acatton's recent activity

  1. Comment on The “email is authentication” pattern in ~tech

    acatton

    TL;DR: For security use KeepassXC or Bitwarden

    I haven't used other password managers. But as a security and cryptography enthusiast, I've compared their security.

    1Password, Nordpass, Dashlane, Lastpass, SecureSafe are all closed source. There is some type of religion online around 1Password, I guess they have a good marketing team, but there is no way to analyse their security, since they're closed source like all the others. Lastpass was claiming for years that "everything was encrypted", until they got hacked, and details leaked. The encryption was very weak, and only the passwords were encrypted, criminals could use the clear-text metadata to target websites of lastpass users, since they could get websites and logins from the metadata.

    In the open-source world, where you can audit the source code, there are three contenders:

    1. pass: the oldest. It's written by the same person who wrote Wireguard, the new more secure VPN solution, which is now the standard replacement for OpenVPN on Linux, and built into the kernel. It's a very nerdy setup. It uses GPG, which is the standard for security, and doesn't try to do its own encryption. But it leaks a little bit of metadata.
    2. Bitwarden: this is what I recommend to non-technical users in my family. It's easy to set up, it's open source, and was audited by Cure53. Last time I checked, it encrypted the entire vault with PBKDF2 (the recommendation for password key derivation is Argon2 nowadays, but PBKDF2 is still good) to seed AES-CBC. (the recommendation for encryption is XSalsa20 nowadays, AES-CBC is still secure, but getting old.) They messed up the default amount of iterations for PBKDF2, so you have to log in to their web UI to increase the iterations for your vault, for old vaults. (not great, that means they could snoop your password if they wanted) I believe that new vaults use a sensible amount of iterations for PBKDF2 now.
    3. KeepassXC: it uses the KDBX 4 file format by default. This checks all the boxes for best encryption: Argon2 to seed a ChaCha20 encryption, which encrypts the entire file as well. (ChaCha20 is supposed to be even better than the recommended XSalsa20)

    In terms of security, KeepassXC is the best, followed by Bitwarden. In terms of usability for a non-technical user, Bitwarden is definitely better, and it has built-in sync. While still being very good, pass is the worst of both categories.

    There is this whole thing with KeepassXC as well that your browser doesn't have the passwords. It uses an extension to connect to KeepassXC and request the passwords from KeepassXC without saving them. I find this ingenious.

    There is also Protonpass which is open-source, but I personally don't have the best trust in Proton. And I couldn't find any documentation about their encryption.

    3 votes
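    The comment's point about Bitwarden's PBKDF2 iteration count is worth seeing in numbers. The following is an added example, not code from the commenter or from any of the password managers discussed: it stretches a master password with PBKDF2-HMAC-SHA256 (Python's stdlib `hashlib.pbkdf2_hmac`) at a low and a high iteration count and times one derivation, which is exactly the per-guess cost an offline attacker on a stolen vault has to pay. The password, salt and the two iteration counts are constructed for the demo and are not any vendor's actual defaults.

```python
import hashlib
import time

# Constructed sample inputs for the demo; nothing here comes from a real vault.
SAMPLE_PASSWORD = "correct horse battery staple"
SAMPLE_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")  # fixed so runs are reproducible

# Illustrative iteration counts (assumption), chosen to make the cost gap visible.
LOW_ITERATIONS = 5_000
HIGH_ITERATIONS = 600_000


def derive_vault_key(password: str, salt: bytes, iterations: int, length: int = 32) -> bytes:
    """Stretch a master password into a fixed-length key with PBKDF2-HMAC-SHA256.

    The returned key is what would seed the vault cipher (AES-CBC, ChaCha20, ...).
    Same password + salt + iterations always gives the same key; any change gives a different one.
    """
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=length)


def time_derivation(password: str, salt: bytes, iterations: int) -> float:
    """Wall-clock seconds for a single derivation on this machine.

    This is the cost a legitimate unlock pays once, and the cost an offline
    guesser pays for every candidate password, so raising it hurts the guesser far more.
    """
    start = time.perf_counter()
    derive_vault_key(password, salt, iterations)
    return time.perf_counter() - start


def guesses_per_second(seconds_per_guess: float) -> float:
    """Rough single-core guess rate implied by one derivation's cost (for comparing settings)."""
    return float("inf") if seconds_per_guess <= 0 else 1.0 / seconds_per_guess


if __name__ == "__main__":
    for iterations in (LOW_ITERATIONS, HIGH_ITERATIONS):
        key = derive_vault_key(SAMPLE_PASSWORD, SAMPLE_SALT, iterations)
        seconds = time_derivation(SAMPLE_PASSWORD, SAMPLE_SALT, iterations)
        print(
            f"{iterations:>8} iterations: key prefix {key.hex()[:16]}..., "
            f"{seconds * 1000:8.2f} ms per derivation, "
            f"~{guesses_per_second(seconds):,.0f} single-core guesses/s"
        )
```

    The absolute timings depend on the machine, but the ratio between the two settings does not: a vault left at a low legacy iteration count is roughly `HIGH_ITERATIONS / LOW_ITERATIONS` times cheaper to brute-force than one at the higher setting, which is why bumping the count on old vaults matters. Argon2 (what KDBX 4 uses) adds a memory cost on top of this time cost; it is not in the standard library, so it is not shown here.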
  2. Comment on Linux very close to enabling real-time "PREEMPT_RT" support in ~tech

    acatton

    Context: PREEMPT_RT is an out-of-tree patch for Linux, which allows turning it into a real-time operating system, kinda like FreeRTOS. This has a ton of real-life applications, from low-latency video game servers to firmware for 3D printers.

    11 votes
  3. Comment on Any other 3D Printers here? in ~hobbies

    acatton

    I own a Prusa MK4. I'm a huge Prusa fanboy, I love it, but it's taking a lot of space, so I'm considering building and printing my own CoreXY printer from scratch out of 3D printed parts and extruded aluminium profiles. I basically want an enclosure that takes less vertical space. (the bed slinging is what leads to huge enclosures on the XY axis). I don't care about vertical space. I love what this guy did, except the welding + angle-grinding. I would prefer to make it more repairable with bolts, screws and T-slots.

    What have I printed recently? Hm... I recently printed reinforced feet for a heavy workbench. I love using OpenSCAD to design my parts, and tweaking the infill density for some areas thanks to modifiers. I swear, I don't work for or have any financial relationship with Prusa Research. I'm just a fanboy, because the printer is great, and I love their open source tooling and their repairability.

    I only print stuff that I mostly design. I rarely print stuff out of the thingiverse or printables[dot]com, unless the nieces and nephews ask for a toy :) . I don't design toys, only functional prints :P

    1 vote
  4. Comment on Google now only search engine allowed to provide results from Reddit in ~tech

    acatton

    You have a point. But if I listen to people working in marketing, teenagers make most of the purchase decisions, because they're able to influence the lady or the man of the house.

    A good example of this is the video game console success. I know that every Super Mario Odyssey reviewer on YouTube is basically a ~30 year old man going back to his childhood. But they're not the ones massively buying the Nintendo Switch. AFAIU, the Nintendo Switch is mostly bought by parents annoyed that their kids keep asking for a Nintendo Switch.

    3 votes
  5. Comment on Google now only search engine allowed to provide results from Reddit in ~tech

    acatton

    > > ValKey (formerly known as "Redis")
    >
    > Oh, I hadn't heard about the rebranding. I wonder why they did that? Will need to look into it.

    Redis didn't rebrand. They just became closed source. (or "fauxpen" as they call it)

    The Linux foundation took the last open source code, and forked it under ValKey. This is most likely what Debian will migrate their redis package to.

    A bunch of non-corporate people also maintain a fork called Redict.

    11 votes
  6. Comment on Google now only search engine allowed to provide results from Reddit in ~tech

    acatton

    > start disregarding robots.txt and spoofing Googlebot's user agent

    Google crawler should not be verified based on the user agent. There is some official documentation on how to verify googlebot, this is basically un-spoofable. (TL;DR: the IP should have a *.googlebot.com reverse DNS, and that FQDN should resolve back to the IP of the crawler)

    It is very costly, and I don't know how Reddit checks if it's Google crawling them. But if they're committed to blocking crawlers except Google's, they would have to do this. You could easily cache the valid IP in ValKey (formerly known as "Redis") for ~1h and make it cheap to verify.

    5 votes
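    The two-step check described in that comment (PTR lookup, then forward lookup of the resulting name, then compare) plus the ~1h verdict cache, as an added example that is not part of the original post and not Google's or Reddit's code. It is written in Python with an injectable resolver: by default it uses the OS resolver (`socket.gethostbyaddr` / `socket.gethostbyname_ex`), and for the offline demo it uses a constructed in-memory `FakeDns` whose records are made up (the 203.0.113.0/24 and 198.51.100.0/24 addresses are documentation ranges). The suffix tuple holds only `googlebot.com`, which is what the comment names; extend it from Google's current documentation if you deploy this. An in-process dict stands in for the ValKey cache the comment suggests.

```python
import ipaddress
import socket
import time
from typing import Callable, Dict, List, Tuple

# Reverse-DNS suffix named in the comment; Google's documentation is the authority for the full list.
GOOGLEBOT_SUFFIXES = ("googlebot.com",)


def system_reverse(ip: str) -> str:
    """PTR lookup through the OS resolver (raises socket.herror when the IP has no PTR record)."""
    return socket.gethostbyaddr(ip)[0]


def system_forward(hostname: str) -> List[str]:
    """Forward lookup through the OS resolver (IPv4 only with gethostbyname_ex)."""
    return socket.gethostbyname_ex(hostname)[2]


def hostname_is_googlebot(hostname: str) -> bool:
    """Match on a label boundary, so 'crawl.evilgooglebot.com' is not treated as '*.googlebot.com'."""
    host = hostname.rstrip(".").lower()
    return any(host == s or host.endswith("." + s) for s in GOOGLEBOT_SUFFIXES)


class GooglebotVerifier:
    """PTR -> forward -> compare, with a per-IP verdict cache (TTL defaults to one hour)."""

    def __init__(self, reverse: Callable[[str], str] = system_reverse,
                 forward: Callable[[str], List[str]] = system_forward,
                 ttl: float = 3600.0, clock: Callable[[], float] = time.monotonic) -> None:
        self._reverse, self._forward, self._ttl, self._clock = reverse, forward, ttl, clock
        self._cache: Dict[str, Tuple[bool, float]] = {}  # ip -> (verdict, expiry); stand-in for ValKey

    def is_googlebot(self, ip: str) -> bool:
        now = self._clock()
        hit = self._cache.get(ip)
        if hit is not None and hit[1] > now:
            return hit[0]
        verdict = self._verify(ip)
        self._cache[ip] = (verdict, now + self._ttl)  # negatives are cached too: spoofers cost two lookups max per TTL
        return verdict

    def _verify(self, ip: str) -> bool:
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            return False                       # not an IP literal at all
        try:
            hostname = self._reverse(str(addr))
        except OSError:                        # socket.herror / socket.gaierror are OSError subclasses
            return False
        if not hostname_is_googlebot(hostname):
            return False                       # PTR exists but is not under the expected suffix
        try:
            forward_ips = self._forward(hostname)
        except OSError:
            return False
        # The name must resolve back to the very IP that connected; a PTR alone is attacker-controlled.
        return any(_same_address(f, addr) for f in forward_ips)


def _same_address(candidate: str, addr: "ipaddress._BaseAddress") -> bool:
    try:
        return ipaddress.ip_address(candidate) == addr
    except ValueError:
        return False


class FakeDns:
    """Constructed offline resolver for the demo; these records are made up, not real DNS data."""
    PTR = {
        "66.249.66.1": "crawl-66-249-66-1.googlebot.com",   # genuine pattern: PTR and forward record agree
        "203.0.113.7": "crawl-66-249-66-1.googlebot.com",   # spoofed PTR: the name resolves to a different IP
        "198.51.100.9": "crawl.evilgooglebot.com",          # suffix trick: must fail the label-boundary check
    }
    A = {
        "crawl-66-249-66-1.googlebot.com": ["66.249.66.1"],
        "crawl.evilgooglebot.com": ["198.51.100.9"],
    }

    def __init__(self) -> None:
        self.reverse_calls = 0  # lets the demo show the cache working

    def reverse(self, ip: str) -> str:
        self.reverse_calls += 1
        if ip not in self.PTR:
            raise socket.herror(1, "Unknown host")
        return self.PTR[ip]

    def forward(self, hostname: str) -> List[str]:
        if hostname not in self.A:
            raise socket.gaierror(-2, "Name or service not known")
        return self.A[hostname]


if __name__ == "__main__":
    dns = FakeDns()
    verifier = GooglebotVerifier(reverse=dns.reverse, forward=dns.forward)
    for ip in ("66.249.66.1", "203.0.113.7", "198.51.100.9", "192.0.2.1", "66.249.66.1"):
        print(f"{ip:>14}: googlebot={verifier.is_googlebot(ip)}  (reverse lookups so far: {dns.reverse_calls})")
```

    The second lookup is the part a user-agent check cannot replace: anyone who controls the PTR zone for their own address block can point it at a `googlebot.com` name, but they cannot make Google's forward zone answer with their IP. Swap `FakeDns` for the default resolvers (or an async one) in production, and keep the cache keyed by IP so that repeated hits from a verified crawler cost nothing after the first verification.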
  7. Comment on Google now only search engine allowed to provide results from Reddit in ~tech

    acatton

    Exactly, every other popular post on Reddit's front page is basically a repost from 1-2 years ago. Repost bots have become rampant on large subreddits since Reddit admins took over the moderation after the moderator protests.

    Reddit is banking on growing their new users, and getting rid of the old "Aaron Swartz" user base. IMHO their strategy is to become what Facebook used to be ~10 years ago, with the same type of audience (what people used to refer to with disdain as "millennials" and "facebook moms")

    Being part of the original user base, I'm annoyed by it, but you know what? I'm pretty sure they will actually succeed. I believe investors will be happy, and the move will be taught in business schools.

    There is no money to be made from sceptical nerds and broke students. If your website is ad-based, your audience should be impressionable teenagers and bored housewives, preferably the former.

    And don't get me started on how comments went from 80/20 authoritative/fake-news to 50/50.

    23 votes
  8. Comment on Google confirms Play Store mass app deletion based on new quality standards—now just six weeks away in ~tech

    acatton

    Outside of Whatsapp (yes I know, unfortunately, that's the go-to messenger for my family) and Spotify, I install everything from F-Droid. In my opinion, open-source app catalogues (like Linux distributions) are much better filters for quality applications.

    29 votes
  9. Comment on What programming/technical projects have you been working on? in ~comp

    acatton

    I've been working on a pure-Rust no-unsafe embedded on-disk key value store. I know, this sounds like a lot of buzzwords :) . For the user, the features would be the same as LevelDB or LMDB. But underneath, I would like to use B-epsilon trees. All of this written only in Rust, without any unsafe block, only using std. The goal is to offer similar read performance as LMDB, with batch writes as fast as RocksDB.

    I have some future personal use for this project, but to be fair, redb, sled or even the Rust bindings to LMDB would work just fine for these future uses.

    This is a very selfish project where I would like to learn better how data is physically stored for databases and file systems. I would also like to show off what is possible with no-unsafe Rust (and just whatever unsafe is wrapped by the Rust Standard Library)

    I'm leaning on the shoulders of giants, such as KingDB's series of blog posts which explain how to implement a key value store from scratch, and I'm also studying the code of Tkrzw which is under Apache 2.0. I chose this because Tokyo Cabinet (the predecessor of Tkrzw) was revolutionary, and I would like to publish my future project under a non-restrictive license.

    The project might never see the light of day, I hope it will, but my main goal is to learn along the way :)

    13 votes