theropologist

theropologist, 1 month ago to random

I was born crunchy and by God I will die crunchy

theropologist, 1 month ago to random

If anyone is wondering where the the financial report for the month of March went, Hetzner has apparently changed their billing cycle from the 1st of the month to the 15th of the month, which has thrown my nice little spreadsheet into utter chaos. I expect the next bill on the 15th, which should cover the period of March 1st - April 15th. Hopefully I will have pulled out of my spreadsheet doom spiral by then and will be able to post some coherent numbers.

the_etrain, 1 month ago to random

Once Hollywood has cycled through board games, they should make movies based on breakfast cereals.

theropologist, 1 month ago to random

After the eclipse, the wolf awakens in a field wearing a suit and tie. Accounts receivable forms flutter in the breeze. Not again, he thinks.

theropologist, 1 month ago to random

After having to figure out how to do some minor plumbing repairs around the house I have come to appreciate the humble gasket as the only thing separating civilized society from utter chaos

RickiTarr, 1 month ago to random

Please everyone, do not send your opinions about history to @theropologist HE DOES NOT HAVE TIME TODAY!

Please bank them, and send them on the weekend.

theropologist, 1 month ago to random

My taste in music is pretty eclectic, but it's not really a result of being particularly knowledgeable or having my finger on the pulse of anything. I'll just hear something and it gets stuck in my head and then that's all I can listen to for about four months. The problem is that kind of serendipity isn't very repeatable, and most of the new stuff I hear ends up sounding like sleepy English cats half-heartedly doing a rave, so my music discovery process has now devolved into stumbling through random alleys and falling into dumpsters full of sheet metal that looks like it might sound interesting.

theropologist, 1 month ago to random

This is what a feminist looks like

theropologist, 1 month ago to random

So is the fact that Hetzner hasn't sent me my invoice yet a hilarious April fool's joke?

theropologist, 1 month ago to random

Happy Liar's Day, the one day of the year when lies are fun, because the liars say so.

theropologist, 1 month ago to random

I was reading up on the xz backdoor and found a pretty good rundown on it here:

https://thenewstack.io/linux-xz-backdoor-damage-could-be-greater-than-feared/

A couple of thoughts on this. First, the scary thing about this on the surface was that the malicious code was intentionally introduced by a trusted contributer who had worked on the project for over two years. This was a supply chain attack, but also a bit of social engineering of the OSS community. Prior to this new contributer showing up out of the blue, xz had been languishing somewhat under a single maintainer who appeared to be less and less able to keep up with it. In short, he was looking for someone to pass it on to and Jia Tan seemed like the perfect candidate—apparently by design. So when we say he was a trusted contributer, we really only mean that he gained the trust of the original maintainer. You con the right person and show you are helpful and competent for a few years and you are handed the keys to the kingdom. And since the kingdom is a boring compression utility that most people don't think about, there's not as much scrutiny on it as you might think, or more accurately, hope.

But wait, you might say, isn't the whole point of open source that you have many eyes on the actual source code so that malicious code and vulnerabilities are discovered essentially through crowd sourcing? Yes! That is indeed a huge advantage of OSS. And if the actual code that was in the repo for everyone to see was actually being used by the package managers of major Linux distros, this would have never been a problem. Which brings me to point number two, which is far scarier to me. Apparently most distros prefer using manually built upstream tarballs over pulling git sources directly. Including boring old stable Debian, where the malicious code was first detected. To be clear this was in Debian sid, and the malicious code never made it to a stable release, but then again it was only found out because a software engineer at Microsoft decided to investigate why an ssh login was taking 500ms too long. Which is way too close for comfort in my book.

So why is this so shocking? Well, the malicious code never made it into the git repo where all of those crowdsourced eyeballs would have had a chance to catch it. Instead it was embedded in a build script in the upstream tarball that nobody was looking at. Instead of trusting the collective wisdom of the open source community, distros installing via this tarball were trusting only the person who signed the tarball. In this case Jia Tan, and that trust was extended only because the original maintainer trusted him and allowed him to create and sign the tarballs. So basically, because one person was conned, the entire infrastructure of the Internet was put at risk. To me, that's what we should really be worrying about.

Time and again, technology has promised to eliminate the need for personal trust. Mechanisms are created so that everything is in the open and can be verified, but those mechanisms only work as long as people understand them, and are paying attention, and the problem is that's a lot of work, so we fall back on ad-hoc systems of personal trust, which are a lot easier for our primate minds to understand. They feel more real than something as abstract as the collective wisdom of the open source community.

Or, to take another recent example, people want to get into crypto but they don't want to have to learn about blockchains and public and private keys so they trust conmen like SBF to do it for them because they saw a slick commercial with Larry David in it. Once again we use personal trust as a shortcut to gain access to the shiny new object that is only shiny and new because it's supposed to eliminate the need for that trust in the first place.

This is not to say that person-to-person trust is not valuable. As the admin of a small Mastodon instance I rely on building and maintaining that trust with my users. However, meditating that trust through technology doesn't make it easier or more secure, it just makes it harder in a different way. By the way I'm including systems of government and finance in the broad definition of "technology" here. If we develop systems to replace personal trust we need to understand that they are not a solution in and of themselves. The systems themselves must be maintained and understood, and we need to keep in mind that our brains are poorly suited to innately understanding the abstractions they produce. In short, technology doesn't obviate our need to think critically—it in fact makes it all the more critical for us to do so.

theropologist, 1 month ago to random

Going down in 3...2...1...

theropologist, 1 month ago to random

:bc: Attention Beige Party-goers! :bc:

I need to perform some OS upgrades on the Beige Party servers. This is a little more involved than upgrading the Mastodon software so I will be taking the site down to make server snapshots first, so the site will be unavailable for about half an hour while I'm making these snapshots.

The maintenance window will start at our regularly scheduled time of 3:00 AM UTC on Monday, April 1st, and will continue through 5:00 AM UTC. For those of you in the Western Hemisphere, that's 11:00 PM EDT on Sunday, March 31st - 1:00 AM EDT on Monday, April 1st. As stated above, you can expect the site to be down for about half an hour, but please be prepared for the site to go down at any time during the maintenance window.

And no, this isn't a joke!
(probably)

Thanks, and Beige-Bless :bb:

theropologist, 2 months ago to random

So much of getting old is like Hey you know that part of your body that you barely gave any thought to? Now it's the only thing you can think about.

angry_drunk, 2 months ago to random

Hahaha. No.
https://beige.party/@RickiTarr/112134348438349149

theropologist, 2 months ago to random

Remember in Blues Brothers when they end up at the Nazi rally and the point isn't even that Jake really hates Nazis, it's that Nazis are about the biggest losers that anyone could imagine. They are portrayed as completely pathetic dead-ender assholes.

Or in the Rocketeer when the mobsters find our the Sinclair guy is a Nazi and join forces with the FBI to stop them because Nazis are clearly the worst thing.

Or when Christopher Plummer rips the Nazi flag in two in Sound of Music.

None of these films were making bold political statements. The Nazis were the bad guys because that was something that everyone in the audience could agree one. Dunking on Nazis was a guaranteed crowd pleaser.

When the hell did we stop agreeing on something so simple and self-evident as Nazis Are Fucking Losers?