.

jerry, to random

Any views on bluesky vs mastodon/fediverse? Seems like lots of buzz about bluesky lately

matdevdug,

@jerry On a technical level I like that your identity on Bluesky is basically DNS: used to look up what PDS stores your data. The use of signed data repositories and the DID standard (https://www.w3.org/TR/did-core/) for account migration makes it much, much easier for users to gracefully migrate without much work on their side. Neither of these would be easy to add to ActivityPub as far as I can tell.

Building in search as a first-class citizen is smart, with the concept of "server" isolated from the higher-level function of “Crawling Indexer". However a lot of the key exchange stuff places a lot of trust in the server/dns stack.

Going through the docs (https://atproto.com/docs) I think it does some things really well compared to Mastodon and has some advantages to ActivityPub, especially around user identity and portability. It does seem geared towards very large servers given how often a smaller server would be needing to make calls to get public keys (which presumably large servers would cache).

I don't think people are going to be hosting PDS on raspberry pis on their own domains. I think it's going to be primarily a small number of commercial servers. However honestly their docs are missing so much information that it's very hard to make an informed guess at this point.
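
The handle-to-DID-to-PDS chain described in the reply above, as an added example; this is not code from the original post or from the atproto project. The DNS TXT answers, the DID document, the key and the hosts are constructed stand-ins (the real lookup is a live DNS query for `_atproto.<handle>` or the `/.well-known/atproto-did` HTTPS fallback, and the DID document comes from the PLC directory or did:web), and the document shape used here (`alsoKnownAs`, the `#atproto` Multikey verification method, the `#atproto_pds` service) follows the atproto docs linked above. What it adds beyond the description is the check that makes the DNS-based identity safe to trust: a handle is only accepted when the DID document it resolves to lists that handle back, which is what stops the owner of one DNS zone from pointing their name at someone else's DID and having clients attribute that user's repository to them.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Constructed DNS TXT answers for _atproto.<handle>, keyed by query name. In
// production this is a live DNS query (or the /.well-known/atproto-did HTTPS
// fallback); embedding it keeps the example offline. Every DID, key and host is made up.
var dnsTXT = map[string][]string{
	"_atproto.alice.example.com":   {"did=did:plc:examplealicedid"},
	"_atproto.mallory.example.com": {"did=did:plc:examplealicedid"}, // zone owner claiming alice's DID
}

// Constructed DID document, keyed by DID (real ones come from the PLC directory or did:web).
var didDocs = map[string]string{
	"did:plc:examplealicedid": `{
  "id": "did:plc:examplealicedid",
  "alsoKnownAs": ["at://alice.example.com"],
  "verificationMethod": [{"id": "did:plc:examplealicedid#atproto", "type": "Multikey",
                          "publicKeyMultibase": "zQ3shNotARealKey"}],
  "service": [{"id": "#atproto_pds", "type": "AtprotoPersonalDataServer", "serviceEndpoint": "https://pds.example.com"}]
}`,
}

// didDoc covers the parts of a DID document an atproto client needs
// (encoding/json matches the inner field names case-insensitively).
type didDoc struct {
	ID                 string                                          `json:"id"`
	AlsoKnownAs        []string                                        `json:"alsoKnownAs"`
	VerificationMethod []struct{ ID, Type, PublicKeyMultibase string } `json:"verificationMethod"`
	Service            []struct{ ID, Type, ServiceEndpoint string }    `json:"service"`
}

// Identity is what a client learns once resolution succeeds.
type Identity struct{ Handle, DID, PDS, SigningKey string }

// handleToDID does the DNS half: the _atproto TXT record names the DID.
func handleToDID(handle string) (string, error) {
	for _, txt := range dnsTXT["_atproto."+strings.ToLower(handle)] {
		if strings.HasPrefix(txt, "did=") {
			return strings.TrimPrefix(txt, "did="), nil
		}
	}
	return "", fmt.Errorf("no _atproto TXT record for %s", handle)
}

// ResolveHandle maps a handle to its DID, PDS and repository signing key. It
// rejects the result unless the DID document points back at the same handle;
// without that bidirectional check any DNS zone owner could claim another user's DID.
func ResolveHandle(handle string) (*Identity, error) {
	did, err := handleToDID(handle)
	if err != nil {
		return nil, err
	}
	var doc didDoc // a missing DID yields an empty string and fails to parse
	if err := json.Unmarshal([]byte(didDocs[did]), &doc); err != nil {
		return nil, fmt.Errorf("DID document for %s unavailable or malformed: %w", did, err)
	}
	if doc.ID != did {
		return nil, errors.New("DID document id does not match the DID that was fetched")
	}
	claimed := false
	for _, aka := range doc.AlsoKnownAs {
		claimed = claimed || strings.EqualFold(aka, "at://"+handle)
	}
	if !claimed {
		return nil, fmt.Errorf("%s is not in alsoKnownAs of %s: handle not verified", handle, did)
	}
	id := &Identity{Handle: handle, DID: did}
	for _, s := range doc.Service {
		if s.ID == "#atproto_pds" && s.Type == "AtprotoPersonalDataServer" {
			id.PDS = s.ServiceEndpoint
		}
	}
	for _, vm := range doc.VerificationMethod {
		if strings.HasSuffix(vm.ID, "#atproto") && vm.Type == "Multikey" {
			id.SigningKey = vm.PublicKeyMultibase
		}
	}
	if id.PDS == "" || id.SigningKey == "" {
		return nil, errors.New("DID document has no PDS service or atproto signing key")
	}
	return id, nil
}

func main() {
	for _, h := range []string{"alice.example.com", "mallory.example.com"} {
		if id, err := ResolveHandle(h); err != nil {
			fmt.Println(h, "->", err)
		} else {
			fmt.Printf("%s -> %s, repo at %s, signs with %s\n", id.Handle, id.DID, id.PDS, id.SigningKey)
		}
	}
}
```

The lookup tables stand in for the network; swapping them for `net.LookupTXT` and an HTTPS fetch of the DID document gives a working resolver, and the `alsoKnownAs` comparison is the line to keep when doing so, since that is the only thing binding the DNS answer to the repository owner.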

kathhayhoe, to random

On Monday, I wrote an essay about climate and biodiversity for Scientific American. I tracked proportional engagement, calculated as (likes + shares + comments)/followers, over six social media platforms.

The winner? MASTODON, by a landslide.

Second place? INSTAGRAM. It's harder to share posts on IG, but a lot of people like things there!

The loser? FACEBOOK, also by a landslide.*

* On Facebook, I've been shadow-banned since August 2018 when they listed clean energy and climate as "socially sensitive topics" so my page there stopped growing 6 years ago and now only about 1% of my followers there ever see my posts. It's actually too bad, because that's the platform where I reach the most conservative audiences through their connections to friends and family. So even though it's dead last, I still persist.

matdevdug,

@kathhayhoe I am shocked people engage with content on LinkedIn. It’s like hanging out in a break room with your most annoying former coworkers.

dansup (@dansup@mastodon.social), to random

https://fedidb.org is no longer including pawoo due to reports of CP.

I should clarify inclusion rules, add a "News" section for situations like this, and update the stats logic to recalculate stats without the removed instances.

I feel like a resource like this should include instances regardless of reputation except in situations where they break the law.

Wdyt? How should we handle this, and what other inclusion rules would you like to see?

Boosts greatly appreciated!

matdevdug,

@dansup Instances should default to not counting towards stats until they’ve demonstrated that they’re not full of spam/CP/junk. If the point of the stats is to demonstrate some sense of progress then any spam server, harassment server or illegal content server shouldn’t count.

paul (@paul@tapbots.social), to random

Why is Bluesky suddenly “trending”? Did they open up a bunch of spots?

I'm still team Mastodon, but if Jack wants to send me 20+ Bitcoins I can take a look. 🤪

matdevdug,

@mekkaokereke Now that the default Mastodon app defaults you to the most popular server, Mastodon.social, do you think that's a positive step towards easier onboarding or a danger to the value of federation and decentralization?

rmondello (@rmondello@hachyderm.io), to random

Passkeys will be importable and exportable, cross-device, and across passkey managers. They aren’t at this time, but they will be. It’s something that’s being defined and designed.

matdevdug,

@rmondello @siracusa Core to the early passkey design docs was the idea that the user can never ever export the private key. This is true across every public/private key design. If users are exporting private keys from specialized key storage hardware, the system has failed.

The only proposal I've seen is that a user would be able to enroll multiple tiered keys at the same time, which solves neither the vendor lock-in problem nor the usability design.

matdevdug,

@dwaite @rmondello Again, I'm totally fine with missing something obvious and I'll gladly eat some crow on this, but this has been an unanswered question about how this will work since 2018, so if there was a decision made somewhere about how the keys get shared I would love to read it and be less wrong.

matdevdug,

@rmondello WebAuthn: https://github.com/w3c/webauthn/issues/931

The Chrome conversation and documentation about passkey sync, with the end result here: https://developers.google.com/identity/passkeys/use-cases#sign-in-with-a-phone

The Yubico spec is the only multiple-device proposal I've read and is what I'm referencing: https://github.com/Yubico/webauthn-recovery-extension/

Finally the formal analysis of the proposal here: https://eprint.iacr.org/2020/1004.pdf

If there’s another chat I’m more than happy to be wrong.

matdevdug,

@dwaite @rmondello I understand that the platform sync is a component of the implementation outside of the spec of WebAuthn and there is nothing preventing vendors from taking the sync component and adding the ability to add a target to the sync. I also understand the difference between a sync and Asynchronous Remote Key Generation.

My confusion is that central to the idea of WebAuthn is hardware-based storage of private keys. So a vendor is basically trusting itself with the sync component to allow for the exporting and mandating of exports of private keys from the hardware to a software sync. Everything we've seen (publicly) has been that the sync process is locked to whatever ecosystem you enroll in. Chrome doesn't sync through the browser to write to arbitrary hardware storage.

Even more complicated is that the standard allows for different levels of quality when it comes to that hardware storage device for keys. So while the sync itself presents an understandable (if high) risk for users, an export either suggests: I can write the private key to a text file and import it to A Password Manager which largely defeats the purpose.

Or vendors are going to extend the sync process to include some other arbitrary target depending on some unknown criteria. I can't find any additional conversation or plans in the spec debate or online in general that lays out how any of that will work, hence my concern.

I.e.: If Apple implements the option to export a private key to 1Password, that's great, but can I put it in Android? Is there a specification that says where I can and cannot put it? Will Apple let me export them in a file and import them into a lower-security device like a cheap Windows laptop?
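
As an added example, not code from the thread above or from any vendor's passkey implementation: a minimal WebAuthn assertion in Go with both sides simulated in one process, so that it is concrete what "the relying party never has the private key" means and what the server can and cannot see about where that key lives. The P-256 key is generated in software here as a stand-in for a secure element, TPM or synced platform store; the rpID, challenge and clientDataJSON are constructed. The flag bits (UP, UV, BE, BS) and the signed message layout (authenticatorData followed by SHA-256 of clientDataJSON) are from the WebAuthn spec; the observation that synced passkeys commonly report a signature counter of zero is an assumption about current deployments, not something the spec mandates.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

// Authenticator data flag bits from the WebAuthn spec.
const (
	flagUP = 0x01 // user present
	flagUV = 0x04 // user verified
	flagBE = 0x08 // backup eligible: the credential may be synced off the device
	flagBS = 0x10 // backup state: the credential is currently backed up
)

// StoredCredential is everything the relying party keeps; the private key never reaches it.
type StoredCredential struct {
	PubKey   *ecdsa.PublicKey
	RPIDHash [32]byte
	Counter  uint32
}

// Authenticator stands in for the secure element, TPM or synced platform store holding the key.
type Authenticator struct {
	priv    *ecdsa.PrivateKey
	counter uint32
	synced  bool // models a backed-up (synced) passkey
}

func NewAuthenticator(synced bool) (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // software key: a stand-in for hardware
	return &Authenticator{priv: priv, synced: synced}, err
}

// Register returns what the RP stores: the public key and the rpId hash.
func (a *Authenticator) Register(rpID string) StoredCredential {
	return StoredCredential{PubKey: &a.priv.PublicKey, RPIDHash: sha256.Sum256([]byte(rpID))}
}

// Assert builds authenticatorData (rpIdHash || flags || counter) and produces an
// ES256 signature over authenticatorData || SHA-256(clientDataJSON).
func (a *Authenticator) Assert(rpID string, clientDataJSON []byte) (authData, sig []byte, err error) {
	h := sha256.Sum256([]byte(rpID))
	flags := byte(flagUP | flagUV)
	if a.synced {
		flags |= flagBE | flagBS // synced keys advertise backup status and commonly report counter 0
	} else {
		a.counter++ // hardware-bound keys bump a monotonic counter on every assertion
	}
	authData = append(h[:], flags, 0, 0, 0, 0)
	binary.BigEndian.PutUint32(authData[33:], a.counter)
	cdh := sha256.Sum256(clientDataJSON)
	digest := sha256.Sum256(append(append([]byte{}, authData...), cdh[:]...)) // ES256 = ECDSA over SHA-256
	sig, err = ecdsa.SignASN1(rand.Reader, a.priv, digest[:])
	return authData, sig, err
}

// IsBackedUp reports the BS flag: the only in-band hint an RP gets that the key lives in a sync fabric.
func IsBackedUp(authData []byte) bool { return len(authData) > 32 && authData[32]&flagBS != 0 }

// VerifyAssertion is the RP side of a passkey login; it advances cred.Counter on success.
func VerifyAssertion(cred *StoredCredential, rpID, challenge string, clientDataJSON, authData, sig []byte) error {
	var cd struct{ Type, Challenge, Origin string } // encoding/json matches keys case-insensitively
	if err := json.Unmarshal(clientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" || cd.Challenge != challenge || cd.Origin != "https://"+rpID {
		return errors.New("clientDataJSON does not match this ceremony")
	}
	if len(authData) < 37 || !bytes.Equal(authData[:32], cred.RPIDHash[:]) || authData[32]&flagUP == 0 {
		return errors.New("bad authenticatorData: length, rpIdHash or user-presence flag")
	}
	cdh := sha256.Sum256(clientDataJSON)
	digest := sha256.Sum256(append(append([]byte{}, authData...), cdh[:]...))
	if !ecdsa.VerifyASN1(cred.PubKey, digest[:], sig) {
		return errors.New("signature does not verify under the stored public key")
	}
	// Counter check catches a cloned hardware-bound key; both sides at zero means the
	// authenticator does not implement it, which is the usual case for synced keys.
	counter := binary.BigEndian.Uint32(authData[33:37])
	if (counter != 0 || cred.Counter != 0) && counter <= cred.Counter {
		return fmt.Errorf("counter %d did not advance past %d: possible cloned credential", counter, cred.Counter)
	}
	cred.Counter = counter
	return nil
}

func main() {
	auth, _ := NewAuthenticator(false)
	cred := auth.Register("example.com")
	cd := []byte(`{"type":"webauthn.get","challenge":"n0nce","origin":"https://example.com"}`)
	ad, sig, _ := auth.Assert("example.com", cd)
	fmt.Println("login:", VerifyAssertion(&cred, "example.com", "n0nce", cd, ad, sig))
	fmt.Println("replay:", VerifyAssertion(&cred, "example.com", "n0nce", cd, ad, sig))
}
```

The replay in `main` fails on the counter for the hardware-bound key, while the same replay against a synced key that reports zero would pass; that asymmetry is the practical consequence of the export-and-sync question in the thread, since once the counter is gone the RP has only the BE/BS bits (and attestation at registration time) to reason about where the private key actually is.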

hacks4pancakes, to random

I really do love travel, but I kind of just want one week when I do not have a half-packed suitcase and a pile of assorted dongles taking up my bedroom floor as a tripping hazard. Also I would like to fly business class one time so I can experience sleeping on a plane that doesn’t involve a red eye and sheer desperate exhaustion.

matdevdug,

@hacks4pancakes oh god I cannot imagine if I walked into someone’s house and saw “Marriott three streaks of primary colors against an off white canvas”.

matdevdug,

@hacks4pancakes The thing that used to bum me out when I was flying every week for work was the hotels. It’s like you are staying at the same building regardless of where in the country you are. It felt slightly maddening to see the same artwork even though I had flown from Chicago to Texas or whatever.

uncanny_kate (@uncanny_kate@dice.camp), to random

Do you have opinions on tech you used more than 10 years ago, that's still used by some people?

You should let these go. Odds are, development has continued and the pain points have changed. Writing in things like Perl, Python, JavaScript and PHP is radically different than even in the 2010s, let alone the 90s. Your experience is just not valid any more.

matdevdug,

@uncanny_kate worse than this are all the people who just repeat shit they heard elsewhere. “Perl is terrible”. Ok have you ever tried to use it? When? For how long?

For years I heard “PHP is a nightmare” and then I sat down to use it. I found a very serviceable language that worked as intended. Easy to connect to databases, easy to handle forms, fast to cache and easy to troubleshoot.

SwiftOnSecurity, to random

If I had a boat I would rent it to someone and then disappear and make them keep it

matdevdug,

@SwiftOnSecurity As a child tasked with helping his parents fix sailboats, the nicest thing you can do to someone with a boat is sink it for them so they can claim the insurance.

42GB, to random

Why would you gift dead flowers to anyone? Seems utterly strange in times of climate crisis.

matdevdug,

@42GB It's amazing how absolutely nothing in our lives is sustainable. Not the food we eat, the clothes we wear, the cars or bikes we ride or the flowers we buy loved ones. We have constructed lives and social norms that are just going to collapse.

dangillmor (@dangillmor@mastodon.social), to random

The Democrats are, as a party, so weak that they choose not to persuade Feinstein -- a non-working, soon-to-be 90-year-old senator who's already announced she won't run for reelection next year -- to retire now.

The cost to progressive causes is incalculable.

The Republicans are laughing.

It's all a reminder that Democrats always bring handshakes to knife fights.

matdevdug,

@dangillmor It’s the same as RBG. It’s an intense selfishness that says me having the title exceeds the damage not gracefully stepping down causes. She is not currently an effective member of the senate, full stop. Her absence is actively causing damage.

This generation of older politicians has completely forgotten that serving in Congress is a privilege and they should be mentally fit to do so.

jr, to random

...

matdevdug,

@jr new stadia! Thanks bard.

matdevdug, to gaming

Nothing says you are not young anymore like having to stop playing Zelda to stretch out a mysterious back pain.

To be clear, this was not a marathon session. We’re talking 30 minutes tops.

matdevdug, to random

Sometimes I think I’m not an optimist but then I remember how much time I’ve spent sorting and recycling plastic so clearly I’m some sort of delusional.

matdevdug, to random

in can be divided into three distinct groups.

  1. The tourist. On hotel bikes going impossibly slow. Nobody cares about them as long as they don’t block people from passing.
  2. The commuter. Most folks rely on bikes to get around so this is the majority. Heavy bikes with cargo racks, important not to work up a sweat before work.
  3. Pretending to be in the Tour de France. Full spandex, clippy shoes, angry that people won’t get out of their way.

Group 3 infuriates me. There are kilometers of empty bike paths where you can go as fast as you want, but no. I watched one of these guys get bent out of shape yesterday because there were toddlers on the path near a playground.

I secretly think they don’t pick the empty trails because that’s where real biking enthusiasts go. Instead they pick crowded paths because the joy is showing normal commuters how much faster they are.
