blitz's recent activity

  1. Comment on TV Tuesdays Free Talk in ~tv

blitz

    How do people feel about Star Trek: Picard so far? I've been enjoying it, it has had some stronger and weaker episodes, particularly the most recent one. My favorite episode so far has been ep. 7, Nepenthe, and it seems the IMDB ratings agree with me.

    3 votes
  2. Comment on Costco will not allow returns on high-demand items like toilet paper, water and more in ~finance

blitz

    Outside of this hoarding pandemic you can return a half used package of toilet paper.

    It's really only the unused half they'll take back though, isn't it. ;)

    2 votes
  3. Comment on A bunch of updates and fixes from open-source contributors in ~tildes.official

blitz

    Very good points! In practice this document is written for government agencies with much more complicated access structures. Maybe it's unnecessary for something like Tildes. Still:

    Viewing the backup codes requires the user to enter a 2FA code (or one of the backup codes themselves), so anyone that's able to do it already has the ability to pass 2FA validation for that user. If they had one backup code, this could allow them to get more of them (up to 9), but just having more backup codes seems like an extremely niche threat, since they could have used it to completely disable 2FA instead.

    Tildes is unique among the sites I use in requiring a 2FA code to modify 2FA. I'm not sure how I feel about this either, since my thinking is that the authenticated device itself counts as a second factor, so requiring only the password to access 2FA settings is reasonable to me, and is actually a benefit in the case that I lose my other factors but am still in possession of an authenticated device.

    Hashing the backup codes in the database seems reasonable anyway, but that would be intended to protect the codes in a case like a database breach. If they're hashed, even if someone gets the user data, they wouldn't be able to see the actual backup codes (just like with passwords). However, the user's TOTP secret itself is also stored there, and isn't—and can't be—hashed, so a database leak already means 2FA could be compromised.

    Hashing the backup codes implicitly foils side channel attacks like non-constant-time compares. It also means that the backup codes can't be leaked in some other partial database compromise.

    2 votes
  4. Comment on Any bike commuters here? in ~life

blitz

    “Road bike” shoes you have to change out of because the cleats stick out and you clip-clop around if you don’t change. “Mountain bike” shoes have the cleat recessed into the shoe, so other than it being slightly stiffer than a normal shoe, I don’t notice any difference running errands in them.

    (I’m not trying to argue with you, I just want other people to have all the information 🙂)

    1 vote
  5. Comment on Mitigating content marketing in ~tildes

blitz

    I’ve also requested one. Thanks!

  6. Comment on A bunch of updates and fixes from open-source contributors in ~tildes.official

blitz

    Added a way for users to view their two-factor authentication backup codes (previously you could only see them at the time you activated 2FA).

    I had no idea Tildes had 2-FA! I'm gonna turn it on right away.

I'm against this specific feature, though. Showing your 2FA backup codes only once is a security feature. If you lose them, you should be required to generate new ones, and Tildes should send you a notification (via message or email, though I see Tildes doesn't actually store your email address).

    NIST Special Publication 800-63B is my bible when it comes to making decisions about passwords, and as for everything it has opinions on, it has very specific things to say about Look-Up Secret Validators:

    5.1.2.2 Look-Up Secret Verifiers

    Verifiers of look-up secrets SHALL prompt the claimant for the next secret from their authenticator or for a specific (e.g., numbered) secret. A given secret from an authenticator SHALL be used successfully only once. If the look-up secret is derived from a grid card, each cell of the grid SHALL be used only once.

Verifiers SHALL store look-up secrets in a form that is resistant to offline attacks. Look-up secrets having at least 112 bits of entropy SHALL be hashed with an approved one-way function as described in Section 5.1.1.2. Look-up secrets with fewer than 112 bits of entropy SHALL be salted and hashed using a suitable one-way key derivation function, also described in Section 5.1.1.2. The salt value SHALL be at least 32 bits in length and arbitrarily chosen so as to minimize salt value collisions among stored hashes. Both the salt value and the resulting hash SHALL be stored for each look-up secret.

    For look-up secrets that have less than 64 bits of entropy, the verifier SHALL implement a rate-limiting mechanism that effectively limits the number of failed authentication attempts that can be made on the subscriber’s account as described in Section 5.2.2.

    The verifier SHALL use approved encryption and an authenticated protected channel when requesting look-up secrets in order to provide resistance to eavesdropping and MitM attacks.

    13 votes
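    Worked example of what the quoted 5.1.2.2 requirements, and the point in comment 3 about non-constant-time compares, look like in code. This is an added illustration, not Tildes' implementation and not code from any commenter. The code length, number of codes, salt size, PBKDF2 iteration count, failure threshold and lockout duration are assumptions chosen for the example; the KDF is PBKDF2-HMAC-SHA256 from the standard library, standing in for whatever an actual deployment would pick from 5.1.1.2.

```python
import hashlib
import hmac
import secrets
import time

# All parameters below are assumptions for this example, not Tildes' settings.
CODE_BYTES = 8            # 64 bits of entropy per code -> 16 hex characters
NUM_CODES = 8
SALT_BYTES = 16           # 128-bit random salt, well above the 32-bit minimum
PBKDF2_ITERATIONS = 20_000
MAX_FAILURES = 5          # codes under 112 bits require a rate limit (5.2.2)
LOCKOUT_SECONDS = 300


def stretch(code: str, salt: bytes) -> bytes:
    """Salted, iterated one-way function in the spirit of SP 800-63B 5.1.1.2."""
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, PBKDF2_ITERATIONS, dklen=32)


def generate_backup_codes(num: int = NUM_CODES):
    """Return (codes to show the user exactly once, records safe to persist)."""
    codes, records = [], []
    for _ in range(num):
        code = secrets.token_hex(CODE_BYTES)
        salt = secrets.token_bytes(SALT_BYTES)
        codes.append(code)
        # Only salt + hash reach the database; the plaintext is never stored,
        # so a database leak does not hand the attacker usable codes.
        records.append({"salt": salt, "hash": stretch(code, salt), "used": False})
    return codes, records


class BackupCodeVerifier:
    """Look-up secret verifier: single use, constant-time compare, rate limited."""

    def __init__(self, records, clock=time.monotonic):
        self.records = records
        self.clock = clock          # injectable for tests
        self.failures = 0
        self.locked_until = 0.0

    def remaining(self) -> int:
        return sum(1 for r in self.records if not r["used"])

    def verify(self, candidate: str) -> bool:
        now = self.clock()
        if now < self.locked_until:
            return False            # locked out: refuse without evaluating
        if self.locked_until and now >= self.locked_until:
            self.failures, self.locked_until = 0, 0.0   # lockout expired
        matched = None
        # Evaluate every unused record and never break out early, so the time
        # taken does not reveal which slot (if any) matched. compare_digest
        # makes each individual comparison constant-time as well.
        for rec in self.records:
            if rec["used"]:
                continue
            if hmac.compare_digest(stretch(candidate, rec["salt"]), rec["hash"]):
                matched = rec
        if matched is None:
            self.failures += 1
            if self.failures >= MAX_FAILURES:
                self.locked_until = now + LOCKOUT_SECONDS
            return False
        matched["used"] = True      # a given secret succeeds exactly once
        self.failures = 0
        return True


if __name__ == "__main__":
    shown_once, stored = generate_backup_codes()
    print("show these to the user once:", shown_once)
    verifier = BackupCodeVerifier(stored)
    print("first use ok?", verifier.verify(shown_once[0]))
    print("second use ok?", verifier.verify(shown_once[0]))
    print("codes remaining:", verifier.remaining())
```

    With storage like this, a "view my backup codes" page cannot exist, because the server no longer has anything to show; the only option is to generate a fresh set and invalidate the old one, which is the behaviour the comment above argues for.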
  7. Comment on A bunch of updates and fixes from open-source contributors in ~tildes.official

blitz

    I think my ability to set up a dev environment and get immediately to fixing the bug is much more a testament to the level of documentation and automation surrounding setting up the dev environment.

    The only change I had to make was to find an Ubuntu box that used libvirt instead of virtualbox (since libvirt is waayyy faster and I don't have virtualbox installed). I ended up using nrclark/xenial64-minimal-libvirt.

    10 votes
  8. Comment on Any bike commuters here? in ~life

  9. Comment on Any bike commuters here? in ~life

blitz

    Have you tried both? I have. I'd say cages are way more of a hassle than clipless pedals.

    1 vote
  10. Comment on Any bike commuters here? in ~life

blitz

Having a good connection between your feet and your pedals really changes the way you bike, I feel. Definitely worth trying out.

    What might feel like a surprising fact is that cages are harder to get out of than clipless pedals, so I feel like clipless pedals are safer. The downside, like others have said, is that you need a special set of shoes.

    2 votes
  11. Comment on Any bike commuters here? in ~life

blitz
    (edited)

I bike to work in Denver, Colorado, USA when it’s not snowy/icy outside. It’s about a 3 mile round trip, so I don’t even need to change when I get to work. Most of the drivers here seem to be very friendly to cyclists; it’s a very active state so there are lots of cyclists on the road too. It takes a little bit of experience to be able to coexist with traffic. There are times when you need to take the full lane (when trying to turn left, for example, or when cars don’t have enough room to pass you safely but might try anyway).

    I always wear a helmet and obey most traffic laws, including waiting at red lights. For stop signs I slow down and check cross traffic and don’t stop if it’s all clear.

    I have a set of flashing front and rear lights that are on 100% of the time when I’m riding in traffic including in the daytime. I’m pretty sure these have saved me from accidents when drivers would otherwise not have seen me. For these to be effective though you need high quality lights that are bright enough to be seen in the daytime. I use these. I also use SPD clipless pedals, I wouldn’t be able to go back to normal biking shoes.

    I also have a bike rack and panniers, so my back doesn’t get sweaty in the summer from wearing a backpack.

    5 votes
  12. Comment on As of Python 3.7, dictionary order is guaranteed to be insertion order in ~comp

blitz

Why do programming languages always need to try to implement their own version of feature x that was copied from language y? Wouldn't it be much better if each language focused on its use case domains and people used languages more like unix tools? Everybody seems to want to reinvent the wheel instead of trying to maintain and improve old implementations.

    I think the biggest reason for this is that programming is still a very new activity. We really don't know how to do things well yet. New ideas are introduced in one language and other languages adopt them if they can see a value. It's way too soon to announce that a language is "done," because we don't really know what they can do yet.

    The zeitgeist also changes. Static typing and formal type systems have been around since the 80's, but only now are they really gaining mindshare with most developers.

I see Python as a glue language, maybe a shell on steroids, to be used when writing a shell script would end up with lots of lines but we still don't want to write C or stuff like that. Also as a good language for prototyping stuff.

    That's fine, and many people use it this way, but languages are general things that have more than the one use case. Many people implement complex software in Python because it's at an abstraction level they're comfortable with. It's not "wrong" to use Python for complex software if it meets your requirements.

    2 votes
  13. Comment on Boeing's Starliner could have failed catastrophically during a December mission if a software error hadn't been found and fixed while the vehicle was in orbit in ~space

blitz
    (edited)

    The "fire" that we see around space vehicles re-entering the atmosphere is actually an ionized plasma. Plasma is highly conductive. This effectively forms a Faraday cage around the spacecraft. It's impossible for electromagnetic signals to get into a Faraday cage, so it's impossible to communicate with a spacecraft during re-entry.

    Because of this, I expect that no, it's not possible to update a spacecraft during re-entry.

    In terms of generalized software updates, the actual mechanism varies by spacecraft, but it seems like your question is mostly about the logistics of getting data from the ground to the spacecraft. There are many networks used for communicating from the ground to spacecraft in low earth orbit, higher orbits, and in deep space:

    https://en.wikipedia.org/wiki/NASA_Deep_Space_Network
    https://en.wikipedia.org/wiki/Tracking_and_data_relay_satellite
    https://en.wikipedia.org/wiki/Near_Earth_Network

    For the Curiosity Rover on Mars, for example, the method of getting data to and from the rover can depend on the position of the earth in the sky relative to the rover. They frequently send data to the Mars Reconnaissance Orbiter first, and then that satellite can relay the data to the rover. Otherwise, if earth is visible in the sky from the rover's position, they can use the Deep Space Network to send data directly to it, at (I believe) much higher throughputs.

    6 votes
  14. Comment on Boeing's Starliner could have failed catastrophically during a December mission if a software error hadn't been found and fixed while the vehicle was in orbit in ~space

blitz

    The safety panel also recommended that NASA conduct "an even broader" assessment of Boeing's Systems Engineering and Integration processes. Only after these assessments, Hill said, should NASA determine whether the Starliner spacecraft will conduct a second, uncrewed flight test into orbit before astronauts fly on board. (Boeing recently set aside $410 million to pay for that contingency).

    Finally, before the meeting ended, the chair of the safety panel, Patricia Sanders, noted yet another ongoing evaluation of Boeing. "Given the potential for systemic issues at Boeing, I would also note that NASA has decided to proceed with an organizational safety assessment with Boeing as they previously conducted with SpaceX," she said.

    Well, if there was any doubt about who would get crew to the ISS first, I guess this pretty much settles it.

    1 vote
  15. Comment on As of Python 3.7, dictionary order is guaranteed to be insertion order in ~comp

blitz

    Yep, I've been going to PyCon for the past 5 years and I've noticed a shift in the kinds of people who attend. I've even mostly stopped going to talks, I just try to find insightful people like Hynek and pick their brains in the hallway. I hope I'm not annoying them! D:

    3 votes
  16. Comment on As of Python 3.7, dictionary order is guaranteed to be insertion order in ~comp

blitz

    I used to work at the company where Python was invented. If I've learned anything from talking to the greybeards who worked there at the time (they're still a fairly close-knit group!), it's that the history behind Python is fairly complex. Maybe simplicity was one of the goals, but it certainly wasn't the only one; I would be careful ascribing motives like that to the language.

Aside: Python was used as the first client-side executed server script through a browser called Grail (as in holy) (as in Monty Python's). We almost had Python in the browser instead of JavaScript! What a different world we developers would be in. Unfortunately, due to circumstance and internal disagreements at CNRI, it was not to be.

    13 votes
  17. Comment on As of Python 3.7, dictionary order is guaranteed to be insertion order in ~comp

blitz
    (edited)

    There’s a faction in the python community that fights any change to Python that would make it “harder for newbies to learn”. This faction was a large opponent of the walrus operator because they felt that Python was moving away from being a newbie-friendly language.

I kind of understand where they’re coming from, but as a person whose income comes primarily from writing Python, I feel like my interests are diametrically opposed to theirs. I think that if Python is supposed to be used professionally, it can’t make concessions for newbies, and if Python targets newbies then it won’t have the things I need for professional use. Thankfully it seems that Python is gaining features that are geared more towards professionals (static types, walrus op, etc.).

    I definitely feel like ordered dicts by default is a win for the newbie camp, and I agree with you the people who rely on this will likely encounter other problems down the line.

    3 votes
  18. Comment on Wind Turbine Blades Can’t Be Recycled, So They’re Piling Up in Landfills - Companies are searching for ways to deal with the tens of thousands of blades that have reached the end of their lives. in ~enviro

blitz

    Ok, but then the headline should be "Discarding old windmill blades is easy and safe, and it's likely they can be recycled" (or something, I'm not a journalist). Leading with one headline and then contradicting it in the article is a practice I'm growing increasingly frustrated by.

    3 votes
  19. Comment on Wind Turbine Blades Can’t Be Recycled, So They’re Piling Up in Landfills - Companies are searching for ways to deal with the tens of thousands of blades that have reached the end of their lives. in ~enviro

blitz

    Ultimately it doesn’t seem like a problem. We’re burying material that doesn’t decompose or leak, and we’ve got loads of space for these things.

    “Wind turbine blades at the end of their operational life are landfill-safe, unlike the waste from some other energy sources, and represent a small fraction of overall U.S. municipal solid waste,” according to an emailed statement from the group. It pointed to an Electric Power Research Institute study that estimates all blade waste through 2050 would equal roughly .015% of all the municipal solid waste going to landfills in 2015 alone.

So, the waste generated by throwing away old blades for over 50 years is one-thousandth of the landfill waste of the country in one year. It hardly seems worth writing an article about. Perhaps there is lower hanging fruit?

    8 votes
  20. Comment on Any thoughts on Cloudflare's new(ish) VPN/DoH service? in ~tech

blitz

    Good point. I'll submit a PR for fixing this in a minute.

    6 votes