HackerTrans
TopNewTrendsCommentsPastAskShowJobs

jprjr_

no profile record

comments

jprjr_
·há 18 dias·discuss
Nothing else, I think what the're more concerned with is how open an architecture is.

I think with RISC-V if you wanted to design your own chips and stuff you can just do it, whereas ARM doesn't let you do that.

I'm not about to build my own chips so it doesn't matter all that much to me but I understand where the person is coming from. They'd rather write assembly for the more open architecture.
jprjr_
·há 18 dias·discuss
You could argue well, if you have to open the file to read it anyway may as well look for magic numbers.

That doesn't work well with text documents which won't have any kind of magic number. So now you're doing some heuristics to determine is this text/plain, text/html, text/svg? You're pretty much just guessing at that point.

A good number of file formats out there are just Zip files with a particular structure. JAR files, docx - so relying on magic numbers doesn't really work for those, either.

Also to service a HEAD request you'd have to open the file and read a few bytes that you just discard.

If you just do it by extensions you don't need to read files at all or perform heuristics, and no ambiguity for what mimetypes to use for text documents, zip-based formats, etc.
jprjr_
·há 29 dias·discuss
Honestly requiring DMARC was overall a good thing.

I was an email admin for a university. In the past - each college ran their own email. Before DKIM, before SPF, you'd just have basically random servers on the internet sending email as (school).edu. Tons of random subdomains too. math.(school).edu and so on.

Email was eventually centralized but you'd have parts of the university still running their own things. Insisting they're special and can't be brought into the fold.

So, we had a lot of stuff out there just not passing authentication. A lot of spammers could just impersonate our domain.

We'd go to leadership and say "hey we should really get our act together" - but everything was working. Our emails were still getting out. Hard to justify spending the time, getting various higher-ups within departments to give up their things, and so on.

Unless you can get like, the president to back your initiative- universities are very decentralized and it becomes an issue of "do we have the political capital to spend here." The overall relationship between central IT and the various college-based IT departments was terrible, often bordering on combative.

Google and Yahoo made it so we could go to leadership and say "people will not get our emails if we don't get this straightened out" and it became a priority. When I left our DMARC reports were showing something like a 99% pass rate when it was previously like, 50.

So, I'm glad Google and Yahoo made that call, it gave us the kick in the pants we needed to get our own shit together. I am 100% certain we were not the only org like this.

Plus for a small host - where you're just running a single mail server or something - you just need a few things to pass DMARC.

A DMARC record, and an SPF record, and for your emails to pass SPF. You technically don't need to do DKIM signing (though I'd still recommend it because that survives automated forwarding).
jprjr_
·há 29 dias·discuss
Just a few years ago, Atlassian required you to add an unnecessary include: record to your SPF record, and wouldn't use your domain for emails until they scanned your SPF record for that include. https://jira.atlassian.com/browse/AX-1477

You'd think companies generating as much email as Atlassian would know what they're doing.
jprjr_
·há 29 dias·discuss
Lookalike domains are a problem but in my opinion the bigger problem is when attackers figure out how to hijack a real domain.

For example, making a company named "there's a problem with your account call this number" on a site like PayPal and getting it to generate emails. They'll be from actual paypal.com and pass all authentication.

The other issue I'll often see is subdomain takeovers. Company makes a subdomain a CNAME to some other, external domain. Usually with the intention of hosting a webpage externally or whatever.

That other domain expires, but the CNAME doesn't. Somebody buys up the external domain, now they can publish SPF records and pass DMARC relaxed alignment on the organizational domain.

Now you can send all the emails you want with literally anything you'd like and the providers will say "yep, this passed DMARC."
jprjr_
·há 29 dias·discuss
That was how I felt. "The Future of Email", from Fastmail - I immediately assumed some big announcement.

It's basically "you need to pass DMARC now" which has been true for 2 years.

It also goes into how authentication helps stop spoofed domains which yes, is true. But in my opinion the biggest problem isn't spoofed domains at all.

Attackers will figure out how to make your payment platform (PayPal, Stripe, etc) send out emails. They'll figure out what pieces of info make it into the generated emails, so they'll do things like set their company name to "there's a problem call this phone number." So next thing you know you're getting an email from PayPal that sounds urgent because they'll put that company name in the subject or body of the email.

These emails will be legit, from-the-actual-company, passes-all-authentication emails. DMARC can't catch that, and that's what I've been observing attackers do. They'll find a ticketing system or payment processor and get them to generate "authentic" emails.

I was sincerely hoping that Fastmail had something to deal with that problem.
jprjr_
·há 29 dias·discuss
> They're widely understood

I'll tell you right now, I've had multiple cases where I've had to quote parts of the RFCs to large companies because they were handling email authentication incorrectly.

They are wildly misunderstood. The moment I see "add this include: directive to your SPF record" in some marketing platform's integration documentation I know they're going to fuck something up.

To add-on, the really pro move is to not touch the client's SPF record at all. Use your own domain in the SMTP envelope and have SPF be valid for that. Just have the client establish DKIM records and use DKIM, and only DKIM, to pass DMARC.

If you insist on using the client domain in the envelope, make it a subdomain with MX records back to your infrastructure (so you can track bounces). That will pass relaxed alignment - or just use a subdomain in the from and now you're passing strict alignment as well.

Most companies have no idea how the envelope domain impacts bounces and frankly, doesn't care about tracking them.

A shockingly high number of companies have no idea of the concept of the envelope address.
jprjr_
·há 2 meses·discuss
Restricted access, yes but I'd argue intelligence, tech-savvy, and common sense aren't really the same thing.

There's two big issues I saw on a large University network (talking something like 60k users).

Issue one was account compromises. I cannot tell you how many times faculty, staff, and students would get emails that were clearly phishing and fall for it. Things like, filling out a Google Form with their username and password, despite literally every Google Form saying "never ever put your password in these things."

So then you pair this with universities offering web hosting for students and stuff, and now you've got a bunch of porn being served from your school's web servers because you've got students with no idea how email and phishing work being given university email addresses.

Issue two is their decentralized nature. You'll have some person you've never heard of pop up and say "I run a lab, can I get ailab.(university).edu to point to (university)ailab.com?"

You can try to throw up some road blocks and hassle the user about "why did you do all this and not come to IT sooner, we can host a website for your lab, we have branding guidelines you need to meet to use our domain." Then feathers start getting ruffled, jimmies get rustled, people start flexing about the grant money they pull in, deans get involved, and next thing you know, you're making a CNAME to an off-site domain that you'll never get real control over.

Then that professor or whoever leaves, that pet project of theirs goes away, that off-site domain expires, scammers buy it up and now you've got porn from off-site webservers but using your own domain.

People can be intelligent enough to push our knowledge boundaries into new frontiers, but not have enough common sense or tech-savvy to reach out to IT before setting up a website for their lab.

I have better hopes of social media sites keeping porn out because you can't have dick-measuring contests about the millions of dollars of research grants you're pulling in and get exemptions to policies. They just take the porn off and tell you no, you can't do that.
jprjr_
·há 3 meses·discuss
Regarding SFUs - with something like HLS, I can really easily scale up using something like a caching CDN (not entirely sure if that's the right term). But the idea goes: I can distribute the HLS media playlist, and have my media segment entries prefixed with a caching/CDN service. The service will be configured with the actual origin server, and when a segment isn't in the CDN, the CDN fetches from the origin, on-demand. That was a nice option when I was doing owncast streaming since I really only paid based on viewership, and just had to make sure I had the correct cache-related headers on my media segments.

Or alternatively - I can push media segments up to a CDN and distribute that way, using an s3-compatible service, or just rsyncing to a server with better bandwidth, etc. One thing I didn't care for - again back when I was broadcasting with Owncast - was that I needed to make sure old media segments were expired, otherwise I would rack up an insane bill. I had a 24/7 owncast stream and if you're not on top of expiring media segments with your CDN, it gets expensive fast.

The overall idea is - serving HLS is ultimately serving files and there's a good amount of tooling for that, right.

Now that you mention it, I think WHIP/WHEP can solve some of that. I just don't know of any service where I can have that same cache/CDN-like experience, of either having the CDN connect to the origin as needed and fan-out, or where I can push up and let the service distribute. (though - now I'm googling for "webrtc sfu as a service" and see that is a thing!).

Didn't know about the playout delay extension.

Whether capturing individual audio is easier with RtpTransport or insertable streams - I'm unsure. Possibly? I just figure since MoQ is going to rely on things like WebCodec/WebAudio there's hopefully a bit more control over what happens with audio as it comes in.

I'll admit though - I've started noticing how often podcasts are clearly recorded using something that doesn't allow per-participant recordings and, I'm guessing as long as the quality is good enough most aren't worrying about it.

EDIT: feel like I should mention Pion rules, I used it a few years ago to put together an SRT-to-WebRTC thing and RTMP-to-WebRTC thing to use with Janus Gateway, it was so easy.
jprjr_
·há 3 meses·discuss
There's a few cases where WebRTC falls apart that I think MoQ could help with.

It doesn't work so well for having a low-latency broadcast. Your choices right now are - use WebRTC and deploy selective forwarding units, which are going to be something custom, and likely involve spinning up a bunch of geographically-distributed virtual machines, figuring out signalling and whatnot. Or - use HLS so you can use more standard HTTP CDN tech, but you gain orders of magnitude of latency.

MoQ should allow for a standardized CDN stack, meaning we should be able to have a more abstract service (instead of spinning up VMs, you just employ some company's CDN service and tell it where to get media from).

There's a lot of other little issues with WebRTC for certain, specific applications. Like - last I tried it, browsers will subtly speed up audio/video to keep everything in sync, and you can have scenarios where you'd rather just let the viewer fall behind a bit and skip ahead later (say you're listening to music, speeding it up isn't ideal).

Or - say you want to have a group call and capture each participant's audio individually and edit it together later for something like a podcast. It's been a while since I've tried this, but I recall it being pretty difficult to do that with WebRTC. I remember all the mixing would happen in the browser's libwebrtc and I had really limited control over things.
jprjr_
·há 3 meses·discuss
Universities are so tricky. If you put up too many roadblocks you wind up with official shit on completely external resources. Which makes it hard to figure out what's legitimate and what's a scam.

But make it too easy, you wind up with CNAMEs to external domains, that expire, get bought and now you have scams running on your .edu.

You just don't have the same ability to do top-down management and requirements that you do with the private sector. Individual researchers will get grants and really drive how things need to get done because they're the ones bringing money in.
jprjr_
·há 3 meses·discuss
The answer is yes, to all of it.

Email providers have better spam filtering, some have strict rules about attaching any kind of executable code to an email (as in - you just can't).

Email clients are always getting updated, stricter about validating content before showing it, etc.
jprjr_
·há 3 meses·discuss
To be fair that seems to be the path email is going down. Most businesses don't want run their own email and just use one of two big providers.
jprjr_
·há 3 meses·discuss
It's not really tables all the way down - Lua has datatypes like nil, boolean, number, string, table, userdata + lightuserdata, functions, coroutines. I think that's the entire list, actually.

So a table is a hashtable. Just about anything can be a key to the hash - a number, a string, a boolean, another table, a userdata. I can't recall if functions and coroutines can be keys but I suspect they could. I definitely know that nil can't be an index.

In Lua - all iterators are implemented as a function + state + current key. When you write "for x in (whatever)", that (whatever) is really a function call like func(state,key). Lua calls it repeatedly to traverse the loop.

Lua will take the first returned value and use it as the new key in the next call to func(). Once the function returns nil as the first value (or just returns no values) - the loop stops.

There are two functions - pairs and ipairs - that really just return the built-in next function with a starting key. pairs returns (lua's next(), the table, nil), and ipairs returns (next(), the table, 0).

(there's a bit more to it than that and some under-the-hood changes between Lua versions but we'll just go with that explanation).

Lua repeatedly calls that next() function with the table and previous key.

Say you had an array like table like { [1] = some_value, [2] = another_value }.

When you write something like "for i,v in ipairs(a_table)" that roughly expands to:

  * pairs() returns next(), the table, 0. 
  * Lua calls next(table, 0) and next returns (1, some_value)
  * Lua calls next(table, 1) and next returns (2, another_value)
  * Lua calls next(table, 2) and next returns nil.
So - when is a table an array?

When you can iterate through it with sequential, integer keys.

Note - you don't necessarily need to use ipairs to iterate. Lua also has a numerical "for" loop so you could do that. Or - if you want to start your arrays at 0 instead of one you can write your own ipairs() like function in just a few lines of code. Observe:

  local zpair_it = function(table, key)
    key = key + 1
    if table[key] then
      return key, table[key]
    end
  end

  local zpairs = function(table)
    return zpair_it, table, -1
  end

  local tab = { [0] = 'yay', [1] = 'huzzah' }
  for i,v in zpairs(tab) do
    print(i,v)
  end

There - now instead of using ipairs(), you can use zpairs() with zero-based indexes.

As far as using like objects, that's getting into metatables and stuff but - basically lua has a syntactical sugar to make object-orientation nice.

If you write "obj:func()" - that's the same as writing "obj.func(obj)" - assuming "obj" is a table, Lua will fetch the "func" key from the table, then call it as a function with "obj" as the first argument (this can be referred to as self within your function definition).

If Lua tries to fetch "func" from your table and it doesn't exist - it will check to see if your table has a metatable defined with an __index metamethod (or table) and pull func from that. So - your table could just have your object's actual state data on it, and functions are referenced in a separate metatable.

Observe:

  local dog_methods = {
    bark = function(self)
      print("bark bark I'm a",self.breed)
    end
  }

  local dog_metatable = {
    __index = dog_methods
  }

  local huskie = setmetatable({
    breed = 'huskie'
  }, dog_metatable)

  local collie = setmetatable({
    breed = 'collie'
  }, dog_metatable)

  huskie:bark()
  collie:bark()

huskie:bark() is equivlanet to huskie.bark(huskie). bark doesn't actually exist on huskie, but huskie has a metatable with an __index table where bark is defined. So the function call is really more like dog_methods.bark(huskie).

Anyways wow that was a lot. Highly recommend going through the Lua manual. It's not a long read.
jprjr_
·há 3 meses·discuss
There's already a stenographer recording the proceeding, right? I'd think you could project what they're recording onto a display somewhere.
jprjr_
·há 4 meses·discuss
> at first boot up as a parent should be your job to setup a child account.

Something I would be 100% OK with is some regulation that at first boot, you have to present information about what parental controls are available on the device and ask if you'd like them enabled.

I haven't set up a phone in a hot minute, I only do it once every few years, is this something they already do?

I'd imagine there's a lot of cases where a parent buys a new phone and hands down the old one to their kid without enabling safety features. I don't know if there's a good way to help with that - maybe something like, whenever you go to set a new password, prompt "hey is this for a kid?" and go through the safety features again?

Just spitballing, that last one may not be a good idea, not really sure.
jprjr_
·há 4 meses·discuss
Basically these age attestation/verification laws are being pushed as a "save the children!" scenario. But if you read the laws - all they really do is shift responsibility around.

Currently, websites and apps are supposed to ensure they don't have kids under 13, or if they do - that they have the parents permission. That's federal law in the US.

These laws make the operating system or app store (depends on the particular law) responsible for being the age gate.

This doesn't stop the federal law from being enforced or anything, but the idea is apps/websites don't handle it directly, that's handled by the operating system or app store.

So now - companies like Meta can throw up their hands and say "hey, the operating system told us they were of age, not our fault." It also makes some things murkier. Now if Meta gets sued, can they bring Google/Apple/Microsoft in as some kind of co-defendent?

I think that murkiness is the point. They don't need to create the most bullet-proof set of regulations that 100% absolves them of all responsibility, they just need to create enough to save some money next time they get sued.

I can think of a ton of regulations we could create to better help protect kids. We could mandate that mobile phones, upon first setup, tell the user about parental controls that are available on the device and ask if they'd like to be enabled. Establish a baseline set of parental controls that need to be implemented and available by phone manufacturers, like an approval process that you need to go through to hit store shelves.

We could create educational programs. Remember being in school and having anti-drug shit come through the school? It could be like that but about social media (and also not like that because it wouldn't just be "social media is bad," hopefully).

Again all these laws do is take what should be Meta's burden, and make it everybody else's burden.
jprjr_
·há 4 meses·discuss
I cannot express how disappointed I am to see open source projects giving in to complying with age attestation laws.

I feel like complying really undermines any first amendment arguments. Software is a first amendment protected form of expression, giving in before getting any actual threats from the state makes your participation seem voluntary.

Systemd's participation puts the entire world into compliance with a California law
jprjr_
·há 4 meses·discuss
I think a better approach would be incentives versus punishments.

Like - you don't make it illegal to not do age attestations, but you provide a mechanism to encourage it.

You get a certification you can slap on your website and devices stating you meet the requirements of a California Family-Friendly Operating System or whatever. Maybe that comes with some kind of tax break, maybe it provides absolution in the case of some law being broken while using your OS, maybe it just means you get listed on a website of state-recommended operating systems.

That certification wouldn't necessarily have to deal with age attestation at all. It could just mean the device/OS has features for parents - built-in website filtering, whatever restrictions they need. Parents could see the label and go "great, this label tells me I can set this up in a kid-safe way."

Hell, maybe it is all about age certification/attestation. Part of that certification could be when setting it up, you do have to tell it a birthdate and the OS auto-applies some restrictions. Tells app stores your age, whatever.

The point is an OS doesn't want to participate they don't have to. Linux distros etc would just not be California Family-Friendly Certified™.

I wouldn't have to really care if California Family-Friendly Certified™ operating systems are scanning faces, IDs, birth certificates, collecting DNA, whatever. I'd have the choice to use a different operating system that suits my needs.
jprjr_
·há 4 meses·discuss
Looking back I'm still perplexed about why he never just linked to the original thing he was responding to.

I mean listen I understand - I'm not owed anything. If he wants to take posts from elsewhere and share them to his blog with all context and background removed that's his business. And he doesn't have to respond to any comments he doesn't want to.

But if he gets a question he doesn't want to answer... He could just not answer it. Just leave my comment hanging. Hell - he could delete it even. I'd be perplexed but would probably shrug it off.

The whole lying thing is what bothers me. I'd rather somebody just not respond than try to feed me bullshit.