Posts: 5 · Comments: 482 · Joined: 2 yr. ago

  • I did switch around a month ago due to a thread similar to this, and I have booted Windows like twice since then, and I'm really glad I made the switch. So, yes, threads like this did help me, while also providing good starting tips.

  • If you use Nvidia, make sure to choose a distro that deals with their drivers by default. I haven't managed to get Nvidia drivers and in-game cutscenes to work on Fedora, but after switching to Nobara all is well now. (And switching to KDE on X11, since Wayland was freezing occasionally and some apps wouldn't work.)

    Aside from HDR, I still haven't managed to get HDR working and it's starting to look like it won't really be possible. And Unity. Unity simply doesn't work, both in a VM and on Linux, so I annoyingly still have to dual-boot.

    Other than that, I switched around two months ago, and aside from the first pains caused by me choosing Fedora instead of Nobara, everything mostly works without issues.

  • I see. IIRC from school, "factor" actually has a definition - it's either something you have (keycard, phone), something you are (biometrics) or something you know (password).

    For authentication to truly be effective MFA, it would have to require at least two of those factors. And that's also why e.g. email isn't really MFA.

    So, I guess it boils down to where you are storing your passwords. If they are also in the password manager, then it's only 1FA, because knowing your password manager password is enough to defeat it. (Or, if someone finds a zero-day in the password manager.)

  • I'd recommend going for the app dev. I always knew I would be working in gamedev, but chose my bachelor's degree in general software engineering, and only went for a master's in gamedev.

    I've been out of school for around 5 years now, and I'm really glad I chose SWE instead of anything more specialized - because it has given me the broadest outlook on IT possible, from documentation best practices, through UML, to various obscure languages from Smalltalk through Lisp, assembly and Prolog to C, Java and C#, while also having some optional classes focused on cybersecurity or AI.

    Most of what I've learned I don't really remember or use daily - but the information has somewhat stuck with me, and I can quickly recall the general concept every time I encounter a similar problem, which makes research a lot faster. If I need to write something in a language that's not my main focus, I can be certain that no matter how unknown, I've already worked in something with similar concepts. And that makes it so much easier to quickly understand the syntax and start writing code.

    I can't imagine how difficult it would be for me to grasp how the hell something like Prolog is supposed to work, but having to sit through classes on it that I barely remember has left me with a vague recollection of what its purpose is, so if I encounter anything similar, I can just pick it up almost immediately. And this goes for most styles of languages or problems - I've already dealt with something similar.

    Not to mention that while UML diagrams and general documentation practices may sound pretty boring (and they are), I've already encountered situations where the diagram was integral to understanding what the docs are going for - and I was able to get it instead of having to figure it out by myself, because I'd already worked with them at school.

    Also, having options is nice - after school, I went to work in cybersec, even though I had only like one optional class on the topic, and I can see how much having a broad overview has helped me in comparison to colleagues who didn't have it. I can write scripts in whatever we encounter, I have a deeper understanding of how other developers write code and what could be wrong, and can make a better educated guess at how exactly the stack we're black-box testing works. And looking up the more specialized cybersec knowledge is way easier than researching a stack of technologies I've never seen or worked with in my life. And that's where the broader degree has helped me the most.

    Also, you can probably enroll in optional classes that are outside of your field of study, which I really recommend - I was doing that a lot during my studies, and they were the most memorable and useful lectures I've had.

  • I don't think a Surface would make for a good work laptop, but I have had an amazing experience so far with using it for the occasional travel, or just as a carry-on.

    I just Parsec into my desktop at home, and can comfortably work without having to deal with performance, and the Surface is amazing for that.

    I also really like the pen support, so I can make notes or draw basically anywhere.

    And I also use it for DJing, where it works pretty well and is compact enough to not be a bother carrying it around.

  • For anyone considering the game, there's a relevant quote from the developer in one of their blog posts, that I think could help them decide whether it's a game for them or not:

    Although Pal World is a very interesting game, I would like to add one point: it is not at all suitable for players who prefer single-player games and want to enjoy the story, so please be aware of that. There's almost no story, so those people won't enjoy it. Fans of survival craft genres such as Minecraft and Valheim will enjoy this game.

  • I make second factor public, effectively reverting to 1FA.

    I work as a red teamer, and I heavily disagree with this approach. MFA has been the bane of so many engagements. We usually end up with a lot of credentials from the target company that we can't really use for anything (unless you already are in the network, where some Windows services don't require it), because each one is under MFA.

    There are so many different ways you can solve the problem of not losing access to your account. Make offline back-ups of recovery keys, back up your Aegis vault to different places.

    Also, you may have a pretty good level of security awareness, highly reducing the risk of any kind of breach happening to you. But that's something you can only affect to a degree. Supply chain attacks happen, zero-days happen. An extension you are using in your browser may get compromised, and someone pushes an info-stealer instead (which has already happened, e.g. with Nano Defender). MFA is what will help you in cases like these.

  • Ooh, you are right, I can actually file bug reports or try to fix it myself now that I've switched to FOSS from Windows. Tbh that didn't really occur to me, since I only switched like a month ago. I'll look into it; so far I suspect that it's actually covered by one of those troubleshooting cases mentioned in their FAQ, and I'm not really confident enough to start recompiling libraries with additional flags. Especially since I'm on Nobara and don't want to break anything; AFAIK that OS is pretty customised from the start, and figuring out what I can safely touch isn't something I have the guts for yet.

  • ===

    Jump
  • It's also important if you're checking hashes (at least, it was - if you're using a correct hashing algorithm that isn't ancient, you will not have this problem).

    Because if you take for example "0e462097431906509019562988736854" (which is md5("240610708"), but also applicable to most other hashing algorithms that hash to a hex string), if("0e462097431906509019562988736854" == 0) is true. So any other data that hashes to any variation of "0e[1-9]+" will pass the check, for example:

    md5("240610708") == md5("hashcatqlffzszeRcrt")

    which equals

    "0e462097431906509019562988736854" == "0e242700999142460696437005736231"

    which, thanks to scientific notation and no strict type checking, can also mean

    0462097431906509019562988736854 == 0242700999142460696437005736231

    which is

    0 == 0

    I did use md5 as an example because the strings are pretty short, but it's applicable to a whole lot of other hashes. And the problem is that if you use one of the strings that hash to a magic hash on a vulnerable site, it will pass the password check for any user whose password also hashes to a magic hash. There's not really a high chance of that happening, but there are still a lot of hashes that do hash to it.
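    The comparison above, as an added example that is not part of the original comment: a small Python emulation of PHP's loose `==` on numeric strings, run against real MD5 digests, with the "magic hash" login bypass beside the hardened check (strict, constant-time comparison, which in PHP is `hash_equals()` or `===`). The preimage "240610708" is the one quoted in the comment; "QNKCDZO" is a second widely documented magic-hash preimage added here. The regular expression is an approximation of PHP's numeric-string rule, not PHP's own implementation.

```python
# Added example, not the commenter's code: a Python emulation of PHP's loose
# "==" on numeric strings, to show why a "0e..." ("magic") hash passes a
# password check against any other magic hash, and what the fix looks like.
import hashlib
import hmac
import re

# Approximation of PHP's numeric-string rule: optional sign, digits, optional
# fraction, optional exponent. "0e462..." matches because "e462..." is read
# as an exponent, so the whole string is the number 0 * 10**462... == 0.
_PHP_NUMERIC = re.compile(r"^\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?\s*$")


def php_loose_eq(a: str, b: str) -> bool:
    """Emulates PHP's `$a == $b` for two strings.

    When both operands are numeric strings, PHP compares them as numbers
    (still true in PHP 8); otherwise it compares them byte-wise.
    """
    if _PHP_NUMERIC.match(a) and _PHP_NUMERIC.match(b):
        return float(a) == float(b)
    return a == b


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def is_magic_hash(h: str) -> bool:
    """True for digests of the form 0e<digits only>, which PHP reads as zero."""
    return re.fullmatch(r"0e\d+", h) is not None


def vulnerable_check(stored_hash: str, submitted_password: str) -> bool:
    """The PHP anti-pattern: `if (md5($password) == $stored_hash)`."""
    return php_loose_eq(md5_hex(submitted_password), stored_hash)


def hardened_check(stored_hash: str, submitted_password: str) -> bool:
    """Strict, constant-time comparison (PHP: `hash_equals()` / `===`)."""
    return hmac.compare_digest(md5_hex(submitted_password), stored_hash)


# Two widely documented magic-hash preimages; the first is the one quoted in
# the comment above.
MAGIC_PREIMAGES = ["240610708", "QNKCDZO"]


def demo() -> dict:
    """Store the hash of one magic preimage, then log in with the other."""
    stored = md5_hex(MAGIC_PREIMAGES[0])
    attacker_password = MAGIC_PREIMAGES[1]
    return {
        "stored_hash": stored,
        "attacker_hash": md5_hex(attacker_password),
        "both_magic": all(is_magic_hash(md5_hex(p)) for p in MAGIC_PREIMAGES),
        "loose_accepts_wrong_password": vulnerable_check(stored, attacker_password),
        "strict_accepts_wrong_password": hardened_check(stored, attacker_password),
        "strict_accepts_right_password": hardened_check(stored, MAGIC_PREIMAGES[0]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

    Note that the fix is the comparison, not just the algorithm: a bcrypt or argon2 string such as "$2y$..." can never be a numeric string, which is why modern password hashing sidesteps the problem, but any hex digest compared with `==` is exposed.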

  • I was using LibreWolf before, but I really like the idea of bundling VPN + browser, and also the way they handle payments - not only is Mullvad VPN kind of cheap, I can just pay with crypto and don't need any account (kind of - you just generate a username that also serves as a password, without any other contact information required).

    But what I like the most about it is the idea of making a browser with the goal of having the same fingerprint between users (as much as possible), and offering it with a VPN - because that means that most other users of the VPN will probably also have the same fingerprint from the browser, so you will blend in with them. I wasn't really sold on the idea of a VPN before that and didn't use one, but this was what convinced me.

    But tbh I haven't done much research into the company, or into the effectiveness of their implementation. I'm kind of betting on their cooperation with Tor Browser, which should have most of this stuff already figured out. But it's possible that other browsers are just better at it; I never checked.

    I do however still use LibreWolf for the occasional site that breaks with Mullvad, but it's not something that happens too often.

    I use(d) the VPN alongside it and found the add-on “hints” regarding the correct DNS settings more frustrating than helpful, too.

    Hmm, I don't think I've ever noticed anything about DNS. I think I've actually never clicked on the browser VPN extension, though :D Is it the encrypted DNS hint?

    EDIT: Found this, apparently it's doing pretty well https://privacytests.org/

  • I've been having a pretty good experience with Mullvad, however I don't hear many people talking about it. I wonder why that is; IIRC it's being developed with the Tor Foundation, and is basically a Tor browser for the clear web, and that sounds perfect. So far I didn't run into any issues, so is there a catch, or are they just not well enough known yet? Or maybe people are turned away by their optional VPN?

  • For anyone wondering - why would I need it? I'm already signed in to GitHub, the commit is committed using my SSH key, GitHub knows it's me. Why would I need another verification?

    Here's why. https://dev.to/martiliones/how-i-got-linus-torvalds-in-my-contributors-on-github-3k4g . If someone commits with your email (or GitHub noreply email, which is public), it will get attributed to you. I was just trying it with a colleague's account, and so far I haven't found any way to tell that it really wasn't him.

  • If it has my username, on GitHub, you’re confident it’s my commit.

    Apparently, that's not true: https://dev.to/martiliones/how-i-got-linus-torvalds-in-my-contributors-on-github-3k4g

    However, it's a pretty old article - maybe it's already fixed? I'll have to try that.

    EDIT: It still works, and you can just use the GitHub noreply address, which is ID+username@users.noreply.github.com . The commit gets linked to their profile, is shown on their profile page, and has their username and profile picture. I haven't figured out any difference between a legit and an impersonated commit so far, but maybe it's hidden somewhere in the repo administration.

    So, there you have it. That's what PGP signing is for.

  • I use commit signing as some kind of a multifactor.

    I have my signing key saved on a YubiKey, so it's pretty difficult for an attacker to gain access to it.

    However, you can still commit through the web browser, and usually have a session for it open when working. If I slipped up and someone got to my PC while I had GitHub open (or managed to steal my session cookies somehow - e.g. a Rubber Ducky drive-by), his options are:

    • Commit without signing through SSH. I have the SSH key password in my password manager that auto-locks after a minute, so that shouldn't happen, plus the commit wouldn't be signed since I have the key with me.
    • Commit something through the browser - he can't sign it.
    • Add an SSH key or a new signing key through the browser - I get immediately notified.

    So, the end result should be that thanks to the signing mechanism, I should immediately know that something is wrong. Is it necessary? Probably not, but I still think it's worth it, at least for me.

    Now I'm wondering whether it wouldn't be better to have the SSH key on the YubiKey instead. Hmm. I only discovered commit signing later, and didn't have a YubiKey before, so it never occurred to me.
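    The attribution trick from the two comments above (committing with someone else's noreply address) and the signing-based detection from this one, as an added example that is not part of the original comments: a Python script that builds a throwaway local repository, creates a commit whose author and committer fields claim a victim's GitHub noreply identity, and then reads the only field that separates it from a genuine commit, the signature status that commit signing gives a reviewer or CI gate. The victim name and the numeric ID in the noreply address are constructed and hypothetical. It needs a `git` binary on the PATH; no GPG key or gpg binary is required, since the point is that an unsigned commit reports no signature at all.

```python
# Added example, not the commenter's code: reproduce the attribution trick
# described above in a throwaway local repository, then show the one signal
# that separates it from a genuine commit: the signature status that commit
# signing provides. Requires a `git` binary; gpg is not needed.
import os
import subprocess
import tempfile

# Constructed identity. GitHub's noreply format is
# ID+username@users.noreply.github.com; the ID and username here are hypothetical.
VICTIM_NAME = "victim"
VICTIM_EMAIL = "12345678+victim@users.noreply.github.com"


def git(repo: str, *args: str) -> str:
    """Run git inside `repo` and return its stripped stdout."""
    out = subprocess.run(["git", "-C", repo, *args], check=True,
                         capture_output=True, text=True)
    return out.stdout.strip()


def make_impersonated_commit(repo: str) -> str:
    """Author and committer are plain text inside the commit object, so anyone
    who can push can set them to somebody else's name and address."""
    with open(os.path.join(repo, "README"), "w") as f:
        f.write("constructed file for the demo\n")
    git(repo, "add", "README")
    git(repo,
        "-c", f"user.name={VICTIM_NAME}",
        "-c", f"user.email={VICTIM_EMAIL}",
        "-c", "commit.gpgsign=false",  # the attacker cannot sign as the victim anyway
        "commit", "-q", "-m", "looks like victim wrote this")
    return git(repo, "rev-parse", "HEAD")


def signature_status(repo: str, rev: str) -> str:
    """%G? is 'N' for no signature, 'G' good, 'B' bad, 'U' untrusted key, 'E' error."""
    return git(repo, "log", "-1", "--format=%G?", rev)


def is_trustworthy(repo: str, rev: str) -> bool:
    """What a review or CI gate should require: a good signature, not a
    matching name/email, which the forged commit also has."""
    return signature_status(repo, rev) == "G"


def demo() -> dict:
    repo = tempfile.mkdtemp(prefix="impersonation-demo-")
    subprocess.run(["git", "init", "-q", repo], check=True)
    rev = make_impersonated_commit(repo)
    name, email = git(repo, "log", "-1", "--format=%an%n%ae", rev).split("\n")
    # `git verify-commit` exits non-zero when there is no good signature.
    verify = subprocess.run(["git", "-C", repo, "verify-commit", rev],
                            capture_output=True, text=True)
    return {
        "author_name": name,                              # displays as the victim
        "author_email": email,                            # GitHub links this to the victim's profile
        "signature_status": signature_status(repo, rev),  # "N": nothing to verify
        "verify_commit_exit": verify.returncode,          # non-zero: rejected
        "trustworthy": is_trustworthy(repo, rev),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

    The same `%G?` check is what a repository-side policy enforces when it requires signed commits: the forged commit carries the victim's name and address, but never a signature the victim's key could have produced.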

  • You are probably right, it wasn't really a great example. I think that's probably because Russia is already deep into dictatorship and indoctrination, so the fear-inspired loyalty is deep enough for them to not really need AI autonomous weapons to do whatever evil they need.

    But the point I was trying to make is that with AI weapons, it's definitely easier in a more stable and democratic army to get there and cause a massive amount of damage, stage a coup or just do domestic terrorism, because you don't need to convince a large number of people to fight for you. You just need a few who can operate the swarm, and getting the loyalty of a few people is way easier than convincing an entire army.

    The same can be said about weapons of mass destruction, but most of them are also really difficult to get, and pretty hard to operate - or you can be easily stopped. If you unleash a swarm of murderous autonomous drones, it will not be pretty. And that's why I hope they will get treated with the same level of respect as nukes do, and not used as part of common conventional warfare.