Fantastic analysis of the Beirut explosion from a biomedical engineer who specialized in blast physics and chemistry.
TL;DR, the explosion was definitely not caused by a weapon, just careless storage of low explosive materials.
Did you know most file managers on Linux support a ".hidden" file in your home directory?
It works pretty much as gitignore does: it hides everything that you list in this file, one file/dir per line.
@shadowfacts If you're storing gigabytes of data? Sure, I guess it's more work. But users can change passwords as often as they want, right? If you're storing enough data that this is actually an issue, then pw change would be a great DoS vector, like another poster pointed out.
@shadowfacts Rotation isn't the issue so much. Users change passwords too. So you'll need the new and old values to do the rotation and do a decrypt/encrypt cycle. The trouble with login tokens is you're probably not going to get the old one and the new one at the same time when the user has multiple devices.
@shadowfacts Actually, don't derive the key from the login token. That will make multi-device access impossible.
You just might not have a good story for convenient logins here.
@shadowfacts Ah, ok... that makes more sense. A second salt on the pw will give you a different hash. I guess that works.
The downside I suppose is you'll have to use pw auth to start every new session, i.e., no "remember me" option. Unless you use a login token system (which is basically an autogen pw) and derive the key from the autogen pw.
Also, bcrypt is probably fine... but you can upgrade to Argon2 if you want to add memory-hardness to your hash.
@shadowfacts Oh wait... you mean a second hash of the pw? i.e., not the pw hash you're already using for auth?
@shadowfacts Am I missing something here?
I'm assuming your threat model includes an attacker imaging the server storage. Which means they'd get the encrypted data. They'd also get the password hash. Which means they'd also get the decryption key too, right?
So an attacker wouldn't get the password, but they could still access the encrypted storage using the hash.
I'm not sure the salt adds any extra security here, since the pw is a ~32-byte hash.
PS, you're using Argon2, right?
There is now a Mastodon instance for publishing scientists: FediScience.
Everyone is welcome from PhD student to professor, as well as researchers from outside of academia. You are welcome to stay afterwards, but it is also easy to change to another server.
There will be a lot of science talk on this server, but there is no need to only talk science.
Boosts are appreciated to let others know about this new instance.
if you make a joke on Mastodon, no matter WHAT the content is, after 50+ boosts people will appear in the replies that take it completely at literal face value.
you could post "a man walks into a bar, says ouch!" and if it receives 50+ boosts, then you will begin seeing replies like "THIS IS WHAT HAPPENS WHEN STEEL BAR PLACEMENT IS DEREGULATED BY PROFIT DRIVEN CROOKS!"
this theory is commonly known as Eugen's Gambit. and i love it.
Twitter shares details on the hack.
Looks like hackers wrangled login credentials out of Twitter employees somehow and used internal admin tools to control high-profile accounts:
Holy crap! This is huge!
Massive Twitter hack totally breaches trust between the platform and its wealthiest most powerful users:
@shadowfacts ouch... so cringey!
GitHub's mysterious secret user repos:
Want your own profile to look like that? Just create a repository that matches your GitHub username and create a README there.
Entrepreneur, Developer, Scientist
This Mastodon instance is for people interested in technology. Discussions aren't limited to technology, because tech folks shouldn't be limited to technology either!