I've been hacking unix systems since the mid-80s in a good way, and I try to stay in the unix/free software/open source software world as much as possible.

I build far too many workflows that mix bash, python, awk, sed and golang together to drag data from odd places, polish it up, and put the results somewhere where the sun does shine. With possibly less input safety than is needed ...

For money, I do infosec. For fun, I play Elite:Dangerous and help run the in-universe radio station.

I also live somewhere that isn't in your timezone, have a family that just wants their tech to work, and look forward to owning electric vehicles.

My kid is fixing a bit of floor in Minecraft using TNT blocks because "it's what I had and I'll just not blow it up". I think this is what our industry calls technical debt.

Update: I've tried out a bunch of solutions and unfortunately Roam is the only one that offers real block-level transclusion that isn't a messy hack. I've decided to continue paying for Roam but also pay for Obsidian in the hopes that they (or some other non-hosted or self-hosted solution) manage to figure it out.

For a short example of block-level transclusion in action see here

I hate it when people write "mike" when abbreviating "microphone."

It's a microphone, not a homophone!

You think you wouldn't miss sandfall at all, but that's because you live in a sand-rich environment, just you grow up on a planet without sandstorms, you'll see.

I've figured out the coronavirus strategy for the 'failing' countries ...

"Dead people cast no votes"

These days, the primary way I'm finding out about Mozilla projects for the first time is when their cancellation is announced.

Bitwarden has been automatically sending Basic Auth login attempts inappropriately ...

This has been addressed already, but all the same ... ouch.

I'm not convinced about cursive in any context (you try doing family history research with original documents!) but this here is a monospaced cursive font for programming ...

always seed your torrents

copyright law is unethical

I've implemented a 'social login' to a private family tree website, that uses open-source software on my end to hand off the whole authentication layer to google, but keeps the authorization layer with me having access to the users' email address ...

I'm actually very surprised that it worked after only a couple of hours hacking!

nginx has a module called auth_request, that has a very simple contract with an "identity provider" that you will probably run on the same machine. It returns 200 or 401. If you get a 401 they're not currently logged in, and you redirect them to a login page. provides a small and neat implementation in Go (not that I care, because at the moment I'm using it via Docker Hub). There's a small config file that says "these usernames are OK" (so a manual list in the config of approved email addresses) and "Use oauth to google, using my ClientID and ClientSecret".

Google hand out an API setup basically free, if you don't ask for any sensitive data you don't have to be manually validated. There's some indication that it'll perhaps need validation some time in the future, after 100 users, but that's not going to be an issue here. In any case, it works ...

So previously I had this family tree website locked down to our home static IP, but now my wife can go to the local library, get their genealogy records, and still log in to the thing; and no-one else can :-)
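
The 200/401 contract from the auth_request post above, sketched as an added example (not the poster's setup and not the code of the tool they use): a minimal Go endpoint that answers nginx's subrequest. The `email|tag` cookie format, the `X-Auth-User` header, the port and the allowlist entry are assumptions; it also returns 403, which nginx likewise treats as a denial, for a signed-in address that is not on the list.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"log"
	"net/http"
	"strings"
)

var cookieKey = []byte("constructed-demo-key")                   // constructed demo key
var allowed = map[string]bool{"alice@example.com": true} // constructed allowlist

// sign returns the hex HMAC-SHA256 tag the login step would attach to an email.
func sign(email string) string {
	m := hmac.New(sha256.New, cookieKey)
	m.Write([]byte(email))
	return hex.EncodeToString(m.Sum(nil))
}

// decide maps an "email|tag" session cookie to the subrequest status: 401 = no valid
// session (nginx redirects to login), 403 = not on the allowlist, 200 = allow.
func decide(cookie string) (int, string) {
	email, tag, ok := strings.Cut(cookie, "|")
	if !ok || !hmac.Equal([]byte(tag), []byte(sign(email))) {
		return http.StatusUnauthorized, ""
	}
	if !allowed[strings.ToLower(email)] {
		return http.StatusForbidden, ""
	}
	return http.StatusOK, email
}

// validate is the handler nginx calls for every protected request.
func validate(w http.ResponseWriter, r *http.Request) {
	status, email := http.StatusUnauthorized, ""
	if c, err := r.Cookie("session"); err == nil {
		status, email = decide(c.Value)
	}
	if status == http.StatusOK {
		w.Header().Set("X-Auth-User", email) // readable via auth_request_set
	}
	w.WriteHeader(status)
}

func main() {
	http.HandleFunc("/validate", validate)
	log.Fatal(http.ListenAndServe("127.0.0.1:9090", nil))
}
```

Keeping the decision in `decide` means the allowlist stays the single authorization point regardless of which provider did the authentication.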

Another possibility is JOSSO, but that's a big java set of servers, and depends on flash for the UI (until the next release, due RSN)

This is beginning to look like perhaps nginx with its auth_request module, talking to an instance of vouch ... suggestion via Okta, who write great docs :-)

I've been working really hard the past couple of weeks building a new stats system for my web game Improbable Island.

It's a text adventure at, there's a lively roleplaying community, player-owned places (with a programming engine!), hundreds of pages of story and no ads/tracking/nastystuff. We've had problems getting new players 'cause the places we used to advertise are all going offline, so if y'all could help me out with a boost that'd be much appreciated

Also actually, if you get this far down, this is very very true ...

In conclusion, to be a hacker u ask for tap water.

The hacker known as "Alex" (because that's his name) has been at it again ...

For security reasons, we try to change our Prime Minister every six months, and to never use the same Prime Minister on multiple websites.

Actually let's change that around ...

I'd rather have an authorization layer than an authentication one. Push off the actual identification phase to federation with google/apple/facebook and then all the potential external users won't have another password to remember.

I'd like proper MFA though - when I'm logging in from the house the src IP address is a good identifier, if I'm coming in from outside then tokens are needed ... that sort of thing.

So not a user directory so much as a federation thing. Is that what Keycloak does?

