# I am the Watcher. I am your guide through this vast new twtiverse.
#
# Usage:
# https://watcher.sour.is/api/plain/users View list of users and latest twt date.
# https://watcher.sour.is/api/plain/twt View all twts.
# https://watcher.sour.is/api/plain/mentions?uri=:uri View all mentions for uri.
# https://watcher.sour.is/api/plain/conv/:hash View all twts for a conversation subject.
#
# Options:
# uri Filter to show a specific users twts.
# offset Start index for quey.
# limit Count of items to return (going back in time).
#
# twt range = 1 2032
# self = https://watcher.sour.is?uri=https://anthony.buc.ci/user/abucci/twtxt.txt&offset=1332
# next = https://watcher.sour.is?uri=https://anthony.buc.ci/user/abucci/twtxt.txt&offset=1432
# prev = https://watcher.sour.is?uri=https://anthony.buc.ci/user/abucci/twtxt.txt&offset=1232
@prologic @xuu Have a look at this page for inspiration. Among the nice things he discusses:
- Box: "Package box authenticates and encrypts small messages using public-key cryptography"
- Secretbox: "Package secretbox encrypts and authenticates small messages"
- Saltpack: "Need to encode, transmit, or store encrypted or signed data? saltpack is a streamlined, modern solution, designed with simplicity in mind. It is easy to implement & integrate"
- Magic wormhole: "This package provides a library and a command-line tool named wormhole, which makes it possible to get arbitrary-sized files and directories (or short pieces of text) from one computer to another".
The first two are Go libraries so may be of special interest. Saltpack was put forward by keybase, but it's also a format that can be implemented in any language. Magic wormhole is implemented in either python or rust; the protocol is described here.
Update: I just found a Go implementation of magic wormhole: wormhole: "Package wormhole provides a magic wormhole client implementation."
Update 2: Found another one! https://github.com/psanford/wormhole-william
@prologic @xuu Have a look at this page for inspiration. Among the nice things he discusses:
- Box: "Package box authenticates and encrypts small messages using public-key cryptography"
- Secretbox: "Package secretbox encrypts and authenticates small messages"
- Saltpack: "Need to encode, transmit, or store encrypted or signed data? saltpack is a streamlined, modern solution, designed with simplicity in mind. It is easy to implement & integrate"
- Magic wormhole: "This package provides a library and a command-line tool named wormhole, which makes it possible to get arbitrary-sized files and directories (or short pieces of text) from one computer to another". The library is implemented in either python or rust; the protocol is described here
The first two are Go libraries so may be of special interest. Saltpack was put forward by keybase, but it's also a format that can be implemented in any language.
@prologic @xuu Have a look at this page for inspiration. Among the nice things he discusses:
- Box: "Package box authenticates and encrypts small messages using public-key cryptography"
- Secretbox: "Package secretbox encrypts and authenticates small messages"
- Saltpack: "Need to encode, transmit, or store encrypted or signed data? saltpack is a streamlined, modern solution, designed with simplicity in mind. It is easy to implement & integrate"
- Magic wormhole: "This package provides a library and a command-line tool named wormhole, which makes it possible to get arbitrary-sized files and directories (or short pieces of text) from one computer to another".
The first two are Go libraries so may be of special interest. Saltpack was put forward by keybase, but it's also a format that can be implemented in any language. Magic wormhole is implemented in either python or rust; the protocol is described here.
Update: I just found a Go implementation of magic wormhole: wormhole: "Package wormhole provides a magic wormhole client implementation."
@movq This is pretty cool. It looks like it needs xdotool installed in addition to dmenu (I'm using X11). dmenu itself conflicts horribly with my KDE/plasma setup for some reason so I think I'd have to tinker to get this to a usable state.
@xuu I just played around with ripasso and it feels a bit too early days for me to use regularly. The Qt GUI doesn't work at all for me (doesn't show any available password entries). The GTK GUI doesn't have a window border. The TUI seems to work well enough. It looks like a great project and I'll definitely keep an eye on it!
@xuu I haven't gone through pass thoroughly to see what I think is problematic or isn't. This is just something I've noticed while using it. I still use pass anyway, I just think it's bad behavior that shouldn't be there, and it does prevent me from using it for more than I do. I'd be happy to thumbs up and/or chime in on a PR but I'm afraid I wouldn't be able to help with coding (mostly for lack of time).
ripasso looks interesting, thanks for that!
@eaplmx I haven't yet! It's on my ever-growing list of things to check out. I was hoping maybe you had some experience with it!
I suppose I should add Vector to my list too.
Thinking of writing a TamperMonkey script or browser plugin that removes any lines of text with "GPT" in them from web pages until this hype bubbles bursts.
@eaplmx Have you ever checked out Vaultwarden by any chance?
I see what you mean about TVs etc. Hmm, I wonder if there's a way to self host your own "log in on another device" service so that you could add this capability to anything you wanted? 🤔
@prologic I'm happy to help fill out any of these lists and the threat model matrix if you want. Nice thing about it is you can create a spreadsheet and invite whoever you want to fill it out and stop when you feel it's been filled in enough. People can work on it asynchronously when they have the time.
@eaplmx Strongly agree! We have to jump through a lot of hoops to have a modicum of safety with passwords, and there are so many better ways.
@eaplmx I use kdeconnect, and link the clipboard of my desktop computer with my phone. I copy the password to the clipboard in my computer, it is sent to the phone via kdeconnect, and I paste it where it needs to go. kdeconnect secures the connection between the computer and phone and the clipboards on both sides are automatically cleared after 30 seconds. The password is never displayed on either screen and it does not end up in the scroll or shell history on either side. It's easy, it works great, and it minimizes the most obvious user errors and leaks that you're able to protect against with this kind of setup.
@movq that'd definitely be an improvement! You'd also want to make sure the password does not end up in shell history, terminal scroll history, etc etc etc, which would probably take a bit more care.
Personally, I'd also want a kind of "This is dangerous; are you really sure you want to do this?" warning that can't be disabled to show up, just to make sure users are understanding that what they are doing is not good. And perhaps some pointers about safer alternatives to use (for instance, copying password to the clipboard, which is automatically cleared after a short time period, and then having the downstream app/script grab the password from the clipboard. Or sending the password through a local pipe or socket that's been carefully secured).
This stuff is *already* leaky because when you use something like pass the cleartext password ends up in the RAM and CPU buffers for an unpredictable period of time, and can be sniffed out of there if you know what you're doing (that's why things like Yubikeys exist because they *don't* do that). Why make it *even more* leaky and invite user error on top of that when you don't have to?
@movq that'd definitely be an improvement! You'd also want to make sure the password does not end up in shell history, terminal scroll history, etc etc etc, which would probably take a bit more care.
Personally, I'd also want a kind of "This is dangerous; are you really sure you want to do this?" warning that can't be disabled to show up, just to make sure users are understanding that what they are doing is not good. And perhaps some pointers about safer alternatives to use (for instance, copying password to the clipboard, which is automatically cleared after a short time period, and then having the downstream app/script grab the password from the clipboard. Or sending the password through a local pipe or socket that's been carefully secured).
This stuff is *already* leaky because when you use something like pass the cleartext password ends up in the RAM and CPU caches for an unpredictable period of time, and can be sniffed out of there if you know what you're doing (that's why things like Yubikeys exist because they *don't* do that). Why make it *even more* leaky and invite user error on top of that when you don't have to?
@prologic @movq I'm pretty certain that best practice is "never show passwords in cleartext", very much like "never store passwords in cleartext". So, no, it's not really up for debate: it's bad behavior that shouldn't be there. I get that people might have taken advantage of it for various purposes, but that doesn't change that it's bad behavior, and the concern is easily addressed by this.
@prologic
1. Crowdsource it. Everyone who uses salty or might use salty who'd be willing to help can participate
2. Reduce the lists. For example, It's almost surely unrealistic to expect salty to be secure against state actors. But also that's a design choice. It seems to me that, realistically, you're unlikely to do what would be necessary to make salty secure against state actors, so why even try?
3. Not all pieces of affected data can be affected by all the actors. Also, some of the combinations tend to be trivial. Finally, you can sometimes group threat actors together ("we don't want anyone except the recipient of a message to be able to read the message" instead of 7 distinct lines, one for each threat actor) and possibly group affected data together sometimes too. It's not usually an all vs. all matrix
4. Focus on the high priority items first when constructing the matrix. Again that's partly a design choice
5. If you're clever, you can semi-automate the process of converting the matrix into code! (that's why I mentioned the casbin library--you can usually convert a threat model like this into casbin authorization policy files.
But, yeah, a thorough threat model will probably have *a lot* of rows--that's kind of what it means to be *serious* about security instead of bolting it on. The matrix size is a feature. You only have to do it once, and then revise it through time, and you can probably reuse some of that work on other projects that have a security aspect.
@prologic
1. Crowdsource it. Everyone who uses salty or might use salty who'd be willing to help can participate
2. Reduce the lists. For example, It's almost surely unrealistic to expect salty to be secure against state actors. But also that's a design choice. It seems to me that, realistically, you're unlikely to do what would be necessary to make salty secure against state actors, so why even try?
3. Not all pieces of affected data can be affected by all the actors. Also, some of the combinations tend to be trivial. Finally, you can sometimes group threat actors together ("we don't want anyone except the recipient of a message to be able to read the message" instead of 7 distinct lines, one for each threat actor) possibly group affected data together sometimes. It's not usually an all vs. all matrix
4. Focus on the high priority items first when constructing the matrix. Again that's partly a design choice.
5. If you're clever, you can semi-automate the process of converting the matrix into code! (that's why I mentioned the casbin library--you can usually convert a threat model like this into casbin authorization policy files.
But, yeah, a thorough threat model will probably have *a lot* of rows--that's kind of what it means to be *serious* about security instead of bolting it on. The matrix size is a feature. You only have to do it once, and then revise it through time, and you can probably reuse some of that work on other projects that have a security aspect.
Billionaires at Davos don't think COVID is a cold
What the billionaires do for themselves is what should be done for everyone. The fact that COVID protections are so absurdly lax, and so many people have gotten sick and died from it without the benefits of protections like these, tells you a lot about what the powers that be think about the rest of us.
A real "let them eat cake" moment in our history.
@prologic I will never not find that bizarre. It's like morning in the summer for you and a winter night for me, at the same time?!? 🤯
@prologic that's a good idea I'll look into that tomorrow (it's Friday night here 🤪)
@prologic You're almost inevitably going to type that by accident at least once, and a good proportion of newbies are going to type that, and old people with bad memories like myself are going to forget the -c half the time and type that, and some shell autocompletes are going to autocomplete to that, etc etc etc. It's why I think pass is lacking as a cli. KeePassXC makes it *difficult* to show the password in cleartext. You have to go out of your way to do it, and it's unlikely you'd go through those steps by accident or out of ignorance.
@prologic lol "today" is Friday where I am and Friday 12 pm UTC is in the past!
@prologic @bender yeah, I agree with @prologic you are diminishing security significantly by not doing OTP on some other device.
ignore that "cannot connect to socket" error; that's some misconfiguration in GnuPG that I haven't figured out how to fix yet.
@prologic @movq this is the default behavior of pass on my machine:
I add a new password entry named example and then type pass example. The password I chose, "test", is displayed in cleartext. This is very bad default behavior. I don't know about the other clis you both mentioned but I'll check them out.
The browser plugin browserpass does the same kind of thing, though I have already removed it and I'm not going to reinstall it to make a movie. Next to each credential there's an icon to copy the username to the clipboard, an icon to copy the password to the clipboard, and then an icon to view details, which shows you everything, including the password, in cleartext. The screencap in the Chrome store is out of date; it doesn't show the offending link to show all details, which I know is there because I literally installed it today and played with it.
@mckinley ugh that's annoying. I've never used it so I was wondering.
@eaplmx Given humanity's track record believing that "the upper limit is so high there's no way we'll still be using this software when it's hit", we perhaps have some reason to hope for our species?
@eaplmx oof that's a long rant, but I think there is way too much money in the hands of way too few people, and the hands it's in tend not to be connected to the best minds.... (there's even research about that lol)
@mckinley I use both KeePassXC and pass/pass-tomb. I find KeePassXC far superior. One major gripe I have with pass is that it is way, way, way too easy to end up with your passwords displayed on the screen in cleartext. That's the default behavior of the pass CLI--you need to use the -c switch if you only want the password copied to the clipboard. I've been playing with the browser extension for pass and have flashed half a dozen passwords up on the monitor for the world to see, totally unexpectedly and accidentally. Even now that I know the way it can happen, I *still* end up doing it, because it's just too easy. I don't like that, and will be deleting the extension. I've never had that problem with KeePassXC.
I find it to be surprisingly bad behavior, personally. It's soured me on pass, even though I generally like it as a command-line tool.
What's weird is that we already had a mini hype/bust cycle in AI a few years ago (circa 2016). Remember all the startups that had URLs ending in .ai? They're running out of ideas for things to hype it seems.
So I guess after the implosion of crypto and web3 all the dumb money is now being thrown into AI (again). Hence the hype around ChatGPT, Stable Diffusion and related stuff.
@lyse @mckinley The new look is similar to what the "Modern Wikipedia" plugin does. And, this is fun, it seems to break that plugin so that's nice. The ?useskin=vector trick is great, thanks for that.
@movq "melody" is not the first word that comes to mind when I listen to that 😆
We had a bit of downtime for awhile. I think there was an issue on the provider side that made it look to me at first like a DDoS was ongoing. I'll have to investigate.
I know it seems tedious, but you really need to go through this exercise carefully and thoroughly if you care about security. You can't just encrypt some stuff and hope for the best--that's hacky, and will not really help with security. There could be gaping security holes you overlooked because you didn't think it through even with encryption.
The good news is that once you're done, it's a great resource to always go back to. The priority columns help you priority where to put development effort and what to do. It also helps you write documentation where you can tell users, with some confidence, what they can expect to stay safe and what they cannot expect to stay safe when they use salty.
I know it seems tedious, but you really need to go through this exercise carefully and thoroughly if you care about security. You can't just encrypt some stuff and hope for the best--that's hacky, and will not really help with security. There could be gaping security holes you overlooked because you didn't think it through.
The good news is that once you're done, it's a great resource to always go back to. The priority columns help you priority where to put development effort and what to do. It also helps you write documentation where you can tell users, with some confidence, what they can expect to stay safe and what they cannot expect to stay safe when they use salty.
I know it seems tedious, but you really need to go through this exercise carefully and thoroughly if you care about security. You can't just encrypt some stuff and hope for the best--that's hacky, and will not really help with security. There could be gaping security holes you overlooked because you didn't think it through even with encryption.
The good news is that once you're done, it's a great resource to always go back to. The priority column help you prioritize where to put development effort and what to do. It also helps you write documentation where you can tell users, with some confidence, what they can expect to stay safe and what they cannot expect to stay safe when they use salty.
@prologic I can't write the whole thing; besides not being informed enough, I definitely don't have the time. But here's a start:
The notion is that you produce a list of threat actors (who you're worried about misbehaving), affected data (what data these actors might have some affect on), and vulnerabilities (what could the threat actor do to the data that you don't want them to do. Vulnerability can be driven by the "CIA" triad: confidentiality, integrity, and availability. With any data, you potentially want it to remain confidential (the C); you want the integrity to remain intact (the I; you don't want it spoofed, or modified, or deleted by someone else without authorization); and you want that data to be available to whoever should have it when they should have it (the A). You need to put some thought into this and fill out these lists as fully as you can. Probably everyone who uses salty should help.
Then, a threat model is a table like the one I put below. The one line I entered should be read "it is possible that one salty user can learn the IP address of another salty user". You may or may not care about that, so there is a priority column. Again, this table could be crowdsourced among salty users.
# Threat Actors
- other salty.im users
- salty.im server operators
- VPS operators
- network operators
- casual eavesdroppers
- law enforcement
- state actors
# Afftected Data
- login id
- login (IP) address
- login session times and durations
- chat session times, durations, participants
- contents of chats
# Vulnerability
- learn the data
- spoof the data
- delete the data
- prevent owner from reading the data
- prevent recipient from reading the data
- prevent owner from modifying/deleting the data
- prevent recipient from modifying/deleting the data
# Threat Model
| Threat actor | Affected data | Vulnerability | Priority (1-3; 3 high) |
|--------------|---------------|-----------------|------------------------|
| other user | login (IP) | learn the value | 1 |
(that's my 2 cents, if it helps at all)
@prologic the proposal does not include a threat model nor a discussion of how the proposed encryption protects against threats. What exactly is the purpose of encrypting the contents other than the fact that other software encrypts stuff? Why is a new blob request signed?
There is a statement
> This implies that it is not possile for other clients and users to access another’s blob store as all requests are signed by the client’s private key, verified and used to construct the path(s) on disk.
Does it? Has that property been verified?
@prologic It's always a trade off of some kind, but I think a lot of people overlook the risk of cascading disk failures in RAID setups. I had this happen to me and lost data because of it, so I'm risk averse I guess and I'd rather trade space for resilience most of the time.
@prologic I'm personally not a fan of RAID-anything, having been burned by it once. I don't know if you had a chance to read the article I linked arguing in favor of mirroring over RAID, but I found that guy's reasoning compelling. It drastically reduces resilvering time and does not introduce load onto any other vdev except the one(s) in the mirror during resilvering. That's a big deal because a particularly bad failure mode of RAID is that you lose a disk, and then the parity computations necessary to replace that disk introduce extra load on all the other disks in the array, which can hasten the failure of one of *those*, and you end up with a cascade of disk failures that result in data loss. This happened to me once years ago and it sucks. That's why I went with mirroring for my own cluster. But I'm still a bit torn.
In "Anthony is a consumer" news, four 2 Tbyte SSDs that I got for cheap on ebay arrived yesterday. Now I need to figure out how best to arrange them into a storage cluster. I prefer ZFS mirrored arrangements but I covet the space that you'd lose and I don't worry as much about reliability for this particular one. So maybe I'll go with ZFS RAIDZ.
@prologic wow they even have the weird name + bunch of numbers username pattern spammers use on twitter
@prologic I haven't been on there long enough and haven't accumulated enough cred to actually post anything so I've just been reading.
@prologic it's a social media site. A tiny bit like reddit but with actual human moderation so it doesn't seem like it has the kind of horrible stuff sites like reddit have. Old school looking too: https://www.metafilter.com/
@eaplmx I've played with that. My big worry with that one is that I've seen people refer to Steve Gibson as a crackpot, and I have no way to confirm or deny a claim like that. FUD works unfortunately 😦
@bender definitely! Welcome to the pod!
Oof, and also, when you delete a user, you're shown a "Success" page. To get back to the delete user box you have to click Settings, then click Poderator Settings, then click Manage Users, then scroll down. That's a lot of clicking.
should be able to delete multiple users at once, too.
Basically, I want to clean up the 6 users who registered on my pod a week or two ago but then never posted. I assume they're not valid users and potential spammers. One option I thought of: look for each one, report them, and then use the reports as a way to manage the deletion process. That's a no go.
So, I manually created a list of users off-site. But now I have to delete them one-by-one in poderator settings, since that appears to be the only option.
All this works, of course, but it makes deleting a bunch of users extremely tedious, which will definitely be a problem if there's ever an influx of bad actors that needs to be cleaned up.
Oof, the post reporting mechanism in yarn needs work.
@darch for what it's worth, I don't see that horizontal scrolling behavior on Android 11 in either a Chrome-based mobile browser or in a Firefox-based one. I'm using my own pod, which I just switched to the profile2 branch.
@eaplmx It's nice, but in the demo you still have to type a password! Since the password never leaves the computer, it could be removed from the flow entirely using the built-in password manager of the browser or, ideally to me, hidden from view entirely. Having a master password to open a "vault" of these OPAQUE passwords and then freely logging into web sites without ever dealing with password entry in login forms would be close to ideal for me. It's basically what I already do with my password manager, except significantly less awkward and also less vulnerable.
@eaplmx It's nice, but you still have to type a password! Since the password never leaves the computer, it could be removed from the flow entirely using the built-in password manager of the browser or, ideally to me, hidden from view entirely. Having a master password to open a "vault" of these OPAQUE passwords and then freely logging into web sites without ever dealing with password entry in login forms would be close to ideal for me. It's basically what I already do with my password manager, except significantly less awkward and also less vulnerable.
hmm, this is from 2011:
PAKE On The Web
A paper about using PAKE instead of passwords for *mutual* authentication on the web. Included an implementation!
"Don't cling to a mistake just because you've spent a lot of time making it."
direct browser and web site support of PAKE is what I meant.
@eaplmx One thing I worry about: in the US, law enforcement can take your devices and look through them if you ate suspected of a crime, but they are usually not authorized to force you to reveal information you know, which includes passwords (I think there are more and more exceptions to this now, which is a worrying trend).
That means using a memorized password you don't store on a device is safer against intrusion by law enforcement, who are largely free to take private keys but cannot force you to reveal passwords. Many people don't need to worry so much about that kind of threat, but some do.
@eaplmx I like your write up, thanks for sharing!
I think direct browser support of PAKE would be closest to ideal for me, but I can see that might not work for other people. I wonder if it's possible to make the authentication mechanism flexible enough to support different preferences while still being secure enough 🤔
@eaplmx probably something like that. It'd be so much easier *and* more secure though!
So far I've been pretty happy with Metafilter. It's definitely slower than social media sites, but I like that.
Since web browsers all have secrets management anyway, it should be a straightforward addition.
@eaplmx Many times per day. I adjust the thermostat inside based on it and decide what to wear outside and how to dress the baby.
Fifth time in the lurch for childcare. Absolutely amazing.
@prologic Yes, that one! Works quite well in my experience. Yes, it's backed by a markdown file, and you can (and I have) hand edit it if you want to.
I don't think there's a great way to use that with a team, so it's effectively single-user (but then obsidian largely is anyway). And, it can misbehave with some themes, if you're into installing a lot of themes (which I am lol). Those are pretty minor/expected issues though.
@prologic There's a way of thinking about this that *might* make some kind of sense. Like, if the management people who signed the documents went to prison when their companies had giant data breaches or whatever, then *maybe* the magical thinking "compliance process -> technical process -> actual security" *might* have some justification? But as it stands, there are data breaches left and right and as far as I can see none of the people who signed off on the security policies/compliance documents/what have you have not faced accountability like that. In fact, quite the opposite; many can claim they are exactly following the processes laid out in the SOC 2 process, *even though* their processes led to giant data breaches! It can function to indemnify the worst actors in the whole situation.
@prologic me too! I self-host kanboard, which I think is pretty nice, and I also use the kanban plugin for obsidian, which works pretty well for smallish single-person projects.
Something I appreciate about kanban boards, as opposed to something like a Gantt chart 🤮 or other calendar-based planning tools, is that you can revisit an old one from a project in virtually any state of completion, and pretty easily map it to the present if you want. You have your columns of cards and you might need to reset some "in progress" ones back to the backlog (or wherever you're storing your "not started yet" cards). You might need to change around some of the tasks, remove or add new ones, because of new information. All normal stuff you'd have to do when re-planning any project.
With a Gantt chart, you have to do all these things *plus* a bunch more crap trying to fit the work streams into the current calendar with the current "resources" you have etc etc etc. The level of granularity tends to be different, too, which makes all this harder. Adapting the plan to the present is a project all its own.
I'm saying this because I'm staring at two old project plans, one with a kanban board and one with a Gantt chart (not my choice; client necessity). The kanban board was trivial to map to the present. The Gantt chart? Frickin nigh impossible. I'm just going to re-plan the project from scratch I think.
What I'd really like is some semi-automated way to convert a kanban board into a Gantt chart so that I can plan and track projects internally with kanban boards but generate and share Gantt charts when those are needed. There's a pretty big impedance mismatch between the two styles so I don't expect it'd be easy to do such a conversion. The tools I know of that purport to do this (including Kanboard, which I use a lot) require you to put dates on your cards, which I'm trying to avoid. I'm not all that informed about the possibilities in this space, though.
@xuu yeah, I know less about ISO27k (in part because you have to pay for access to the complete standards documents!!!), but I figured it was similar.
@prologic Have you ever been involved in "security" processes like SOC 2? I was at a company once that got a SOC 2 report, and I was involved in that process for a bit so I read up on it. Most of these cloud services brag somewhere or other that they have SOC 2 certification or some related thing. Anyway, what blew me away about the entire thing was that *it wasn't about security at all*. It was about *processes approved by management*.
In other words, it didn't matter exactly which password policies your company had (for example), as long as you wrote that policy down and had someone in management sign it. Really. A "security audit" was then almost entirely about checking whether all the documents have been signed, who signed which documents, and whether those people are still with the company and still have the authority to sign such documents.
It's as if they all believe that as long as management signs documents, technical problems magically disappear. Your literal physical computers could implement no password policies at all, but as long as you managed to convince people to sign documents that said they did, then you'd get whatever SOC certification you wanted and pass whatever audit people wanted. None of these "security" people actually sat down at a computer and said "OK, now show me this password policy working in the following cases: ...." which is what you or I or any technical person who cared about security would probably do right?
@prologic I've noticed that when you reply to the Slashdot feed, the yarn is broken:
There's no "yarn" link or any obvious way for me to see what you're replying to.
@prologic At my startup, I got into a dispute that ended up with someone *creating a PowerPoint deck to argue their point* because I wanted to build out a small rack of computers to do our compute, and they wanted to do all that in the cloud. When we unraveled all our various points, the only advantage that shook out for the cloud was physical security. Even that is probably arguable (we obviously don't have visibility into the physical security practices of the exact data centers where our cloud stuff runs; we simply trust providers, who more and more don't seem to be worth trusting).
Basically on every point, a locally-hosted rack was cheaper than the cloud, by my reckoning (for our use case, and at that time circa 2016). Higher up-front cost purchasing the equipment, obviously, but after that? And where the cloud really kills you is data *egress*. If you try to get data *out* of their storage at any scale, you rapidly rack up enormous costs.
I argued the point so vehemently because I had just finished advising a different startup that was paying around $1,000 on cloud services to do....not very much. They petered out for lack of funding, but they could have lasted so much longer if they hadn't had that cloud gorilla on their back the whole time.
I don't think cost considerations are what's driving these decisions though, personally. Economics alone doesn't explain how so many people default to choosing the cloud time and again.
@prologic that would depend on which artist you're talking about I think; I have no idea. There are 1,164 tracks in there from who knows how many artists.
@movq @bender clearly you need a replicator!
Ugh, I am long overdue for a re-watch of Voyager. Might have to start into that soon.
@bender I was wearing this t-shirt yesterday:
The "Similar Projects" section on this page lists more interesting-looking search engines.
The "Similar Projects" section on this page lists more interestin-looking search engines.
Marginalia Search
> This is an independent DIY search engine that focuses on non-commercial content, and attempts to show you sites you perhaps weren't aware of in favor of the sort of sites you probably already knew existed.
> ...
> The search engine calculates a score that aggressively favors text-heavy websites, and punishes those that have too many modern web design features.
@prologic Sweet. I have the new filters (including mediaonly) and webfinger working now. Thanks!
@bender ugh autocorrect is the worst. I'm over here using git as wel speak for what it's worth 😆