Fantastic analysis of the Beirut explosion from a biomedical engineer who specialized in blast physics and chemistry.

wired.com/story/tragic-physics

TL;DR, the explosion was definitely not caused by a weapon, just careless storage of low explosive materials.

Did you know most file managers on Linux support a ".hidden" file in your home directory?

It works pretty much as gitignore does: it hides everything that you list in this file, one file/dir per line.

fosspost.org/tutorials/hide-fi

@shadowfacts If you're storing gigabytes of data? Sure, I guess it's more work. But users can change passwords as often as they want, right?. If you're storing enough data that this is actually an issue, then pw change would be a great DOS vector, like another poster pointed out.

@shadowfacts Rotation isn't the issue so much. Users change passwords too. So you'll need the new and old values to do the rotation and do a decrypt/encrypt cycle. The trouble with login tokens is you're probably not going to get the old one and the new one at the same time when the user has multiple devices.

@shadowfacts Actually, don't derive the key from the login token. That will make multi-device access impossible.

You just might not have a good story for convenient logins here.

@shadowfacts Ah, ok... that makes more sense. A second salt on the pw will give you a different hash. I guess that works.

The downside I suppose is you'll have to use pw auth to start every new session. ie, no "remember me" option. Unless you use a login token system (which is basically an autogen pw) and derive the key from the autogen pw.

Also, bcrypt is probably fine.... but you can upgrade to Argon2 if you want to add memory-hardness to your hash.

@shadowfacts Oh wait... you mean a second hash of the pw? ie, not the pw hash you're already using for auth?

@shadowfacts Am I missing something here?

I'm assuming your threat model includes an attacker imaging the server storage. Which means they'd get the encrypted data. They'd also get the password hash. Which means they'd also get the decryption key too, right?

So an attacker wouldn't get the password, but they could still access the encrypted storage using the hash.

I'm not sure the salt adds any extra security here, since the pw is ~32 byte hash.

Ps, you're using Argon2, right?

@ashfurrow "If you can think of it, there's a fediverse server for it"

There is now a Mastodon instance for publishing scientists: FediScience.

Everyone is welcome from PhD student to professor, as well as researchers from outside of academia. You are welcome to stay afterwards, but it is also easy to change to another server.

There will be a lot of science talk on this server, but there is no need to only talk science

fediscience.org/invite/j6X8z7q

Boosts are appreciated to let others know about this new instance.

Show thread

I just typed a super long regular expression, ran it against a file, and it matched perfectly the first time!

Damn, now I feel like a rockstar!

if you make a joke on Mastodon, no matter WHAT the content is, after 50+ boosts people will appear in the replies that take it completely at literal face value.

you could post "a man walks into a bar, says ouch!" and if it receives 50+ boosts, then you will begin seeing replies like "THIS IS WHAT HAPPENS WHEN STEEL BAR PLACEMENT IS DEREGULATED BY PROFIT DRIVEN CROOKS!"

this theory is commonly known as Eugen's Gambit. and i love it.

Twitter shares details on the hack.

Looks like hackers wrangled login credentials out of Twitter employees somehow and used internal admin tools to control high-profile accounts:

twitter.com/TwitterSupport/sta

Holy crap! This is huge!

Massive Twitter hack totally breaches trust between the platform and its wealthiest most powerful users:

techcrunch.com/2020/07/15/twit

breaking into the Svalbard seed vault to make a true everything bagel

GitHub's mysterious secret user repos:

github.com/muesli

Want your own profile to look like that? Just create a repository that matches your GitHub username and create a README there.

java feels like if the sunk cost fallacy was a programming language

Show more
Mastodon for Tech Folks

This Mastodon instance is for people interested in technology. Discussions aren't limited to technology, because tech folks shouldn't be limited to technology either!