Bluesky registrations are now open!
I have been posting primarily there for months now. It has an early Twitter vibe, a hacking friendly protocol, and cool custom feed algorithms.
Join me there! → @/filippo.abyssdomain.expert 🦋
Data is not the new gold, data is the new uranium.
Sometimes you can make money from it, but it can be radioactive, it's dangerous to store, has military uses, you generally don't want to concentrate it too much, and it's regulated.
Why keep uranium you don't need?
I have some personal news 👀
Today is my last day at Google! 🛫🏝🌅
I am leaving to take a long break from full-time employment and explore different ways Open Source maintainers can get paid.
I want to make a thing, starting with Go cryptography!
This is the maintainer who fixed the vulnerability that's causing millions(++?) of dollars of damage.
"I work on Log4j in my spare time"
"always dreamed of working on open source full time"
"3 sponsors are funding @rgoers's work: Michael, Glenn, Matt"
People, what are we doing.
I just saw a professional electrician follow a YouTube video, and I was confused for a second.
Then I remembered I have 15 StackOverflow tabs open, and it all made sense.
No one is paying the log4j2 maintainers!?
There is a whole page on the responsibilities of a @TheASF "Project Management Committee"... AND NO ONE IS PAYING THEM?
Open Source needs to grow the hell up. Yesterday.
Log4j maintainers have been working sleeplessly on mitigation measures; fixes, docs, CVE, replies to inquiries, etc. Yet nothing is stopping people from bashing us, for work we aren't paid for, for a feature we all dislike yet needed to keep due to backward compatibility concerns.
I'm being downvoted on HN for mentioning that a black person saying "all white people are bad" is not the same thing as a white person saying "all black people are bad", in case you were wondering how tech is doing on understanding systemic racism.
Earlier today, I kept getting "406 Not Acceptable" errors adding an embedded tweet to my blog post.
Spent 15 minutes trying to figure out what was wrong. No hits on Google.
Look at my Twitter name and tell me if you can figure it out 😅
Hiring engineering talent is hard.
And yet, there is a large pool of engineering talent up for grabs by any company that can muster the courage to say:
- remote policy is yes
- SF/NY mid-market rate worldwide after taxes/benefits
- unlimited immigration budget
- four day weeks
We all agree the status quo is unsustainable.
Here are 1,000 words on how we could get the role of Open Source maintainer to graduate to a real, properly paid profession.
The thing is, companies need it as much as maintainers do.
These checklists from Apple are gold.
If you want to see if anyone else has access to your device or accounts:
If you want to stop sharing:
If you want to make sure no one else can see your location:
Sad to see all these cheap negative quips about Github & Microsoft. MS has been doing some awesome work in Open Source recently (just look at VS Code), and hired some excellent people. I see no reason to be worried.
The market rate of a developer who can maintain a large open source project is at least $300k/yr. (Conservatively, check .)
The most I've seen someone rack up on GitHub Sponsors and Patreon is like $1,000/month.
You see the problem?
Software engineers will build the tools to burn the world down as long as they’re in the correct programming language and ace the benchmarks.
Maybe the most powerful people of our time reduced to puppets by basically “who’s a smart engineer? you’re a smart engineer, yes you are”
StackOverflow question: “the police are making people on the street install spyware, how do I protect myself?”
Top HN comment: “discussing authoritarianism is pointless, more importantly, why doesn’t the spyware use HTTPS?”
I hate this soulless industry.
Kathryn, @eiais, did not bypass code review.
She didn't disrupt anyone's work.
She didn't target an individual.
She didn't violate any policy I'm aware of.
She linked to an NLRB notice from an extension that exists to show links to policies.
This only makes sense as retaliation.
Wow. Linus admits his behavior was hurting people and Linux, recognizes being an asshole does not scale, apologizes, and takes time off to work on himself.
Hopefully others who looked up to his behavior can take the occasion for similar introspection.
I didn't really care about the macOS OCSP thing (I'm fine with Apple knowing what signed apps I run, and revocation is hard) until I realized those checks are over plaintext.
Broadcasting what apps you launch to the network in plaintext should not have passed privacy review.
Every time I touch Python packaging I encounter beautiful colorful output that tells me that something changed and nothing works anymore.
It's the only time I just try random upvoted commands from GitHub issues until it works.
How does anyone get any work done like this?
I don't really care who this man-child is, but notice something...
He worked at Stripe for years.
This shit is everywhere in the industry. The next time you hear a story of discrimination that you find hard to believe, just remember this loser.
The TSA first made flying a miserable experience, then made you pay a bribe to skip most of it with Pre. Now they mismanaged the bribed line too, and you can pay a bigger bribe to Clear to skip most of that. 💯🇺🇸🦅💵
As a bonus, a private company has your biometrics now. 👁
I am—or at least was in this picture—America's newest pilot! ✨🛩👨✈️
I passed my checkride today on this Piper. This was both a dream and a challenge like I haven't tackled in years.
48 hours, 35 days start to finish including weather days. It's been a ride 🍾
For when you want to figure out how to apply some macOS preference from the command line, without Googling for hours for out-of-date defaults commands:
$ defaults read | pbcopy
# make changes in System Preferences.app
$ diff -u -F '^ "' <(pbpaste) <(defaults read)
I'm a big fan of brew cask for its library of zap instructions, which remove all traces of an application, however it was installed.
The Zoom one has just been updated to remove the persistent server.
brew update
brew cask zap -f zoomus
Folks, it works!!
I am officially a full-time independent open-source maintainer! 🧑💻💼
That means I spend most of my time on open-source maintenance, and I offer retainers to companies that benefit from my work and from access to me.
Full details 👉 ✨
(BTW, I also know that guide dogs and emotional support dogs are critical to inclusivity, so that's not what I'm talking about. It's normal to have to accommodate conflicting needs sometimes. I'm talking about bringing your pet to work for fun.)
The BUS DRIVERS are refusing to work for the police state, while software engineers, with the most leveraged profession of our time, still can't get their employers to stop working for ICE.
Cowards. Disorganized and cowards. All of us. I'm ashamed.
JWT is so bad that I find myself wondering what I was doing when it was being created and if I could have done something to stop it.
Also, note that this HN thread is full of developers just now learning that JWTs only do signing. Except they can also do encryption. 🤷♂️
There's some inane gatekeeping pushback on this absolutely mild take, so let me say it loud and clear:
I'm a Senior Software Engineer at Google who works on cryptography and open source, and I find email-based patch submission a meaningful barrier.
I'm already tired of QR discourse.
Users click on links and scan QRs. It's what they are for.
Mentally model the security boundary where it is, not where you want it.
Here's one thing I think we'll find unacceptable in 50 years.
The degree to which minors have no rights.
They are basically non-people: no right to privacy (school and parent spyware), no right to freedom (go to your room!), can't even make their own medical decisions.
I am severely allergic to dogs and cats. Contact makes me break out in bubbles. Long indoor exposure causes me acute asthma attacks. Mild symptoms involve fatigue and respiratory problems hard to distinguish from a cold.
Occasional reminder of unevenly distributed knowledge.
Above $200k, you mostly negotiate equity, not salary.
Mid-career engineers in the US can go way beyond $200k at large tech companies and startups that compete with them.
YIKES.
It's important to destigmatize therapy, but giving permanent therapy transcripts to a VC-backed engagement-optimized tech startup is TERRIFYING.
Teletherapy should be ephemeral by law, and it should not be allowed to optimize for more therapy.
YIKES. YIKES. YIKES.
Talkspace, a text therapy app made famous by Michael Phelps ads, keeps transcripts for about 7 to 10 years because they're medical records—and data-mines them, of course. But all the other stuff going on there was WILD.
This is my main objection to password-encrypted key files.
If you get to read arbitrary files from my disk you can pull my pictures, messages, and cookies (including the AWS console ones).
But at least not the SSH key? Yay? Who cares?
Other places are way worse. I get recruiting emails listing the "office dog" as a perk.
Guess what, me and a number of other people can't work for you now due to a completely work-unrelated medical reason.
Folks, the time to run or is now.
You don't need to have an account elsewhere yet. Download the CSVs while you can, and you can import them later.
go go go go
But here's the thing: the issue compounds. If you are already fighting a culture of sexism, are you going to spend political capital on... not letting people bring their dog to work?
Of course not, so maybe it has to be privileged people complaining about this.
🎉 mkcert made it to 10.000★ 🎉
v1.1.1 can make HTTPS certificates for localhost or any name on macOS, Linux and Windows, automatically trusted in Chrome, Firefox and Java.
TIL that the gnu coding standards specify that you must not abbreviate "windows" as "win" because that's too positive and suggest standardizing on "woe", which is puerile even by the low bar I already had in mind for gnu
The police are arresting, shooting, and macing journalists.
They are driving tanks into cities and escalating.
They're getting recorded and they don't care.
Defund the police. Disarm them. Drop qualified immunity.
Feature request: block all accounts created in 2020.
Most of them are bots. And if someone actually joined Twitter in 2020, look, they clearly make bad life choices.
Oh my. Apparently, AMD CPUs will sometimes return bad results from RDRAND after a suspend. That's bad, but if everyone has been following the cryptographer's advice and _just used getrandom()_ that's not a problem.
... nope! systemd of course didn't!
Easy UNIX piping! No config options! Modern crypto! No keyrings! Public keys that fit in a tweet! No more looking up how to encrypt a file on StackOverflow. 💥
age1t7r9prsqc3w3x4auqq7y8zplrfsddmf8z97hct68gmhea2l34f9q63h2kp
Try it out and send feedback 👉
Can we talk about the fact that @TeenVogue is systematically putting much of the news industry to shame?
This guide to filming police misconduct is grounded, useful, correct, insightful, actionable, sourced, and AFAICT flawless.
Journalists. When reporting about Telegram groups, I need you to stop referring to it as a “secure messaging app” without context.
This is not crypto nitpicking. Telegram groups ARE NOT ENCRYPTED.
OMG YES YES YES
If you are into signing git commits, here's your answer!
Also, I'm happy any time I see SSH signatures in use. Every developer has SSH keys! We have robust tooling and hardware for them! They are simple!
You can use ssh-keygen(1) to produce and verify them.
Others have a phobia of dogs instead of allergies, and they feel even less legitimized to speak up and "be that person", but have to cope with a work space that does not feel safe.
Everyone is talking about the RSA key generation bug, and there's indeed a catalog of things that went wrong, but the thing is...
YOU DON'T GET TO IMPLEMENT A FALLBACK FOR RANDOMNESS
That's it. That's the tweet.
In summary, allergies and phobias don't get the same treatment as disabilities, but they are also issues that exclude people for no good reason, or force them to fight for a safe environment.
I was going to announce a newsletter, but instead I found an XSS in the service I'm using for it, so now the sign up page is a Proof of Concept and I'm not sure this story has a moral.
PSA: don't rely on GnuTLS, please.
[CVE-2020-13777] Whoops, for the past 10 releases most TLS 1.0–1.2 connections could be passively decrypted and most TLS 1.3 connections intercepted. Trivially.
Also, TLS 1.2–1.0 session tickets are awful.
I'm such a sucker for nice UNIX pipelines.
$ pngpaste - | zbarimg -q --raw - | pass otp append
This extracts a QR code from a screenshot in the clipboard (⌘⌃⇧4) and saves it as a TOTP 2FA entry in password-store.
$ brew install pngpaste zbar pass-otp
To prove that crypto code can be understandable, I gave my best shot at writing a readable Poly1305 implementation. It tries to explain both what it’s doing and how. (It’s also 75% faster than the current one.)
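To show what a readable Poly1305 looks like, here is a small Python version added as an illustration (it is not the implementation the tweet links to). It follows RFC 8439 and checks itself against that RFC's section 2.5.2 test vector; Python big integers are not constant-time, so it is for understanding the algorithm, not for production use.

```python
import hmac

# Poly1305 reduces its accumulator modulo the prime 2^130 - 5.
P = (1 << 130) - 5

# Clamp mask from RFC 8439: clears bits of r so that limb-based
# implementations can multiply by r without carry propagation.
R_CLAMP = 0x0FFFFFFC0FFFFFFC0FFFFFFC0FFFFFFF


def poly1305_tag(key: bytes, msg: bytes) -> bytes:
    """One-time Poly1305 MAC. key is 32 bytes: r (16) || s (16).

    The (r, s) pair must never be reused for a second message;
    reuse lets an observer recover r and forge tags.
    """
    if len(key) != 32:
        raise ValueError("Poly1305 key must be 32 bytes")
    r = int.from_bytes(key[:16], "little") & R_CLAMP
    s = int.from_bytes(key[16:], "little")
    acc = 0
    for i in range(0, len(msg), 16):
        block = msg[i:i + 16]
        # Read the block as a little-endian integer and set one extra bit
        # just past its last byte, so a short final block and a full block
        # padded with zeros do not collapse to the same value.
        n = int.from_bytes(block, "little") + (1 << (8 * len(block)))
        acc = ((acc + n) * r) % P
    # The final addition of s is done modulo 2^128, not modulo P.
    return ((acc + s) & ((1 << 128) - 1)).to_bytes(16, "little")


def poly1305_verify(key: bytes, msg: bytes, tag: bytes) -> bool:
    """Compare tags in constant time rather than with ==."""
    return hmac.compare_digest(poly1305_tag(key, msg), tag)


# Test vector from RFC 8439, section 2.5.2.
RFC_KEY = bytes.fromhex(
    "85d6be7857556d337f4452fe42d506a8"
    "0103808afb0db2fd4abff6af4149f51b"
)
RFC_MSG = b"Cryptographic Forum Research Group"
RFC_TAG = bytes.fromhex("a8061dc1305136c6c22b8baf0c0127a9")

if __name__ == "__main__":
    print(poly1305_tag(RFC_KEY, RFC_MSG).hex())
    print(poly1305_verify(RFC_KEY, RFC_MSG, RFC_TAG))
```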
Strong disagree. As always, the problem with ProtonMail is not that they don't deliver an impossible product (secure email), but that they advertise it.
It's a choice, they know it, they benefit from it, their users believe it, and they are responsible for it.
Wireguard is up there with Mosh in terms of not leaking the network semantics into the user experience: I've had a Mosh session and a Wireguard tunnel open to my home server for days from home, to plane WiFi, to Italian tethering.
Other software, be more like Wireguard and Mosh.
By the way, I like dogs! I like dogs so much that sometimes I take meds and cover every inch of my skin to play with them for half an hour (and then immediately jump in the shower and accept some mild asthma for a couple days). But no one should have to at work.
Linus is arguing against the whole secure-by-default philosophy in order to break the only correct randomness interface in Linux. (The one that works like all the BSDs.)
I can't, I just can't. I'm actually giving up.
Go will mitigate it if it happens, but that's it.
I disagree with Linus on this issue. It’s the situation where you’re sure you really *don’t need* secure random numbers that represents the special case. Put your API flag there.
Do you have a bunch of GPUs and passphrase bruteforcing experience?
Crack the NSA’s five SHA-1 hashes at the heart of NIST's elliptic curves, solve a cryptographic mystery, and earn $8k (tripled if donated to charity)!