zkxs's recent activity
-
Comment on Inside the "three billion people" National Public Data breach in ~tech
-
Comment on Inside the "three billion people" National Public Data breach in ~tech
zkxs
If anyone is trying to get their hands on the files and wants to know if they have the right stuff here are the sha256 checksums:
5d4ab848129e55042c5b6bd3f74a115b26472a184b0f4d0d4b0728e00e1d08ec *NPD202401.7z
f6bd4edf8fc484d8d6697f13924c7c0108e453b2dbbc6981c767050ece561237 *NPD202402.7z
I calculated these from the files I downloaded from the magnet link, and someone else who downloaded them from the original source (not the magnet link) also claims those hashes are correct.
I haven't had time to do a whole lot of data crunching yet as I'm having a wee bit of trouble working with 276 GB of data, but I count 272,541,507 distinct SSNs in 2,695,681,513 rows. That's 10% of rows with a unique SSN.
Curiously, that's quite different from Troy Hunt's estimate of 899M distinct SSNs.
-
Comment on Inside the "three billion people" National Public Data breach in ~tech
zkxs
It's not unreasonable to think, especially because 7z also had some security issue 2 years back: https://nvd.nist.gov/vuln/detail/cve-2022-29072
I decompressed the 7z archives using a pure-rust lzma implementation just to see if it would do anything unusual and for what it's worth it didn't. I don't think it's a 7z 0-day.
-
Comment on Reddit communities are switching to NSFW to create some friction and rob Reddit of ad revenue in ~tech
zkxs
Apparently the /r/mildlyinteresting moderators were removed by mistake, as absurd as that sounds, according to this comment on /r/ModSupport which appears to be from a member of the mod council. I guess the Reddit admins are having a tough time telling /r/mildlyinteresting and /r/interestingasfuck apart...
-
Comment on Beehaw.org: defederating effective immediately from lemmy.world and sh.itjust.works in ~tech
zkxs
Out of curiosity, why not use an account on an instance that federates with both beehaw and lemmy.world?
-
Comment on Beehaw.org: defederating effective immediately from lemmy.world and sh.itjust.works in ~tech
zkxs
> And the answer can't be to just register multiple accounts like people suggest in the comments there.
That's actually pretty confusing to me, as you don't need multiple accounts. I have a single Lemmy account on lemmy.sdf.org which presently has completely open federation. Meaning that I can access, post, and comment on content from BeeHaw, lemmy.world, sh.itjust.works, anywhere. And the fact that the comments on Lemmy are so overrun with the sentiment of "I now need a BeeHaw and a lemmy.world account" is wild, as it shows that all of those vocal commenters have a big gap in their understanding of how federation works.
-
Comment on Beehaw.org: defederating effective immediately from lemmy.world and sh.itjust.works in ~tech
zkxs
I'm seeing a lot of posts along the lines of "tankies bad, lemmy devs are tankies, therefore lemmy bad" which strikes me as an incredibly fallacious argument. Maybe there's some critical context I'm missing somewhere, but the more I see that same argument, again and again without context, the more I suspect that the context doesn't exist.
I'm not a huge fan of using an anonymous mastodon user as my only source, especially one who for some reason says "I have receipts, DM me if you want to see them for yourself" instead of you know, citing their sources. So I've done some looking around to see if there's anything with a bit more detail.
The very same Lemmy instance this post is about, beehaw, has a well thought-out post regarding the politics of the two Lemmy developers, "On Politics and Forking", which seems pretty relevant here.
One of the two Lemmy developers wrote a "Statement on Politics of Lemmy.ml", where they straight up say they're communists. But they also present a very reasonable narrative that they keep their politics out of Lemmy decisions and call out the Lemmy Code of Conduct, which certainly appears to be a safe, apolitical document to me.
My personal take here is that if the Lemmy devs can, in fact, keep their politics and Lemmy development separate then why not use the project? I wouldn't donate to the Lemmy devs, especially not if it would fund the hosting of Lemmy instances that are a safe haven for extremist communist rhetoric, but it seems to me that simply using the code doesn't promote political extremism.
Finally, this is a bit of an aside, but this situation also reminds me of a post by an Invidious contributor, TheFrenchGhosty: "I'm Not Invidious". For context, Invidious is an open source alternative frontend for YouTube, which unsurprisingly Google is not very happy about. TheFrenchGhosty's argument is that as an open-source project with numerous contributors, no one person "owns" Invidious. Obviously TheFrenchGhosty has a vested interest in not being considered an owner of Invidious due to the cease-and-desist Google sent them. But regardless of TheFrenchGhosty's bias, I think it's a pretty valid approach to think of FOSS code as being ownerless.
-
Comment on Are "Ask" posts stifling the visibility of link posts on Tildes? in ~tildes
zkxs
> Have other users noticed this? How do you feel about this shift?
Definitely. I'm completely unsurprised though, as this is Activity sort working as designed. Ask posts are naturally going to have a lot of discussion and be continually bumped up. As Activity is the default sort, it's naturally going to funnel folks who don't play with the alternative sorts into those Ask discussions, creating a feedback loop.
I think this is fine, as it's still easy to discover other types of post by using any other sorting algorithm, ignoring ask posts you aren't interested in, or even completely filtering out the `ask` tag entirely.
> Is there any merit to having a group dedicated to ask posts? Sort of like /r/AskReddit, but for Tildes? (That way, the posts can be easily filtered if a user wants to only see link posts.)
I don't think so, as it doesn't make sense to group posts by "ask" instead of their larger category. I'd expect a tech-related ask post to be in ~tech. And again, users can filter out the `ask` tag entirely if they want.
> Should the visibility of link posts and ask posts on the front page be artificially balanced in some way?
That's not a bad thought. A new sorting algorithm with slightly more elaborate logic than Activity, or even a slightly tweaked Activity could do a lot to reduce the disproportionately high position Ask posts are getting. For example, if Activity sort excluded non-root comments in its "bump" logic specifically for Ask posts.
There's a lot more detail in how the sorts work in the Tildes Front Page documentation.
-
Google Authenticator now supports Google Account synchronization
After 11 years of life, Google Authenticator has added cloud backups for OTP keys in version 6.0.
Google Security Blog: Google Authenticator now supports Google Account synchronization
This is surprising news to me, because historically Authenticator had no way to backup keys by design. Here's a 2017 quote from a Google engineer who maintains Authenticator:
> There is by design NO account backups in any of the apps. [source]
This design choice always made sense to me, as the point of 2FA is that you've got (1) something you know, and (2) something you have. The second factor should be tied to a physical device. If you lose the physical device, the second factor should be gone, and you'll need to use one of those 10-ish backup codes that we all definitely keep somewhere safe. I'm quite befuddled that Google is reversing this design choice and walking back their previously strong, security-centric design for the sake of user convenience in the case of a lost phone. I used to advise my friends and family to choose Google Authenticator over Authy for this specific reason.
If you want further reading, here's a PCWorld article with an altogether different tone than Google's announcement: Google Authenticator’s long-awaited cloud 2FA feature carries hidden risk
-
Comment on What programming/technical projects have you been working on? in ~comp
zkxs
If you like the simplicity of immediate-mode, egui and imgui are quite popular.
I've been maintaining a small GUI application in Rust for a while now. I personally didn't like the idea of immediate-mode, so I went with iced. It's been mostly good, but it's very much a pre-release product and they periodically make breaking API changes, which can be a headache. Can't complain about the performance or how easy it's been to build artifacts for any target OS.
Finally, if you don't mind web dependency, I've got some friends who say good things about tauri.
Those are the four frameworks I've personally heard the most about. Hopefully that provides a slightly less alarming start to your search than the giant list at areweguiyet.com.
-
Comment on Introductions | June 2023, part 2 in ~talk
zkxs
Haha I think you might be the first person to ever ask me that in the 12-ish years I've been using "zkxs". It's time to reveal my dark secret: "zkxs" is what you get if you type "xkcd" with your left hand shifted one key to the left. Corny, no?
Happy to see another console command enjoyer. I find myself using the terminal more and more these days as I try my hardest to pretend my work Macbook doesn't have a GUI.
-
Comment on What's your go-to mono font? in ~tech
zkxs
I too enjoy DejaVu Sans Mono. I've noticed MacOS uses Menlo as a default monospace font, which is nearly the same as DejaVu Sans Mono (they're both derived from Bitstream Vera). I actually prefer DejaVu Sans Mono though, as I think the hyphens (`-`) are more clearly separated when you've got more than one in a row. Also, DejaVu fonts have such a permissive license that I can use them wherever I want to, so that's a huge bonus.
A lot of folks seem to enjoy JetBrains Mono, but I find the fancy ligatures alarming. I don't want my `!=` sequence merging into some sort of spooky `≠` creature.
-
Comment on What are some of your most frequently visited websites? in ~tech
zkxs
Oh boy, it's not often I get to sort my Firefox history by visit count. How exciting!
Arbitrarily ordered:
- Twitch
- GitHub
- Gmail
- YouTube
- Google Calendar
- Google Keep (for my terribly unorganized sticky notes)
- Google Drive (mostly for my crippling spreadsheet addiction)
- Google Messages (why would I ever use SMS from my phone when I have a full sized keyboard right on my desk?)
- Wolfram|Alpha (typically for mathy things beyond what Google's good for)
- My dang Nest thermostat's crappy cloud-based web UI
- My pfsense router's significantly better web UI (so I can keep an eye on my packet-loss-o-meter and see if my ISP is failing me or not)
- A certain NSFW website I'll omit for your (dis)pleasure, as I haven't quite figured out how Tildes people feel about NSFW yet.
- monthly.moe (for keeping track of whatever seasonal anime seems interesting)
- isthereanydeal.com (for tracking game sales much better than Steam wishlists ever did)
-
Comment on Introductions | June 2023, part 2 in ~talk
zkxs
Hi I'm zkxs. Silly unpronounceable username I know, but it's short and was quite stylish (or so I thought) back when I was active in IRC. Guess it stuck...
I'm yet another Reddit refugee. Been on Reddit since 2012, where I mostly lurked and sometimes wrote walls of text. Blame @OBLIVIATER's very nice post in /r/videos for clueing me into the existence of Tildes. I've been watching Twitter, Twitch, and now Reddit implode these past weeks with gradually growing discontent. After taking a look around Tildes it looks wonderful. I've been dreaming of a Reddit-style comment-tree based website with an actual measurable signal-to-noise ratio, and here I find that it actually exists. So here I am finally feeling optimistic again! It's wild to see familiar usernames. I'd mention talklittle to thank them for RiF, but I fear they may be grieving and I don't want to contribute negative thoughts.
Enough about my social media woes. I'm a software developer working remotely for some giant faceless corporation. Bunch of backend Java stuff. If work doesn't drain my batteries sometimes I'll do some recreational programming. Nothing so interesting it's worth mentioning, though. I enjoy markdown entirely too much, and was pleased as punch to see that Tildes uses it for formatting. Beware: it has taken actual mental effort for me to not subject you to technical writing in this comment, but I figure introductions are bit too soon to be firing bulleted lists into the crowd.
Usually I just do video games in my free time. Outer Wilds is a masterpiece. Myst, Riven, etc., are all quite good. VR is pretty neat. I used to play Neos VR entirely too much, but now I play VRChat entirely too much instead. It turns out that living alone during Covid lockdown had me pretty lonely, a fact I was blissfully unaware of until VRChat did funny things to my monkey brain. Who would have guessed that social animals like to socialize?
Sometimes I'll read a book, but not nearly as much as I used to (the internet has ruined me and turned my brain to mush, you see). Most recently I've read Dirk Gently's Holistic Detective Agency, loved it, and immediately afterwards learned that Douglas Adams died entirely too soon for my tastes, inconsiderately leaving me without much more of his work to enjoy.
Anyways, hello fellow internet people. You lot seem like a cool bunch.
The US population is ~333M and with 273M distinct SSNs in the dataset (some unknown number of which are for deceased individuals) there's decent odds that any given person isn't in there. There's also definitely some garbage data in the dataset, so there's some unknown percentage of those SSNs that are just wrong. But yeah, this breach is quite large.
In a twisted way I was actually hoping this breach would be larger, because we really need something to get companies to stop using SSN as an ID number when it was never built to be secure. CGP Grey has a video on this topic that, while 7 years old, is still accurate: https://www.youtube.com/watch?v=Erp8IAUouus