Notices by Erin 💽✨ (erincandescent@akko.erincandescent.net), page 4

@Beckydog @MOULE <points at lump of cesium> this thing isn’t thinking

Disadvantages of having a physics degree & being a bit of a timekeeping nerd:

You know that most of the time when programmers are talking about UTC timestamps they actually mean UT1. (Except NTP. NTP is also developed by timekeeping nerds)

RE: https://akko.erincandescent.net/objects/874224bb-0390-4b06-9095-37e6cc6118ce

@snowfox @equinox yeah, the CLOCK_TAI <-> CLOCK_REALTIME offet is also integer seconds, which is less than ideal because its probably reasonable to leap-smear these days because of the quantity of questionable software.

@equinox @snowfox IMO the lack of kernel support for non-integer or even algorithmic offsets is one of the biggest impediments to CLOCK_TAI use.

• Most systems don’t have a correct TAI<->UTC offset loaded anyway
• Making it correct requires making CLOCK_REALTIME non-monotonic (which breaks shit!)
• If you do it with leap smear it makes a mess

i.e. fixing shit really needs to start with the kernel, but clock_gettime is a super hot path…

@puppygirlhornypost2 @trwnh @cwebber Object already permits just putting an Object-ID-URI there, Object | Link is a horrible overcomplicated mess (IMO) that should never have made it into the standard >_<

Oh well

@puppygirlhornypost2 For better and worse Congress has no formal sponsors. (Better: No corporate interests distorting things; Worse: things can be a bit more expensive than they otherwise would if ther were sponsors)

(There are some informal sponsors, but informal in this sense means “they donate some services for free e.g. the fat fat internet pipe without getting their logo anywhere)

@puppygirlhornypost2 The 38th Chaos Communications Congress, a gigantic (16,000? person) hacker event in Germany.

@puppygirlhornypost2 Given Fedi’s demographics I’m sure you can understand why half of the fediverse population suddenly appears to have converged on Hamburg

@puppygirlhornypost2 Anyway DEFCON is the US’s closest event but has a signficantly lower quantity of Antifacist Aktion flags and a much less… friendly? atmosphere to it

@lanodan in this case its just the hash of the key fingerprint in order to generate a probablistically unique key ID. It doesn’t even need to be unique, duplicates just mean multiple trial verifications until the recipient finds the right key.

Of course the signing key’s ID is base64 of a truncated sha256 hash so that bit ends up being base64(encrypt(base64(json(base64(truncated-hash))))) :floofWoozy:

JSON and Cryptography: It’s not a good mix.

I find myself working with JOSE (not my choice, protocol dictates :<) at the moment and I’m slowly going insane at the levels of recursive base64 involved :floofWoozy:

e.g. if you end up doing signed-and-encrypted JWTs you end up with base64(encrypt(base64(json)))

@mildsunrise @david_chisnall I generally think in a lot of those cases the solution is rethinking the abstraction a bit

The problem is often less “I have to do multiple things” and more “doing these things requires so much extra code” and e.g. this might mean that e.g. your API should be more monadic

@david_chisnall:

It’s great for boilerplate! No. APIs that require every user to write the same code are broken. Fix them, don’t fill the world with more code using them that will need fixing when the APIs change.

This is the thing that gets me. If you can autocomplete the boilerplate, you can eliminate it!

RE: https://infosec.exchange/@david_chisnall/113690087142854474

Everyone’s busy building admin tooling for shared block lists when what they could be building is structured “threat intelligence”

Which is kind of the same data (Except with much more focus on timestamps & description), its just the UI and how the data is consumed is different (rather than automatically blocking/unblocking things I get a queue of notifications I can act on)

Does it mitigate all of the issues that exist with shared blocklists? No, because those are human nature. An admin can decide to just blindly follow recommendations without doing their own investigations and there’s nothing you can do about it.

Does it mitigate all of the worst aspects? Yes.

Is it something you can build and deploy without doing complicated protocol development as might be required for something more ideal? Yes.

After spending years on here its easy to forget that other social networks don’t have (convenient) ways for users to mark their own images as sensitive

Well, until you’re scrolling your BSky feed and get faceblasted with uncensored yiff (because nobody bothered to train the ML porn classifier on murrsuits, of course)

(To be clear: the image isn’t the problem. the fact that its dangerous to open my feed in a place where someone might see my screen is!)

(seriously how did nobody train the porn classifier on e621? do these people have no furries working at them?!)