Skip Navigation

InitialsDiceBearhttps://github.com/dicebear/dicebearhttps://creativecommons.org/publicdomain/zero/1.0/„Initials” (https://github.com/dicebear/dicebear) by „DiceBear”, licensed under „CC0 1.0” (https://creativecommons.org/publicdomain/zero/1.0/)V

vvv

@ vvv @programming.dev

Posts
4
Comments
147
Joined
3 yr. ago

  • How is everyone handling the 2FA requirement for GitHub?

    Jump

  • Your two factors shift to possession of your password vault + knowledge of the password to it. You're okay IMO.

    You also still get the anti-replay benefits of the OTPs, though that might be a bit moot with TLS everywhere.

  • What do you call application modules that are responsible for business logic?

    Jump

  • that's a good call actually. I got pretty hung up on domain objects being mostly data classes, but one approach is to have them perform business logic themselves.

  • How do you backup 2FA setup codes/QR codes?

    Jump

  • Not a security scientist, but in my interpretation, it's the "categories" of the factors that matter. Ideally, you use some two of three of:

    • something (only) you know - generally represented by passwords
    • something (only) you have - most commonly represented by some device. you prove that you have the device by providing a token only that device can generate.
    • something (only) you are - generally represented by biometrics

    the goal then is maintaining the "only"s.

    if you tell someone your password, or they see you type it in, or they beat it out of you with a wrench, it's no longer something "only" you know, and it is compromised.

    if you use the same password on two websites, and one website is compromised, the password is compromised.

    OTPs from a key fob or yubikey or something are similarly compromised if the device that provides them is left out in public/lost/stolen/beaten out of you with a wrench.

    biometrics are again, are compromised if it's not "only" you with access to them - someone scans you face while you're asleep, or smashes your finger off with their wrench.

    having multiple factors in the same category, like having two passwords, or two otp tokens, or two finger prints, doesn't significantly improve security. if you give up one thing you remember, it's likely you'll give up more. if one fob from your keychain is stolen, the second fob on that keychain is of no additional help.

    you can start shifting what categories these things represent though.

    if you write down your password in a notebook or a spreadsheet, they become thing you have.

    OTPs can become something you know if you remember the secret used to generate them.

    knowing many different things is hard, so you can put them in a password vault. the password vault is then something you have, which can be protected by something you know. so although your OTPs and passwords are in one place, you still require two factors to get access to them.

    you still need to protect your "only"s though. and don't put yourself in situations where people with wrenches want your secrets.

  • How do you backup 2FA setup codes/QR codes?

    Jump

  • I use passwordstore.org/ as my password manager, including for my otp codes. It's backed by a git repo. I get a backup of it on every device it is cloned to.

  • What do you call application modules that are responsible for business logic?

    Jump

  • (often abbreviated BS)

  • What do you call application modules that are responsible for business logic?

    Jump

  • Thanks for that, I think Engines is winning in my mind so far!

  • What domain name to choose for an open source website where I could ask for personal donations?

    Jump

  • Be careful, if you get a .pizza, you are only legally allowed to spend the donations on pizza.

  • Deleted

    Permanently Deleted

    Jump

  • Further, in terms of safety, having a large display built into your dash showing you navigation is much better than a small device you jerryrig onto a vent or something. It's easier to see via your peripheral vision, and won't put you in a situation where you need to go find it off of the floor when it falls off.

  • Self-Hosted (or github pages hosted) "clipboard"?

    Jump

  • just to give you the term to search for, these types of applications are called snippet managers. for example, https://snibox.github.io/

    there's a ton of them around. I don't have a particular one that I recommend, since it's not something I use in my workflow.

  • Amber - the programming language compiled to Bash

    Jump

  • I can't believe they didn't with go with BatShIt. it's right there! they were SO close!

  • find a file containing some text

    Jump

  • grep -r exists and is even more faster and doesn't require passing around file names.

     
        
grep -r --include='*.txt' 'somename' .

  • Integration Tests - What's New?

    Jump

  • I just started using this at $jorb. Check out their "ui-mode" is all I'm going to say about that.

  • SSH login without user name?

    Jump

  • Better than that, git config supports conditional includes, based on a repo URL or path on disk. So you can have a gitconfig per organization or whatever, which specifies an sshCommand and thus an ssh key.

  • Novel attack against virtually all VPN apps neuters their entire purpose

    Jump

  • (obligatory I'm not a network surgeon this is likely not perfectly correct)

    The article mentions network interfaces, DHCP and gateways so real quick: a network interface usually represents a physical connection to a network, like an Ethernet port or a WiFi card. DHCP is a protocol that auto configured network routes and addresses once a physical connection is established, like when you jack in via an ethernet cable, it tells you the IP address you should go by, the range of IP address on the network you've connected to, where you can resolve domain names to IP addresses. It also tells you the address of a default gateway to route traffic to, if you're trying to reach something outside of this network.

    You can have more than one set of this configuration. Your wired network might tell you that your an address is 10.0.0.34, anything that starts with 10.0.0. is local, and to talk to 10.0.0.254 if you're trying to get to anything else. If at the same time you also connect to a wireless network, that might tell you that your address is 192.168.0.69, 192.168.0.* is your local network, and 192.168.0.254 is your gateway out. Now your computer wants to talk to 4.2.2.2. Should it use the wireless interface and go via 192.168.0.254? or the wired one and use 10.0.0.254? Your os has a routing table that includes both of those routes, and based on the precedence of the entries in it, it'll pick one.

    VPN software usually works by creating a network interface on your computer, similar to an interface to a WiFi card, but virtual. It then asks the OS to route all network traffic, through the new interface it created. Except of course traffic from the VPN software, because that still needs to get out to the VPN provider (let's say, at 1.3.3.7) via real Internet.

    So if you're following along at home, your routing table at this point might look like this:

    • traffic to 1.3.3.7 should go to 10.0.0.254 via the wired interface
    • all traffic should go to the VPN interface
    • traffic to 10.0.0.* should go to the wired interface
    • all traffic should go to 10.0.0.254 via the wired interface
    • traffic to 192.168.0.* should go to the wireless interface
    • all traffic should go to 192.168.0.254 via the wireless interface

    whenever your os wants to send network packets, it'll go down this list of rules until one applies. With that VPN turned on, most of the time, only those two first rules will ever apply.

    If I'm reading the article correctly, what this attack does, is run a DHCP server, that when handing out routing rules, will send one with a flag that causes, for example, the last two rules to be placed at the top of the list instead of the bottom. Your VPN will still be on, the configuration it's requested the OS to make would still be in place, and yet all your traffic will be routed out to this insecure wireless network that's somehow set itself as the priority route over anything else.

  • What would your last words be?

    Jump

  • The password to my password manager: a few randomly chosen words that will definitely just sound like nonsense dementia-talk probably.

  • What are some free interests/things/hobbies you can do in the city?

    Jump

  • Geocaching is free and usually lots of fun in cities. It's like a big database of dead drops - people hide small containers with pieces of paper to sign, and post their GPS coordinates online. Frequently they're hidden near points if interest, as well so you might find some cool shops or bars as a side effect.

  • Am I the only one who thinks the community is being to hard on the Rabbit R1?

    Jump

  • That's the other one. The Rabbit thing is $200, which, not that I would buy one, is not too unreasonable for an AI tamagotchi

  • Which are the F-Droid apps everyone should download?

    Jump

  • Once you have your list, check out fdroidcl so you can get it all installed from your laptop via adb

  • Recommendations please: Self-hosted web site analytics

    Jump

  • yep. they're still here. they got smaller, and we call them "tracking pixels" now.

    it's just an image, which, server side, you can count the number of times it got loaded. easy to embed and no js required.