jawnsy

@jawnsy@mastodon.social

I'm here to learn. He/him. Interested in containers, computers, and human beings. Urbanist living in San Francisco.

mjg59, to random
@mjg59@nondeterministic.computer

Another day another reminder that auth tokens should be bound to the browser (and ideally to the hardware): https://sec.okta.com/harfiles

jawnsy,
@jawnsy@mastodon.social

@mjg59 I'm super excited about this work: https://github.com/WICG/dbsc and I guess there have been other, similar proposals, too. With device-bound passkeys, hopefully more frequent reauthentication should be more tolerable.

jawnsy,
@jawnsy@mastodon.social

@mjg59 This post says: "In general, Okta recommends sanitizing all credentials and cookies/session tokens within a HAR file before sharing it."

But it's not clear to me if there are easy ways to do that (example scripts?), or why Okta can't do that sanitization for uploaded files prior to storing them. This feels a bit like blaming victims here 😔
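A sanitizer of the kind the post asks about, added here as an example (it is not from the post, from Okta, or from any published tool): it redacts authorization and cookie headers, every cookie value, sensitive query and form parameters, the query string repeated inside the request URL, and bodies that appear to carry a credential. The header and parameter name sets are assumed defaults to extend per application, and SAMPLE_HAR is a constructed capture.

```python
import copy
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Names (compared case-insensitively) whose values are treated as secrets; extend per application.
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie", "set-cookie", "x-api-key"}
SENSITIVE_PARAMS = {"access_token", "id_token", "refresh_token", "code", "password", "client_secret"}
REDACTED = "REDACTED"

def _redact_pairs(pairs, names):
    """Redact the value of each HAR {"name", "value"} entry whose name is in `names`."""
    for pair in pairs or []:
        if pair.get("name", "").lower() in names:
            pair["value"] = REDACTED

def _redact_body(container):
    """Blank a request/response body whose text mentions a sensitive name (conservative check)."""
    if container and any(n in container.get("text", "").lower() for n in SENSITIVE_PARAMS):
        container["text"] = REDACTED

def sanitize_har(har):
    """Return a redacted deep copy of a parsed HAR document; the input is left untouched."""
    har = copy.deepcopy(har)
    for entry in har.get("log", {}).get("entries", []):
        req, resp = entry.get("request", {}), entry.get("response", {})
        # request.url repeats the query string, so redact it there as well as in queryString.
        parts = urlsplit(req.get("url", ""))
        query = [(k, REDACTED if k.lower() in SENSITIVE_PARAMS else v) for k, v in parse_qsl(parts.query)]
        req["url"] = urlunsplit(parts._replace(query=urlencode(query)))
        _redact_pairs(req.get("queryString"), SENSITIVE_PARAMS)
        _redact_pairs(req.get("headers"), SENSITIVE_HEADERS)
        _redact_pairs(resp.get("headers"), SENSITIVE_HEADERS)
        # Parsed cookies sit apart from the raw Cookie/Set-Cookie headers; drop every value.
        for cookie in req.get("cookies", []) + resp.get("cookies", []):
            cookie["value"] = REDACTED
        _redact_pairs((req.get("postData") or {}).get("params"), SENSITIVE_PARAMS)
        _redact_body(req.get("postData"))
        _redact_body(resp.get("content"))
    return har

# Constructed sample: a login request that set a session cookie and returned an access token.
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{"request": {
    "method": "POST", "url": "https://example.test/login?code=abc123&v=2",
    "headers": [{"name": "Authorization", "value": "Bearer eyJ.example.token"}],
    "cookies": [{"name": "sid", "value": "s3cr3t-session"}],
    "queryString": [{"name": "code", "value": "abc123"}, {"name": "v", "value": "2"}],
    "postData": {"params": [{"name": "password", "value": "hunter2"}], "text": "password=hunter2"},
}, "response": {
    "status": 200, "headers": [{"name": "Set-Cookie", "value": "sid=s3cr3t-session; HttpOnly"}],
    "cookies": [{"name": "sid", "value": "s3cr3t-session"}],
    "content": {"text": "{\"access_token\": \"eyJ.example.token\"}"}}}]}}
```

Run it over `json.load(open("capture.har"))` and write the returned dict back out with `json.dump`; diff the two files before sharing, since the body check is a heuristic and app-specific parameter names need adding to the sets.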

jawnsy,
@jawnsy@mastodon.social

@mjg59 Yeah that's true. Is there anything like that available today?

anderseknert, to golang
@anderseknert@hachyderm.io

I'll just say it — the forced "unused variable" compiler check is one of my least favorite features of . That shit is for linters to deal with.

jawnsy,
@jawnsy@mastodon.social

@anderseknert I also find it annoying when iterating on code, but I think it can be useful to catch real bugs, and whether something should be fatal or a warning or just info is often a matter of opinion. Nobody will ever agree on the classifications and what's there seems good enough 🤷‍♂️

stuartmarks, (edited) to random
@stuartmarks@mastodon.social

The https://time.gov/ website is operated by NIST and the US Naval Observatory’s Precise Time Department. They operate the master atomic clocks, coordinate with GPS time, operate master NTP servers among other things. Cool, fundamental stuff. 1/

jawnsy,
@jawnsy@mastodon.social

@stuartmarks You might also be interested in this talk: https://mastodon.social/@jawnsy/111241662902576125

Really fascinating and wonderful stuff! So much of what we do depends on accurate time, and yet, most of us don't think very much about where time comes from

jawnsy, to random
@jawnsy@mastodon.social

It's always a delightful surprise to come across posts from folks with familiar names when looking something up. I wanted to get a comparison of Kyverno vs Open Policy Agent Gatekeeper and came across this awesome comment by longtime Kubernetes security nerd, @raesene: https://www.reddit.com/r/kubernetes/comments/u5tcfd/comment/i56i5ta/

jawnsy,
@jawnsy@mastodon.social

@raesene Granted, the comment is a few years old, so I'm not sure how accurate it is today. I'd be curious to hear if/how your opinion might have evolved in the years to follow, Rory!

I'm also curious what the more OPA-oriented folks like @anderseknert would say. 😊

jawnsy, to random
@jawnsy@mastodon.social

Great talk about configuring sampling for OpenTelemetry traces: https://youtu.be/97RTSznmDH4 by @paigerduty

This is a rare situation where it's easy to achieve five nines or greater... 😅

stuartmarks, to random
@stuartmarks@mastodon.social

"Andreessen Shrugged"

jawnsy,
@jawnsy@mastodon.social

@stuartmarks OMG this is so perfect

azonenberg, to random
@azonenberg@ioc.exchange

Did some preliminary benchmark testing of my Ceph storage cluster on a NVMe backed pool... not bad, but I'd like to figure out how to improve especially on writes (which are nowhere near saturating the network).

Current setup has three cluster nodes each connected via a single 10G pipe to the core switch.

I tested both linear and random reads but got substantially the same performance for both since it's NVMe. I didn't bother to benchmark the HDD backed pools since my plan is to transition away from HDDs and go all NVMe in the near-ish future.

10GbE client:

  • 79 IOPS, 319 MB/s, 2.5 Gbps write
  • 274 IOPS, 1099 MB/s, 8.79 Gbps random read (network bound)
  • 266 IOPS, 1066 MB/s, 8.52 Gbps sequential read (network bound)

40GbE client:

  • 89 IOPS, 359 MB/s, 2.87 Gbps
  • 423 IOPS, 1694 MB/s, 13.55 Gbps random read
  • 425 IOPS, 1702 MB/s, 13.61 Gbps sequential read

jawnsy,
@jawnsy@mastodon.social

@azonenberg I'm very curious about what you're up to here - are you going to blog about it at some point?

eric_capuano, to random

Fun fact... Did you know there is a massive loophole in HIPAA laws that makes it so that your local/state government does not need to protect this data the same ways your health care providers/insurance companies do?

In fact, HIPAA compliance does not even apply to you unless you are a health care provider, insurance firm, or health care clearinghouse. [source](https://www.hhs.gov/hipaa/for-individuals/guidance-materials-for-consumers/index.html)

Lots of people think HIPAA applies everywhere the PHI is stored, and it's simply not true. Speaking from experience, many state/municipal orgs have your data and are failing to adequately protect it.

jawnsy,
@jawnsy@mastodon.social

@eric_capuano My goodness!

kwf, to random
@kwf@social.afront.org

Ok, well let's calm down there OhmConnect.

I don't think $100 is as much money as you're making it out to be here.

Rich is yesterday's $100 prize winner!

jawnsy,
@jawnsy@mastodon.social

@kwf What do you mean? They're Rich!!! 🥳

willmcgugan, to random
@willmcgugan@mastodon.social

Textual 0.38.0 has landed. 🎉😀🦾

This is a significant release, as it adds the new TextArea!

Check out the blog post for details:

https://textual.textualize.io/blog/2023/09/21/textual-0380-adds-a-syntax-aware-textarea/

jawnsy,
@jawnsy@mastodon.social

@willmcgugan Is TextArea also the name of your home office?

davidho, to random
@davidho@mastodon.world

It’s a shame that it costs $2 more to use Citi Bike in NYC than to take the bus or subway. 😒

jawnsy,
@jawnsy@mastodon.social

@davidho I suppose that governments could allocate more funding to encourage cyclists. Seems like a good way to make people healthier, and road work for bike paths ought to be cheaper than for cars

anderseknert, to random
@anderseknert@hachyderm.io

Oh God, all my workspaces have now been FUBARed by their new "design". It's shit, but oh well, at least it's now consistently shit, and I guess I should spend less time in that app anyway.

Now here's one thing they don't want you to know about, and Slack will hate you for this one weird trick. If you press Cmd + Shift + S, you can bring the workspaces sidebar back! It won't unfuck the rest of the design, but at least it'll fix one of the worst aspects of it.

jawnsy,
@jawnsy@mastodon.social

@parcifal @anderseknert Some communities use Linen to capture the conversations for posterity and make them searchable :)

Shoutout to @anna__geller for introducing me to it

jawnsy, to random
@jawnsy@mastodon.social

Looking through this list of libraries for working with JWTs, it seems that the highest-quality ones assume that keys are managed directly, instead of using a Vault, Cloud KMS, etc. to sign. This is true for Python and Go libraries at least. Why is that? https://jwt.io/libraries
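An added example (not from the post, nor from any library on the linked list) of the shape a JWT library needs in order to sign with a Vault or Cloud KMS: the signature is delegated to a callable that receives only the JWS signing input, so the private key never enters the process, and verification pins the expected algorithm rather than trusting the token's header. The HS256 stand-in signer and its secret are constructed for the demo; a real KMS signer would return an RS256/ES256 signature over the same bytes.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Callable

# A signer takes the JWS signing input (ASCII "header.payload") and returns raw signature bytes;
# a Vault transit or Cloud KMS sign call fits this shape without ever exposing the key material.
Signer = Callable[[bytes], bytes]

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_jwt(claims: dict, signer: Signer, alg: str, kid: str) -> str:
    """Build a compact JWS, delegating the signature to `signer`; the key never enters this process."""
    header = {"alg": alg, "typ": "JWT", "kid": kid}
    parts = [_b64url(json.dumps(obj, separators=(",", ":")).encode()) for obj in (header, claims)]
    signing_input = ".".join(parts).encode("ascii")
    return ".".join(parts + [_b64url(signer(signing_input))])

def verify_jwt(token: str, verifier: Callable[[bytes, bytes], bool], expected_alg: str) -> dict:
    """Check the pinned algorithm, the signature and expiry, then return the claims; raise otherwise."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != expected_alg:  # never let the token choose its own algorithm
        raise ValueError("unexpected alg")
    if not verifier(f"{header_b64}.{payload_b64}".encode("ascii"), _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("exp", 0) < time.time():
        raise ValueError("expired")
    return claims

# Stand-in for a remote signing service: HS256 with a secret this module never hands out.
# A KMS would return an RS256/ES256 signature over the same signing input (for ES256, convert
# the DER-encoded KMS output to the raw r||s form that JWS expects before base64url-encoding).
_DEMO_SECRET = b"constructed-demo-secret"  # hypothetical value, not from the post

def demo_kms_sign(signing_input: bytes) -> bytes:
    return hmac.new(_DEMO_SECRET, signing_input, hashlib.sha256).digest()

def demo_kms_verify(signing_input: bytes, signature: bytes) -> bool:
    return hmac.compare_digest(demo_kms_sign(signing_input), signature)
```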

jawnsy,
@jawnsy@mastodon.social

@anderseknert Ah, that makes a lot of sense to me!

One of the reasons that I wonder about it is because I'm curious about implementing OIDC federation for service-to-service credentials (similar to Google Workload Identity Federation and I think based on OAuth2 Token Exchange).

Could be interesting to sign a JWT that I could exchange for a Google Cloud service account token, given the right workload identity pool config, similar to GitHub Actions: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-google-cloud-platform

jawnsy,
@jawnsy@mastodon.social

@anderseknert Not sure if it's abusing the spec but Sigstore, PyPI, GitHub Actions, Google Cloud, AWS, Azure all support a mode where you can exchange a JWT from one issuer for a credential from another issuer. These allow "credentialless" service-to-service auth across clouds.

In GitHub Actions, "id-token: write" permissions allow you to exchange your GITHUB_TOKEN for a JWT, which you can share with Google to get a Google Cloud JWT

It's pretty nifty -- short-lived creds for everything!

jawnsy,
@jawnsy@mastodon.social

@anderseknert I think the GITHUB_TOKEN to JWT part is nonstandard: https://github.com/github/actions-oidc-debugger/blob/aa6f357e1e75bafb27d8d6528f2a02fe5c540a20/actionsoidc/actions-oidc.go#L85

But afterward, you're just working with a JWT.

I think it's similar in AWS, presumably you're using their Security Token Service to exchange an AWS Access Key ID and AWS Secret Key ID for a JWT? No idea, it's all relatively new & exciting stuff, IMO!

Google might be different, because Google Cloud uses JWTs natively, so you might get to skip that non-standard exchange step

kwf, to random
@kwf@social.afront.org

Thanks to Divergent Networks for hosting another in Great Britain.

They were kind enough to source all of the hardware locally so we didn't need to pay the expense of shipping the box to them internationally.

It's a nice trick. Want to cut in line for hosting a Micro Mirror? Just build the hardware yourself.

jawnsy,
@jawnsy@mastodon.social

@kwf where can I read more about what you're doing with micro mirrors?