@matdevdug@c.im

matdevdug

@matdevdug@c.im

Security/Devops engineer. Moved from Chicago to Denmark. I’m an expert on nothing but I’m trying.


hacks4pancakes, to random

I really do love travel, but I kind of just want one week when I do not have a half-packed suitcase and a pile of assorted dongles taking up my bedroom floor as a tripping hazard. Also I would like to fly business class one time so I can experience sleeping on a plane that doesn’t involve a red eye and sheer desperate exhaustion.

matdevdug,

@hacks4pancakes The thing that used to bum me out when I was flying every week for work was the hotels. It’s like you are staying at the same building regardless of where in the country you are. It felt slightly maddening to see the same artwork even though I had flown from Chicago to Texas or whatever.

rmondello, to random
@rmondello@hachyderm.io

Passkeys will be importable and exportable, cross-device, and across passkey managers. They aren’t at this time, but they will be. It’s something that’s being defined and designed.

matdevdug,

@rmondello @siracusa Core to the early passkey design docs was the idea that the user can never ever export the private key. This is true across every public private key design system. If users are exporting private keys from specialized key storage hardware, the system has failed.

The only proposal I’ve seen is that a user would be able to enroll multiple tiered keys at the same time, which solves neither the vendor lock-in problem nor the usability design.

matdevdug,

@rmondello WebAuthn https://github.com/w3c/webauthn/issues/931

The chrome conversation and documentation about passkey sync with the end result here: https://developers.google.com/identity/passkeys/use-cases#sign-in-with-a-phone

The Yubico spec is the only multiple device proposal I’ve read and is what I’m referencing: https://github.com/Yubico/webauthn-recovery-extension/

Finally the formal analysis of the proposal here: https://eprint.iacr.org/2020/1004.pdf

If there’s another chat I’m more than happy to be wrong.

matdevdug,

@dwaite @rmondello I understand that the platform sync is a component of the implementation outside of the spec of WebAuthn and there is nothing preventing vendors from taking the sync component and adding the ability to add a target to the sync. I also understand the difference between a sync and Asynchronous Remote Key Generation.

My confusion is that central to the idea of WebAuthn is hardware-based storage of private keys. So a vendor is basically trusting itself with the sync component to allow for the exporting and mandating of exports of private keys from the hardware to a software sync. Everything we've seen (publicly) has been that the sync process is locked to whatever ecosystem you enroll in. Chrome doesn't sync through the browser to write to arbitrary hardware storage.

Even more complicated is that the standard allows for different levels of quality when it comes to that hardware storage device for keys. So while the sync itself presents an understandable (if high) risk for users, an export either suggests: I can write the private key to a text file and import it to A Password Manager which largely defeats the purpose.

Or vendors are going to extend the sync process to include some other arbitrary target depending on some unknown criteria. I can't find any additional conversation or plans in the spec debate or online in general that lays out how any of that will work, hence my concern.

I.e.: If Apple implements the option to export a private key to 1Password, that's great, but can I put it in Android? Is there a specification that says where I can and cannot put it? Will Apple let me export them in a file and import them into a lower-security device like a cheap Windows laptop?

matdevdug,

@dwaite @rmondello Again, I'm totally fine with missing something obvious and I'll gladly eat some crow on this, but this has been an unanswered question about how this will work since 2018, so if there was a decision made about how the keys get shared somewhere I would love to read it and be less wrong.

dangillmor, to random
@dangillmor@mastodon.social

The Democrats are, as a party, so weak that they choose not to persuade Feinstein -- a non-working, soon-to-be 90-year-old senator who's already announced she won't run for reelection next year -- to retire now.

The cost to progressive causes is incalculable.

The Republicans are laughing.

It's all a reminder that Democrats always bring handshakes to knife fights.

matdevdug,

@dangillmor It’s the same as RBG. It’s an intense selfishness that says me having the title exceeds the damage not gracefully stepping down causes. She is not currently an effective member of the senate, full stop. Her absence is actively causing damage.

This generation of older politicians has completely forgotten that serving in Congress is a privilege and they should be mentally fit to do so.

matdevdug, to random

There’s a lot of surreal things about being an but few rival the experience of being in an American themed restaurant. The waiter greeted us with a howdy and brought us a mountain of steak.

It’s nowhere near as strange as many have to deal with, but seeing a Big Boy statue covered in NASA stickers makes you feel A Way.

SwiftOnSecurity, to random

If I had a boat I would rent it to someone and then disappear and make them keep it

matdevdug,

@SwiftOnSecurity As a child tasked with helping his parents fix sailboats, the nicest thing you can do to someone with a boat is sink it for them so they can claim the insurance.

dansup, to random
@dansup@mastodon.social

https://fedidb.org is no longer including pawoo due to reports of CP.

I should clarify inclusion rules, add a "News" section for situations like this, and update the stats logic to recalculate stats without the removed instances.

I feel like a resource like this should include instances regardless of reputation except in situations where they break the law.

Wdyt? How should we handle this, and what other inclusion rules would you like to see?

Boosts greatly appreciated!

matdevdug,

@dansup Instances should default to not counting towards stats until they’ve demonstrated that they’re not full of spam/CP/junk. If the point of the stats is to demonstrate some sense of progress then any spam server, harassment server or illegal content server shouldn’t count.

matdevdug, to random

Sometimes I complain about living in , but watching the Netflix show How to Get Rich has made me realize how bleak it has gotten in the US.

One couple has the husband interviewing for a job where the recruiter informs him they're looking for a "minimum" of 40 hours a week. He responds that as long as it isn't 80 hours a week, "at least not right away", it's fine. He's got multiple children at home that I guess he's never gonna see again.

One woman is an Olympic gold medalist who cannot afford to get the hot water fixed in her condo. What a horrifying glimpse for the world in how bad life has gotten in the US that even the absolute best, top-tier performers, cannot afford basic luxuries like "hot water in your brand-new condo".

The expert spends a lot of time telling people that actually home ownership, which is impossible, isn't even something they should want. Instead they should focus on the things that make them feel good. It's just this intensely sad show about convincing people they aren't as screwed as they feel.

paul, to random
@paul@tapbots.social

Why is Bluesky suddenly “trending”? Did they open up a bunch of spots?

I'm still team Mastodon, but if Jack wants to send me 20+ Bitcoins I can take a look. 🤪

matdevdug,

@mekkaokereke Now that the default Mastodon app defaults you to the most popular server, mastodon.social, do you think that’s a positive step towards easier onboarding or a danger to the value of federation and decentralization?

thomasfuchs, to random
@thomasfuchs@hachyderm.io

Me: "It's bad and confusing to users that Mastodon doesn't show you all replies to a post (including from accounts or servers that you or your server didn't block)"

Mastodon stans

matdevdug,

@thomasfuchs It’s such a crazy omission. Like, Mastodon should not have told people they can host their own server when it works like this. If Mastodon only fully functions when everyone is on one server, we shouldn’t have wasted time talking about federation.

jerry, to random

Any views on bluesky vs mastodon/fediverse? Seems like lots of buzz about bluesky lately

matdevdug,

@jerry On a technical level I like that your identity on Bluesky is basically DNS, used to look up which PDS stores your data. The use of signed data repositories and the DID standard (https://www.w3.org/TR/did-core/) for account migration makes it much, much easier for users to gracefully migrate without much work on their side. Neither of these would be easy to add to ActivityPub as far as I can tell.

Building in search as a first-class citizen is smart, with the concept of "server" isolated from the higher-level function of "Crawling Indexer". However, a lot of the key exchange stuff places a lot of trust in the server/DNS stack.

Going through the docs (https://atproto.com/docs) I think it does some things really well compared to Mastodon and has some advantages to ActivityPub, especially around user identity and portability. It does seem geared towards very large servers given how often a smaller server would be needing to make calls to get public keys (which presumably large servers would cache).

I don't think people are going to be hosting a PDS on Raspberry Pis on their own domains. I think it's going to be primarily a small number of commercial servers. However, honestly, their docs are missing so much information that it's very hard to make an informed guess at this point.

uncanny_kate, to random
@uncanny_kate@dice.camp

Do you have opinions on tech you used more than 10 years ago, that's still used by some people?

You should let these go. Odds are, development has continued and the pain points have changed. Writing in things like Perl, Python, JavaScript, and PHP is radically different than even in the 2010s, let alone the 90s. Your experience is just not valid any more.

matdevdug,

@uncanny_kate Worse than this are all the people who just repeat shit they heard elsewhere. “Perl is terrible.” OK, have you ever tried to use it? When? For how long?

For years I heard “PHP is a nightmare” and then I sat down to use it. I found a very serviceable language that worked as intended. Easy to connect to databases, easy to handle forms, fast to cache and easy to troubleshoot.
