(long thread, soon a blog post)
Thinking about setting up a little cooperative called #nerdcert. Where we use letsencrypt style certificate generation, renewals and distribution, with ACME support, but only for certificates that have EKU (Extended Key Usage) entries that go beyond serverAuth, the only thing Google will accept from mid next year 😀 Context: Thread and replies at social.wildeboer.net/@jwildebo…
@GhostOnTheHalfShell •Are• software engineers actually being replaced by AI? I have yet to hear credible reports from the field — that is, reports from people who are neither executives nor AI vendors, and who actually understand how software gets built — of AI helping to write code with a net time/cost benefit across the whole arc to production that comes anywhere •close• to justifying the job market shrinkage we’re seeing. Most of the reports I hear amount to “it helped me learn a new thing” but “little or negative net benefit once the code has to actually •work•.” Say what you will about the future, but the •present• just ain’t there.
I tend to think AI is an excuse for the layoffs, not a reason.
Accident in port: 27-year-old worker in critical condition
Workplace accident on a ship moored in the port of Marina di Carrara. A 27-year-old man was struck in the back by a large-diameter tensioned cable while working on the vessel.
Last week, Sunday, so... not even quite a week ago, we had to put our #dog to sleep. It was rough, my wife had her for over 16 years and I've been around for 12 of those years. Daisy was legitimately the best dog I've ever had in my life. Figured I would share some stories about her, and also a little bit about the last years.
Over 10 years ago, I began crafting a story about Kelpies and a morally grey character—Greer. In 2023, I finally brought it to life in comic form for the Pagaverse. Thank you to everyone who's supported and encouraged me along the way! 🌊✨ Here's a glimpse into 10 years of sketches and story fragments.
patreon.com/posts/128351092?ut…
Free for members
#mermay #scottishfolklore #mastoart #short comic
I shared how science survives in Ukraine — through care, not just access.
#SUPRR #OpenScience #UkraineScience
“A woman is like a beer. They smell good, they look good, you’d step over your own mother just to get one.”
Who said it: Homer Simpson or Pete Hegseth? trib.al/f00kUIj
Who Said It: Homer Simpson or Pete Hegseth?
They’re both unqualified for their jobs and love to drink. Can you tell them apart? (The New Republic)
Fire at Kumho Tire’s Gwangju Plant in Korea Halts Production
https://www.bloomberg.com/news/articles/2025-05-17/fire-at-kumho-tire-s-gwangju-plant-in-korea-suspends-production?utm_source=flipboard&utm_medium=activitypub
Posted into Bloomberg @bloomberg-bloomberg
Transgender Coloradans receive new discrimination protections as Gov. Polis signs bill into law
Colorado law now explicitly protects transgender people from being “deadnamed” or misgendered in certain places under legislation signed into law Friday by Gov. Jared Polis. Seth Klamann (The Denver Post)
Turkey’s Celebi Says It’s Cooperating After India Revokes Clearance
https://www.bloomberg.com/news/articles/2025-05-17/celebi-says-it-s-cooperating-after-india-revokes-clearance?utm_source=flipboard&utm_medium=activitypub
Posted into Bloomberg Asia @bloomberg-asia-bloomberg
How parents' smartphone use affects young children
If parents spend a lot of time on their phones, it can also harm their children - and more than most people realize. A new study shows: merely checking notifications could have an effect. By Anja Braun and Emily Burkhart.
The fact is that #BigTech does everything it can to increase the time people spend in apps. And it does so WITH SCIENTIFIC METHODS.
Why?
To be able to place its purchase offers.
#WirtschaftMussWachsen
#Tracking
Societal consequences no longer play any role at all. It is only about #GewinnMaximierung (profit maximization).
And politics has played along for decades.
And then we are told that #Wissenschaft (science) does not yet have sufficient results to prove the negative consequences.
Unfortunately it is not the #Weltklima (global climate) but the #Konsumklima (consumer climate)!!!
Private consumption takes place in #Freizeit (leisure time). And that is being fueled #KosteEsWasEsWolle (whatever the cost).
Attention is drawn to #Konsum (consumption) by all available means.
Attention for what matters in life is being siphoned off WITH SCIENTIFIC METHODS. And that includes children and one's own mental health.
#Awareness #Werbung
How dangerous power banks in carry-on luggage are when flying
In January, a fire broke out on board an Airbus A321 of the South Korean airline Air Busan. The cause: a scorched power bank. The first airlines are drawing consequences. What travelers need to know. By Jens Eberl.
Inside every QA tester there are:
- Two wolves
- One wolf
- Zero wolves
- 0.5 wolves
- 2,147,483,648 wolves
- -2 wolves
- Beer wolves
- Two coyotes
- 🐺🐺
- Два волка
- '); DROP TABLE WOLVES;--
- <script>alert('Awooooo')</script>
I installed Fedora on a Raspberry Pi—see how it measures up to the official OS!
that’s an article I’ve been waiting for quite a while 🙌🏻
P.S.: not much has changed since I tried that myself. Still no support for Pi 5, still boots for ages, still looks great though (especially with #KDE 😈)
I am reliably informed by Google Shield that my site krebsonsecurity.com on Monday was the target of the biggest DDoS attack Google has ever had to deal with, clocking in at ~6.3 Tbps. This is not quite a record; apparently, an attack Cloudflare had to deal with in April is the largest known DDoS to date -- at ~6.5 Tbps.
It's been a while since we've seen a big DDoS. For reference, this one was about 10x the size of the Mirai botnet attack that launched a record DDoS against my site in 2016, knocking it offline for nearly 4 days until I got the site behind Google Shield.
I'll know more in a bit. Below is the CF blog about their April attack.
blog.cloudflare.com/ddos-threa…
Targeted by 20.5 million DDoS attacks, up 358% year-over-year: Cloudflare’s 2025 Q1 DDoS Threat Report
DDoS attacks are surging. In 2025 Q1, Cloudflare blocked +20M attacks (a 358% YoY spike) along with 5.6 Tbps and 4.8 Bpps record-breaking attacks. And that's just the beginning. Read more in our latest DDoS Threat Report. (The Cloudflare Blog)
Through the Glass
📷 Canon Elan 7e, 100mm 2.8 | 🎞️ Fuji 200 (developed in Cinestill) | 📍Minnesota Arboretum
#FilmPhotography #35mmFilm #AnalogPhotography #ShootFilm #FilmisNotDead #BelieveInFilm
#Photo #Photography #FilmPhoto #AnalogVibes #Nature #Window
#SpringVibes #BloomSeason #SoftLight #PeacefulMoment #EverydayBeauty #Stillness #Bloom #Flowers #Plants #Meditative
#Minnesota #mnastodon
msn.com/en-xl/africa/kenya/cou… #cleansport #antidoping #datajournalism
Gardener shares ultimate hack for seemingly endless supply of green onions: 'Magical' - All For
Did you know you can regrow produce from lots of your kitchen scraps? One gardener showed how they are working on a never-ending supply of green onions. Gardening (All For Gardening)
Moraes to be rapporteur for the Chamber's case challenging the STF decision on Ramagem - Paulo Figueiredo
The House countered the 1st Panel's ruling against the deputies' act. Justice Alexandre de Moraes of the Supreme Federal Court (STF) will be the rapporteur for the action filed by the Chamber of Deputies challenging the decision of the STF's 1st Panel that suspended, p… Suhely Bueno (Paulo Figueiredo)
Deadly Israeli strikes pound Gaza
Israeli strikes on Gaza have killed more than 250 people since Thursday morning, local health authorities said on Friday, one of the deadliest phases of bombardment since a truce collapsed in March, with a new ground offensive expected soon.
📝 The Bolsa Família program faces a dilemma: even at a cost of R$ 28 billion, the R$ 100 adjustment was disregarded. Find out how this decision may affect millions of Brazilians and what the repercussions are in the current economic scenario. Click to understand everything about this controversy!
#BolsaFamília #Economia #Política
inkdesign.com.br/bolsa-familia…
Bolsa Família ignores R$ 100 adjustment, cost of R$ 28 billion
São Paulo — InkDesign News — Finance Minister Fernando Haddad reiterated that the proposal for a R$ 100 increase in the Bolsa Família benefit, which would raise the monthly payment from R$ 600 to R$ 700, Tiago F Santiago (INK|DESIGN NEWS)
ClojureScript 1.12.42
Link: clojurescript.org/news/2025-05…
Discussion: news.ycombinator.com/item?id=4…
Maybe I am one of those people who only need four hours of sleep a night.
Or maybe I should not have eaten Chinese food.
Jan Wildeboer 😷, in reply to Jan Wildeboer 😷:
nerdcert.eu
Jan Wildeboer 😷, in reply to Jan Wildeboer 😷:
Jan Wildeboer 😷, in reply to Jan Wildeboer 😷:
nerdcertMirror (Codeberg.org)
Jan Wildeboer 😷, in reply to Jan Wildeboer 😷:
Collecting more input on EKU (Extended Key Usage). While there are several proprietary extensions, the more logical source of EKUs is OID (1.3.6.1.5.5.7.3)
That defines 44 EKUs, of which 5 are declared to be obsolete. Now for browser communication, Google wants to reduce that list to the first entry only, id-kp-serverAuth. Any other EKU in a cert means no trust by Chrome in future.
iana.org/assignments/smi-numbe…
Structure of Management Information (SMI) Numbers (MIB Module Registrations) (www.iana.org)
Jan Wildeboer 😷, in reply to Jan Wildeboer 😷:
Jan Wildeboer 😷, in reply to Jan Wildeboer 😷:
Jan Wildeboer 😷, in reply to Jan Wildeboer 😷:
Jan Wildeboer 😷, in reply to Jan Wildeboer 😷:
Jan Wildeboer 😷, in reply to Jan Wildeboer 😷:
And now for the coop part. First the definition I use, because that is important:
"A cooperative is an autonomous association of persons united to meet common economic, social, and cultural goals. They achieve their objectives through a jointly-owned and democratically-controlled enterprise." [1]
OK. With that out of the way, let's see what this means for the CA idea behind nerdcert.
[1] single-market-economy.ec.europ…
Cooperatives
Internal Market, Industry, Entrepreneurship and SMEs
Jan Wildeboer 😷, in reply to Jan Wildeboer 😷:
There are a lot of interesting terms in the definition. It is an autonomous association (jointly-owned, not by a single person or investor) of persons (not companies) with a defined (set of) goals; a coop, however, acts as an enterprise (so it doesn't have to be a non-profit) and is democratically controlled (transparent by definition).
This makes a coop a better fit than a foundation. In a coop people focus on building solutions, not on managing a foundation, which is a very different skillset.
Jan Wildeboer 😷, in reply to Jan Wildeboer 😷:
For an idea/project like nerdcert, but also more generally for open source projects, the coop reflects in its construction the values I hope it can represent.
But there is a bigger advantage. Being jointly-owned means that you have to create a trusted registry for owners/members, and that you have to manage the money they owe the coop.
So, by accident, more or less, you have to solve the same problem for the coop that you need to solve for running a CA/PKI: KYC — Know Your Customer.
Jan Wildeboer 😷, in reply to Jan Wildeboer 😷:
And by solving the same problem for two tasks, you create (buzzword ;) synergy effects. Now that you have to establish proof of ownership/identity for coop owners/members, you can use all of that in the CA/PKI context too. Extended Validation certificates are suddenly in reach, more or less as a by-product of being a coop.
You could even run member-specific CAs as part of the goals of the coop. And reinvest. Actually make money and donate that to the FOSS projects you use. Etc.
Jan Wildeboer 😷, in reply to Jan Wildeboer 😷:
You could create a network of coops that each run their specific CAs and establish trust between these coops, thus growing the network.
I guess you get the idea by now. I'll take a break here to sort my thoughts, because they are overflowing and need some time to settle into coherent sentences. I hope you like the story so far 😀
Jeroen Massar, in reply to Jan Wildeboer 😷:
Jan Wildeboer 😷, in reply to Jeroen Massar:
@jeroen It's only a problem when being accepted in the root pool is your goal ;) This whole idea started because Google has decided to un-trust all root CAs that allow more than just the authServer EKU in certificates from mid next year on. Becoming included in that club is definitely not the goal.
The consensus in the CA/PKI world seems to be anyway that for anything but browser acceptance, a private CA is the better and preferred approach. A cooperative approach to that — that's my idea.
Jeroen Massar, in reply to Jan Wildeboer 😷:
Jan Wildeboer 😷, in reply to Jeroen Massar:
Jeroen Massar, in reply to Jan Wildeboer 😷:
Jan Wildeboer 😷, in reply to Jeroen Massar:
@jeroen Here's my logic (which might be flawed, that's why I share in the open):
- For web/mail server certificates letsencrypt exists and works just fine.
- For M2M, mTLS, device certificates having more EKUs than just authServer makes a lot of sense
- Consensus in the industry is that for those use cases you should run a private CA/PKI
- That's however a big ask for many projects/groups out there
- So why not build that as a service, as a coop?
HTH (Hope This Helps)
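Two posts in this thread touch the same mechanism: Jan's earlier post on the id-kp OID arc 1.3.6.1.5.5.7.3 and the list above about M2M/mTLS certificates that carry more EKUs than serverAuth. As an added example (not code from Jan, the nerdcert project, or anyone in the thread), here is a dependency-free Python decoder for the DER value of an extendedKeyUsage extension (a SEQUENCE OF OBJECT IDENTIFIER), with a check for the serverAuth-only rule the thread describes. The OID-to-name table uses the RFC 5280 id-kp assignments; the three sample EKU blobs at the bottom are constructed here and are not taken from any real certificate.

```python
# Added example: decode an X.509 extendedKeyUsage value (DER) without any
# third-party library and classify it against a serverAuth-only rule.
# OID assignments below are the RFC 5280 id-kp values; the sample blobs at the
# bottom are constructed for this example, not taken from a real certificate.

ID_KP_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
ANY_EXTENDED_KEY_USAGE = "2.5.29.37.0"
KNOWN_KP = {
    ID_KP_SERVER_AUTH: "serverAuth",
    "1.3.6.1.5.5.7.3.2": "clientAuth",
    "1.3.6.1.5.5.7.3.3": "codeSigning",
    "1.3.6.1.5.5.7.3.4": "emailProtection",
    "1.3.6.1.5.5.7.3.8": "timeStamping",
    "1.3.6.1.5.5.7.3.9": "OCSPSigning",
    ANY_EXTENDED_KEY_USAGE: "anyExtendedKeyUsage",
}


def _read_tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value starting at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(content: bytes) -> str:
    """Convert the content octets of an OBJECT IDENTIFIER to dotted-decimal form."""
    first = content[0]
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    acc = 0
    for b in content[1:]:                  # base-128; high bit set on all but the last octet
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def encode_oid(dotted: str) -> bytes:
    """Inverse of decode_oid, including tag and (short-form) length octets."""
    arcs = [int(a) for a in dotted.split(".")]
    content = bytes([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        octets = [arc & 0x7F]
        arc >>= 7
        while arc:
            octets.append((arc & 0x7F) | 0x80)
            arc >>= 7
        content += bytes(reversed(octets))
    return bytes([0x06, len(content)]) + content


def encode_eku(oids) -> bytes:
    """Build the DER value of an extendedKeyUsage extension (short-form length suffices here)."""
    content = b"".join(encode_oid(o) for o in oids)
    return bytes([0x30, len(content)]) + content


def decode_eku(der: bytes) -> list:
    """Return the dotted OIDs listed in an extendedKeyUsage value."""
    tag, content, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("extendedKeyUsage must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(content):
        tag, value, pos = _read_tlv(content, pos)
        if tag != 0x06:
            raise ValueError("extendedKeyUsage may only contain OBJECT IDENTIFIERs")
        oids.append(decode_oid(value))
    return oids


def describe_eku(der: bytes) -> list:
    """Human-readable names where known, raw dotted OIDs otherwise."""
    return [KNOWN_KP.get(o, o) for o in decode_eku(der)]


def server_auth_only(der: bytes) -> bool:
    """The rule discussed in the thread: nothing but id-kp-serverAuth may be present."""
    return set(decode_eku(der)) == {ID_KP_SERVER_AUTH}


# Constructed samples: a browser-style cert, a cert that also allows mTLS
# clients, and a device cert asserting anyExtendedKeyUsage.
WEB_ONLY = encode_eku([ID_KP_SERVER_AUTH])
WEB_AND_CLIENT = encode_eku([ID_KP_SERVER_AUTH, "1.3.6.1.5.5.7.3.2"])
DEVICE = encode_eku(["1.3.6.1.5.5.7.3.2", ANY_EXTENDED_KEY_USAGE])

if __name__ == "__main__":
    for name, blob in [("WEB_ONLY", WEB_ONLY), ("WEB_AND_CLIENT", WEB_AND_CLIENT), ("DEVICE", DEVICE)]:
        print(name, blob.hex(), describe_eku(blob), "serverAuth-only:", server_auth_only(blob))
```

To apply this to a real certificate, hand `decode_eku` the raw DER value of the extendedKeyUsage extension as exposed by a full X.509 parser; the decoder accepts long-form lengths on input even though the constructed samples only need the short form, and it rejects anything that is not a SEQUENCE of OIDs rather than guessing.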
Jeroen Massar, in reply to Jan Wildeboer 😷:
Can be good.... but...
A cert is mostly meaningless (untrusted) if you do not trust the CA that signed it, as then anyone could make a CA and cert and claim to be a given host.
DANE TLSA circumvents that problem by putting the "CA trust" into DNS/DNSSEC (which is not a bad way IMHO, but requires participants to use/support that...);
thus either everyone needs to trust the new CA or everyone support DANE; egg meet a hard problem (distros could sneak in a new CA)
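The DANE TLSA mechanism Jeroen describes above, as an added example that is not part of the thread: a TLSA record names a certificate usage, a selector and a matching type, and a verifier checks the association data against the presented chain. The code below implements the RFC 6698 matching rules for selector 0 (full certificate) with matching types 0, 1 and 2, and picks the chain element the record constrains from the usage (end-entity for usages 1 and 3, an issuing CA for usages 0 and 2). The two certificate blobs are constructed placeholder bytes, not real DER certificates; selector 1 (SubjectPublicKeyInfo) and the PKIX path validation that usages 0 and 1 additionally require are deliberately out of scope.

```python
# Added example (not from the thread): DANE TLSA record matching per RFC 6698
# for selector 0 (full certificate). The certificate bytes are constructed
# placeholders, not real DER certificates.
import hashlib

# TLSA certificate usages (RFC 6698 section 2.1.1)
PKIX_TA, PKIX_EE, DANE_TA, DANE_EE = 0, 1, 2, 3


def parse_tlsa(rdata: str):
    """Parse the presentation form "usage selector mtype hex-data" (hex may be space-separated)."""
    usage, selector, mtype, *hexparts = rdata.split()
    return int(usage), int(selector), int(mtype), bytes.fromhex("".join(hexparts))


def _association_data(mtype: int, data: bytes) -> bytes:
    """Apply the matching type: 0 = raw bytes, 1 = SHA-256, 2 = SHA-512."""
    if mtype == 0:
        return data
    if mtype == 1:
        return hashlib.sha256(data).digest()
    if mtype == 2:
        return hashlib.sha512(data).digest()
    raise ValueError(f"unknown TLSA matching type {mtype}")


def tlsa_record_for(cert_der: bytes, usage: int = DANE_TA, mtype: int = 1) -> str:
    """Build the rdata a zone operator would publish for cert_der (selector 0)."""
    return f"{usage} 0 {mtype} {_association_data(mtype, cert_der).hex()}"


def tlsa_matches(record: str, chain: list) -> bool:
    """chain[0] is the end-entity certificate (DER); the rest are its issuers.

    Usages 1 (PKIX-EE) and 3 (DANE-EE) constrain the end-entity certificate;
    usages 0 (PKIX-TA) and 2 (DANE-TA) must match some CA certificate in the
    chain. Usages 0 and 1 also require normal PKIX validation, which is not
    performed here; usage 3 needs none, which is what makes DANE-EE attractive
    for a CA that no browser trusts.
    """
    usage, selector, mtype, assoc = parse_tlsa(record)
    if selector != 0:
        raise NotImplementedError("only selector 0 (full certificate) is handled here")
    candidates = chain[:1] if usage in (PKIX_EE, DANE_EE) else chain[1:]
    return any(_association_data(mtype, cert) == assoc for cert in candidates)


# Constructed placeholder "certificates" (DER-ish prefix plus filler, not parseable X.509).
CA_DER = b"\x30\x82\x01\x00" + b"constructed-private-ca-cert" * 4
EE_DER = b"\x30\x82\x01\x00" + b"constructed-device-cert" * 4

if __name__ == "__main__":
    ta_record = tlsa_record_for(CA_DER, DANE_TA)
    print("_443._tcp.device.example. IN TLSA", ta_record)
    print("chain anchored in the private CA:", tlsa_matches(ta_record, [EE_DER, CA_DER]))
    print("chain from an unrelated CA:", tlsa_matches(ta_record, [EE_DER, b"some-other-ca"]))
```

Publishing a usage-2 record for the coop's CA certificate is the "CA trust in DNS" Jeroen refers to: a relying party that supports DANE can validate the chain without the CA being in any distribution's root store, but only if the zone is DNSSEC-signed and the client actually performs the lookup.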
Jeroen Massar, in reply to Jeroen Massar:
The Sunlight CT Log (sunlight.dev)
Filippo Valsorda, in reply to Jeroen Massar:
@jeroen @benjojo FWIW, folks using the WebPKI for non-Web purposes has been a massive issue (since they tend to scream "noooo you will break my 1998 PoS clients if you do that and people will die" every time you try to improve things), so requiring WebPKI-only (and so serverAuth-only) hierarchies is a great thing for the security of Web users, not some abuse of power.
I don't know enough about non-Web non-mail use cases to tell if a coop-run domain validated (?) CA will make sense.
Alfred J. Kwak (audiokontor) ☕, in reply to Jan Wildeboer 😷:
let me check where i can help....
Jan Wildeboer 😷, in reply to Jan Wildeboer 😷:
nerdcert.eu
Filippo Valsorda, unknown parent:
@jeroen @benjojo I am not making fun of anyone here, I explicitly said "I don't know enough about non-Web non-mail use cases" because I don't know enough.
I am complaining about folks using *a specific PKI designed for browsers and managed by browsers* and then asking that it comply with their non-browser requirements. But it doesn't sound like that's what you are planning, quite the opposite!
Jan Wildeboer 😷, unknown parent:
Filippo Valsorda, unknown parent:
@jeroen @benjojo Google is not stopping Let's Encrypt from doing anything. They are just requiring that the WebPKI roots they trust on behalf of their browser users only issue certificates for browsers, so they can more easily update to future browser requirements. This is good basic PKI hygiene.
Let's Encrypt decided not to spin up non-browser roots, which I respect, since they are a non-profit that can choose what they focus on.
You can make roots for other purposes.
Jan Wildeboer 😷, unknown parent:
Filippo Valsorda, in reply to Jan Wildeboer 😷:
@jeroen @benjojo It's right there, "split [...] into separate PKIs". TLS and X.509 are not browser-only, the WebPKI is.
I think this conversation has run its course, I wish you the best building the infrastructure you need!