What is your most impressive *sounding* accepted Pull Request?
Here's me casually getting some code merged by the NSA 😅
https://github.com/NationalSecurityAgency/nationalsecurityagency.github.io/pull/38
Wondering what the world would look like if we implemented "Universal Basic Website".
Entitle everyone to their own domain, a few GB of space, the ability to run simple apps / blogs / etc.
What does the world look like if people aren't beholden to Flickr / Facebook / Google Photos to share their family albums?
@ryanc ahhhh. That makes sense. Time for me to do some digging.
@ryanc I am blissfully ignorant of such matters!
@ryanc Interesting. My WiFi unit is in the middle of our 3 floor house.
So I have half the antennae pointing up and the other half perpendicular to them. In the vague hope the vertical ones will cover the middle floor and the horizontal ones will send the signal upstairs & downstairs.
It *seems* to work - but I've not done any serious testing.
How should you orient your WiFi antennae?
https://shkspr.mobi/blog/2013/03/how-to-orient-wifi-antennae/
Anyone know where I can buy one of these USB dongles?
I have a device with a USB Micro socket. I want to plug in to a computer with a USB-C port.
I can find the cable version of this OTG adapter. But I'm struggling to find a small, solid component.
🆕 blog! “How updates work in ActivityPub / Mastodon”
I didn't realise this, so I'm documenting it to stop other people making the same silly mistake that I did. Messages in ActivityPub have two distinct ID strings. Here's a (truncated) view of what happens when I send a new message on Mastodon: "id": "https://mastodon.social/users/Edent/statuses/1234567890/activity", "ty…
👀 Read more: https://shkspr.mobi/blog/2024/03/how-updates-work-in-activitypub-mastodon/
⸻
#ActivityPub #mastodon
🆕 blog! “OpenBenches on the Volunteer Technologist Podcast”
I was delighted to be interviewed by the Volunteer Technologist podcast about our OpenBenches project. Huge thanks to Gene Liverman for having me on. It is available, as they say, wherever you get your podcasts.
👀 Read more: https://shkspr.mobi/blog/2024/03/openbenches-on-the-volunteer-technologist-podcast/
⸻
#OpenBenches
Which (new) HTTP response code would you use to represent "User Has Died"?
@ryanc I'm noodling around in a demo database - nothing prod facing.
But, this is to try and prevent an attacker producing a file with a specific hash.
So I'm assuming SHA over MD5?
@ryanc @retr0id
Oh, sure, the sha256 of "b" and "e" both start with "3".
But I'm sure I read something about manipulating the first and last 5(?) characters.
It is entirely possible I dreamt it though.
On a related note, I'm *sure* I read a paper / post where someone proved that you could manipulate a file to produce a hash where the first and last few characters matched the hash of an unrelated file.
Anyone know what I'm talking about?
@evan I still think there's a missing step. My thinking is...
owner.publicKey is derived from sig_key.
So if sig_key is lying about who its owner is, you're just comparing the same source twice, right?
So I *think* it should be
owner_id = get_id(sig_key.owner)
Then
if (owner_id == message.actor) ...
Does that make sense?
@erincandescent @evan @Gargron
I'm sorry if I'm being thick (and feel free to tell me) - but...
I get a signature with a keyID of `evil.com/evil#sig`
I get the public key from evil.com
I verify the time, digest, and signature all match.
The body of the message says actor example.com/edent Creates...
When / how do I then check that edent's public key is the same as the one in the keyID?
@Gargron @evan
I see. So both need to be verified?
Or, to put it another way, the location of the key should be taken from the actor, not the signature header?
@evan but how do I test that?
If the keyID is "example.com/keys/123456" that might lead to a fake page which claims to be from the user in the body.
(Feel free to tell me I'm overthinking this.)
Another #ActivityPub question about verifying signatures.
A header contains:
`keyID="example.com/user/1#main-key"`
But the body of the message might have:
"actor": "example.com/user/2"
How do I check that that message has been signed by the actor in the body?
The URLs might not be in the same format. So I guess back to webfinger to request the key from the actor - ignoring the one provided in the header?
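The keyID-versus-actor check discussed in the posts above, sketched as an added example (not from the original posts or from any project's code): the key must name the message's actor as its owner, and the actor's own document must publish that same key. The URLs, the placeholder PEM strings and the `fetch` helper are constructed assumptions; the `publicKey`, `owner` and `publicKeyPem` field names follow the layout Mastodon actors use.

```python
from urllib.parse import urldefrag

# Constructed sample documents standing in for HTTP fetches (not real data).
DOCS = {
    "https://example.com/users/edent": {
        "id": "https://example.com/users/edent",
        "publicKey": {"id": "https://example.com/users/edent#main-key",
                      "owner": "https://example.com/users/edent",
                      "publicKeyPem": "PEM-EDENT"},
    },
    "https://example.com/users/other": {
        "id": "https://example.com/users/other",
        "publicKey": {"id": "https://example.com/users/other#main-key",
                      "owner": "https://example.com/users/other",
                      "publicKeyPem": "PEM-OTHER"},
    },
    "https://evil.example/evil": {
        "id": "https://evil.example/evil",
        "publicKey": {"id": "https://evil.example/evil#sig",
                      "owner": "https://example.com/users/edent",  # false claim
                      "publicKeyPem": "PEM-EVIL"},
    },
}


def fetch(url):
    """Hypothetical fetcher: looks the URL up in DOCS with its fragment removed."""
    return DOCS.get(urldefrag(url)[0])


def key_for_actor(key_id, message_actor, fetch=fetch):
    """Return the PEM to verify the signature with, or None if the key is not the actor's."""
    key_doc = fetch(key_id)
    if key_doc is None:
        return None
    key = key_doc.get("publicKey", key_doc)  # actor document or bare key document
    if key.get("id") != key_id or key.get("owner") != message_actor:
        return None  # signature header and body name different identities
    # The key's own "owner" claim is not proof: ask the actor's server what it publishes.
    actor_doc = fetch(message_actor)
    if actor_doc is None or actor_doc.get("id") != message_actor:
        return None
    published = actor_doc.get("publicKey", {})
    if (published.get("id") != key_id
            or published.get("publicKeyPem") != key.get("publicKeyPem")):
        return None  # actor does not list this key, so the owner claim was false
    return published["publicKeyPem"]
```

The returned PEM is what the time, digest and signature checks should then be run against; a `None` result means the message is rejected before any signature maths is done.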
🆕 blog! “A simple(ish) guide to verifying HTTP Message Signatures in PHP”
Mastodon makes heavy use of HTTP Message Signatures. They're a newish almost-standard which allows a server to verify that a request made to it came from the person who sent it. This is a quick example to show how to verify these signatures using P…
👀 Read more: https://shkspr.mobi/blog/2024/02/a-simpleish-guide-to-verifying-http-message-signatures-in-php/
⸻
#ActivityPub #cryptography #http #mastodon #security
@Gargron Yet another thing for me to try and fix if I ever get any spare time!
Longer hair than you. Got the ⏻ symbol into #Unicode. Open Standards / Source / Data geek. Known as @Edent on most social platforms. Did an MSc in using the Metaverse for analytics. Bit obsessed with #SolarPower but not quite a #SolarPunk.