The #XMPP Newsletter for Feb '23 is out!
Read about the latest XMPP universe updates and the latest updates on our #Standards!
Enjoy reading! 📰 ☕
xmpp.org/2023/03/the-xmpp-news…
#jabber #xep #interoperability #federation #decentralization #chat
meh.
The Samsung Galaxy S23’s bloated Android build somehow uses 60GB of storage
Link: arstechnica.com/gadgets/2023/0…
Discussion: news.ycombinator.com/item?id=3…
Bloatware pushes the Galaxy S23 Android OS to an incredible 60GB
Samsung's Android build is 4x bigger than Google's—twice the size of Windows 11.
Ars Technica
governo.it/it/articolo/attacco…
Note published on the birdsite today. First comment? "Get rid of #SPID". But wh...
Cyberattack, note from Palazzo Chigi
The Government, kept updated by the Agenzia per la Cybersicurezza Nazionale, ACN, is closely following the developments of the attack that culminated today through ransomware already in circulation on VMware ESXi servers.
www.governo.it
@roughnecks yes, and besides: if SPID works badly you can always choose another provider.
What surprised me more than anything was that Palazzo Chigi published a statement mentioning #ESXi and the first reaction was to take it out on #SPID
@Jun Bird @roughnecks I use two providers: Poste and Sielte
Poste is "easier" as long as it works: friendlier app and so on, but in my case there was no way to enable authentication via the app. In theory there was supposed to be a single PIN for bancoposta/SPID (called PosteId), but in practice I have two different ones, which confuses the app. I opened a ticket and everything, and in response got an invitation to go to the post office to reactivate it all at a cost of €10. Foreseeing the counter clerk's bewilderment when presented with my bug, and wanting to escape the extortion, I registered with Sielte following advice under a nice post by @quinta :ubuntu: .
Spartan but working apps, no surprises so far
I have a sysadmin curiosity, surely a very naive one:
do two virtual machines hosted on the same server and networked with each other have to pass the traffic through the server's "physical" network card in order to exchange data?
Come to work
Doodle made for the regional congress of @filtcgil_milanoelombardia, held on 16 January in the main lecture hall of @unimib in Milan.
#gliscarabocchidimaicolemirco #maicolemirco #filtcgil #lavoro #lavorare
@Seph Harrison♊ ✅ Yep, I resorted to DiCa since it is the lightest, but it has so many missing features!
Outside of that, I like what I see, but it'll be a while before I get to trying it out as I usually don't hit Friendica from my tablet.
afraid it won’t pass the HTML sterilizers that prevent malicious code from being injected into a post. Worth trying though.
“It crashed” was one of the examples of bad feedback I put in the beta notes lol. I should probably put why the various examples are bad though now that I look at it.
Be happy to have you as a tester. The Mac build and all non-iOS platforms are available for direct download now. For iOS it has to go through TestFlight so just DM me your email address and first/last name (or first name and the preferred Friendica account handle). I’m still waiting for app approval from Apple though.
PS sorry if you already DMd me. The Friendica Message system is one of the big features I need to implement still in the app (which I’m using to write this).
What can I say? Congratulations.
The ones with a lamp socket are a small selection, scarcely available also because they are rightly preferred when found in the shop.
How can a light fixture that has to be thrown away when the LED dies be a sensible choice?
(1/4)
(2/4)
First list of codes for box name execution (Pokémon Emerald) - Pastebin.com
Pastebin.com is the number one paste tool since 2002. Pastebin is a website where you can store text online for a set period of time.
Pastebin
After that, execution is kicked off by hatching a certain glitched egg (generating it is the really laborious part of this process).
PS: The perhaps excessive enthusiasm was due to the fact that this was the third time I had tried lmao
(3/4)
This particular code unlocks the "secret gift" that lets you go to Isola Suprema to catch Mew.
I don't know what I would have done as a kid to find out about this bug. Taking this on served to avenge little me, who could never complete the Pokédex because he lived far too far away to go to Mirabilandia every summer (I was only missing the event Pokémon) 😡
If you want to know more, this video is EXCELLENT: youtu.be/Kb0CjqeNWNY
(4/4)
GODLIKE Emerald Glitches Unlock EVERY EVENT!
Thanks to the hard work of glitch hunters like merrp and Sleipnir17, we now have FULL ACCESS to Arbitrary Code Execution in Pokemon Emerald. merrp originally...
YouTube
Waiting for the 100th launch at Verdeazzupoli.
It's iconic that every version of the game has a different Deoxys. Emerald has the speed form, while Ruby and Sapphire have the attack and defense ones (I don't remember in which order). Same for FireRed and LeafGreen.
Only from the 4th generation did they introduce the form-changing meteorites.
what problem do we have in Italy with computer prices?
I often look at second-hand listings, and I find sensible prices only in foreign listings (mostly Germany or the UK). Italians fill the platforms with listings thinking they can sell their beloved, worn-out laptop with an Intel Core i5 from 2nd gen (out of production since 2011) to 4th gen (out of production since 2014) for €200 and up. With a dead battery, worn keyboard and I/O ports, and often some minor trouble with the display.
When in every flyer the retail chains offer at least one new laptop at €250 (in the case of Chromebooks) or €350 ("entry level" but still incomparably faster than a 10-year-old machine and covered by warranty).
The chains, moreover, offer for Italy less powerful machines at higher prices compared with what you can buy abroad for the same amount. Here the standard still seems to be PCs with 8 GB of RAM, and those with 16 are passed off as "gaming" or "workstation".
And yet it doesn't seem to me that technology is unwelcome here. Maybe we want "the best" only when it comes to smartphones, and we are a second-tier market for PCs?
I am against hate speech;
so I will limit myself to saying I am annoyed with UPS, which records delivery attempts that failed because the recipient was absent without ever having come by.
Today I was telling a friend that when it's sunny you just need to hold out for those two hours at most in the morning, then the sun warms everything up, you can even open the windows until the afternoon and you don't need heating at all.
He tells me that, well, for me who works from home, sure, but that before leaving the house, to wash and get dressed, he wants the house warm...
And actually I can relate to what he says: before keeping warm became almost a luxury, I too used to turn on the heating in the morning, even though I knew that around 9:30/10 I would throw open the balcony doors (not because I'm a masochist, it's still 4 degrees colder outside, but to dry out the overnight condensation).
And besides, I felt colder when I had a steady 20 degrees at home during the day than now that I keep it at 117/8 during the day, dropping to 16 at night.
#xmpp explained badly
One of the hardest things for me is convincing friends to use IM systems other than WA or Telegram.
And it's hard above all because everything is so "appified" that anything that needs more than "download this app" to work gets labelled as "nerd stuff".
And perhaps it's not wrong to think so, if you think about how to present XMPP. For a start, what would you call it? Icsempipì? Jabber? Then: which app? Where to download it? Which provider? While these words will sound familiar in the context of those who chose the fediverse as their social network, for most other smartphone owners it will be gibberish. "Providers... Oh God!".
We haven't even talked yet about OMEMO, self-hosting, ethical and privacy reasons, decentralization, alternatives to GAFAM, freedom of client choice: even the simplest, ready-to-use approach is already too, too difficult.
I tried my hand at writing a post with the minimum number of down-to-earth instructions to get a few friends to try XMPP, but I didn't manage to make it as simple as I had hoped. It's full of delicate steps that will probably put off even those who would have liked to humour me and give it a try.
And yet: it really is easy to use. But something is missing that would make the whole thing truly self-explanatory, that would let you say "here, download this app" and have the rest be a guided path with a few steps to set everything up.
@roughnecks I see what you mean!
And I'd add that it's a real shame: XMPP works really well; in my opinion, if a way could be found to break down the initial "difficulty" it could have a fair amount of success.
At the moment the minimal instructions (really minimal, to the point of being crude) take a full page of explanations. It can't be attractive, if you can "do the same things" with other solutions that you can explain with two-word phrases like "Install Telegram".
Conversations - Jabber/XMPP client for Android
An open source instant messaging client. Easy to use, reliable, battery friendly. With built-in support for e2e encryption, group chats and media transfer.
conversations.im
1- find a Snikket server. If I maintained one myself and sent the invite, OK, it's very simple. Explaining to someone that they have to choose an existing server among those listed on xmpp.net and register already gets long.
2- find Conversations. If they open the Play Store, they see it's a paid app and give up. The other route involves explaining the existence of alternative stores
anyway, I think explaining it more simply than this is impossible.
Isn't Blabber free? Or is it not on the Play Store at all?
@Leo @mario @roughnecks
According to what I read here, not anymore:
blabber.im/en.html
There are many more-than-decent apps (mainly forks of Conversations such as Monocles, Cheogram and Blabber itself, if I'm not mistaken), but none on the Play Store. There you find a few clients that haven't been updated in a long time. Maybe AstraChat, but I took a quick look and it doesn't seem very "user friendly"
it's a shame. Without a good app on the Play Store you get nowhere; switching to an alternative app catalogue (F-Droid) is not something for everyone.
The only way is to find sponsors for Daniel, so he can make Conversations free.
I recently wrote a post detailing the recent #LastPass breach from a #password cracker's perspective, and for the most part it was well-received and widely boosted. However, a good number of people questioned why I recommend ditching LastPass and expressed concern with me recommending people jump ship simply because they suffered a breach. Even more are questioning why I recommend #Bitwarden and #1Password, what advantages they hold over LastPass, and why would I dare recommend yet another cloud-based password manager (because obviously the problem is the entire #cloud, not a particular company.)
So, here are my responses to all of these concerns!
Let me start by saying I used to support LastPass. I recommended it for years and defended it publicly in the media. If you search Google for "jeremi gosney" + "lastpass" you'll find hundreds of articles where I've defended and/or pimped LastPass (including in Consumer Reports magazine). I defended it even in the face of vulnerabilities and breaches, because it had superior UX and still seemed like the best option for the masses despite its glaring flaws. And it still has a somewhat special place in my heart, being the password manager that actually turned me on to password managers. It set the bar for what I required from a password manager, and for a while it was unrivaled.
But things change, and in recent years I found myself unable to defend LastPass. I can't recall if there was a particular straw that broke the camel's back, but I do know that I stopped recommending it in 2017 and fully migrated away from it in 2019. Below is an unordered list of the reasons why I lost all faith in LastPass:
- LastPass's claim of "zero knowledge" is a bald-faced lie. They have about as much knowledge as a password manager can possibly get away with. Every time you login to a site, an event is generated and sent to LastPass for the sole purpose of tracking what sites you are logging into. You can disable telemetry, except disabling it doesn't do anything - it still phones home to LastPass every time you authenticate somewhere. Moreover, nearly everything in your LastPass vault is unencrypted. I think most people envision their vault as a sort of encrypted database where the entire file is protected, but no -- with LastPass, your vault is a plaintext file and only a few select fields are encrypted. The only thing that would be worse is if...
- LastPass uses shit #encryption (or "encraption", as @sc00bz calls it). Padding oracle vulnerabilities, use of ECB mode (leaks information about password length and which passwords in the vault are similar/the same. recently switched to unauthenticated CBC, which isn't much better, plus old entries will still be encrypted with ECB mode), vault key uses AES256 but key is derived from only 128 bits of entropy, encryption key leaked through webui, silent KDF downgrade, KDF hash leaked in log files, they even roll their own version of AES - they essentially commit every "crypto 101" sin. All of these are trivial to identify (and fix!) by anyone with even basic familiarity with cryptography, and it's frankly appalling that an alleged security company whose product hinges on cryptography would have such glaring errors. The only thing that would be worse is if...
- LastPass has terrible secrets management. Your vault encryption key is always resident in memory and never wiped, and not only that, but the entire vault is decrypted once and stored entirely in memory. If that wasn't enough, the vault recovery key and dOTP are stored on each device in plain text and can be read without root/admin access, rendering the master password rather useless. The only thing that would be worse is if...
- LastPass's browser extensions are garbage. Just pure, unadulterated garbage. Tavis Ormandy went on a hunting spree a few years back and found just about every possible bug -- including credential theft and RCE -- present in LastPass's browser extensions. They also render your browser's sandbox mostly ineffective. Again, for an alleged security company, the sheer amount of high and critical severity bugs was beyond unconscionable. All easy to identify, all easy to fix. Their presence can only be explained by apathy and negligence. The only thing that would be worse is if...
- LastPass's API is also garbage. Server-can-attack-client vulns (server can request encryption key from the client, server can instruct client to inject any javascript it wants on every web page, including code to steal plaintext credentials), JWT issues, HTTP verb confusion, account recovery links can be easily forged, the list goes on. Most of these are possibly low-risk, except in the event that LastPass loses control of its servers. The only thing that would be worse is if...
- LastPass has suffered 7 major #security breaches (malicious actors active on the internal network) in the last 10 years. I don't know what the threshold of "number of major breaches users should tolerate before they lose all faith in the service" is, but surely it's less than 7. So all those "this is only an issue if LastPass loses control of its servers" vulns are actually pretty damn plausible. The only thing that would be worse is if...
- LastPass has a history of ignoring security researchers and vuln reports, and does not participate in the infosec community nor the password cracking community. Vuln reports go unacknowledged and unresolved for months, if not years, if not ever. For a while, they even had an incorrect contact listed for their security team. Bugcrowd fields vulns for them now, and most if not all vuln reports are handled directly by Bugcrowd and not by LastPass. If you try to report a vulnerability to LastPass support, they will pretend they do not understand and will not escalate your ticket to the security team. Now, Tavis Ormandy has praised LastPass for their rapid response to vuln reports, but I have a feeling this is simply because it's Tavis / Project Zero reporting them as this is not the experience that most researchers have had.
You see, I'm not simply recommending that users bail on LastPass because of this latest breach. I'm recommending you run as far away as possible from LastPass due to its long history of incompetence, apathy, and negligence. It's abundantly clear that they do not care about their own security, and much less about your security.
So, why do I recommend Bitwarden and 1Password? It's quite simple:
- I personally know the people who architect 1Password and I can attest that not only are they extremely competent and very talented, but they also actively engage with the password cracking community and have a deep, *deep* desire to do everything in the most correct manner possible. Do they still get some things wrong? Sure. But they strive for continuous improvement and sincerely care about security. Also, their secret key feature ensures that if anyone does obtain a copy of your vault, they simply cannot access it with the master password alone, making it uncrackable.
- Bitwarden is 100% open source. I have not done a thorough code review, but I have taken a fairly long glance at the code and I am mostly pleased with what I've seen. I'm less thrilled about it being written in a garbage collected language and there are some tradeoffs that are made there, but overall Bitwarden is a solid product. I also prefer Bitwarden's UX. I've also considered crowdfunding a formal audit of Bitwarden, much in the way the Open Crypto Audit Project raised the funds to properly audit TrueCrypt. The community would greatly benefit from this.
Is the cloud the problem? No. The vast majority of issues LastPass has had have nothing to do with the fact that it is a cloud-based solution. Further, consider the fact that the threat model for a cloud-based password management solution should *start* with the vault being compromised. In fact, if password management is done correctly, I should be able to host my vault anywhere, even openly downloadable (open S3 bucket, unauthenticated HTTPS, etc.) without concern. I wouldn't do that, of course, but the point is the vault should be just that -- a vault, not a lockbox.
I hope this clarifies things! As always, if you found this useful, please boost for reach and give me a follow for more password insights!
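The ECB point in the post above (the same password showing up as the same ciphertext), as an added example that is not from the post or from any vendor's code: a constructed three-entry vault is encrypted field by field with AES-ECB and with AES-GCM under a fresh random nonce, and the ciphertexts alone are compared. The entry names, passwords, helper names and per-field layout are assumptions for illustration; Go is used because its standard library ships both modes.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// entry is one vault record; the values below are constructed sample data.
type entry struct{ site, password string }

var sampleVault = []entry{
	{"mail.example", "correct horse battery"},
	{"bank.example", "Tr0ub4dor&3"},
	{"forum.example", "correct horse battery"}, // same password reused
}

// encryptECB pads with PKCS#7 and encrypts every 16-byte block on its own.
// It is deterministic: equal plaintext under one key gives equal ciphertext.
func encryptECB(key, pt []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	n := aes.BlockSize - len(pt)%aes.BlockSize
	padded := append(append([]byte{}, pt...), bytes.Repeat([]byte{byte(n)}, n)...)
	out := make([]byte, len(padded))
	for i := 0; i < len(padded); i += aes.BlockSize {
		block.Encrypt(out[i:i+aes.BlockSize], padded[i:i+aes.BlockSize])
	}
	return out, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptGCM returns nonce || ciphertext || tag with a fresh random nonce,
// so encrypting the same password twice gives unrelated output.
func encryptGCM(key, pt []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, pt, nil), nil
}

// decryptGCM verifies the tag before returning plaintext; any modification
// of the stored bytes is reported as an error instead of being decrypted.
func decryptGCM(key, sealed []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, fmt.Errorf("ciphertext shorter than nonce")
	}
	ns := aead.NonceSize()
	return aead.Open(nil, sealed[:ns], sealed[ns:], nil)
}

// encryptVault encrypts each password field of the sample vault with enc.
func encryptVault(key []byte, enc func([]byte, []byte) ([]byte, error)) ([]string, [][]byte, error) {
	var names []string
	var cts [][]byte
	for _, e := range sampleVault {
		ct, err := enc(key, []byte(e.password))
		if err != nil {
			return nil, nil, err
		}
		names = append(names, e.site)
		cts = append(cts, ct)
	}
	return names, cts, nil
}

// duplicateGroups lists entries whose ciphertexts are byte-identical, which
// is all that someone holding the vault file without the key can compare.
func duplicateGroups(names []string, cts [][]byte) [][]string {
	byCT := map[string][]string{}
	var order []string
	for i, ct := range cts {
		k := string(ct)
		if _, seen := byCT[k]; !seen {
			order = append(order, k)
		}
		byCT[k] = append(byCT[k], names[i])
	}
	var groups [][]string
	for _, k := range order {
		if len(byCT[k]) > 1 {
			groups = append(groups, byCT[k])
		}
	}
	return groups
}

func main() {
	key := make([]byte, 32) // assumption: a random 256-bit key, not a password-derived one
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	modes := []struct {
		name string
		enc  func([]byte, []byte) ([]byte, error)
	}{{"ECB", encryptECB}, {"GCM", encryptGCM}}
	for _, m := range modes {
		names, cts, err := encryptVault(key, m.enc)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s: entries sharing a ciphertext: %v\n", m.name, duplicateGroups(names, cts))
	}
}
```
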
@rymdkraft godsdamnit. It took me years to get my fam onto LP. If anyone has a rec for which has a good family plan and the best UX, either 1P or BW, lmk.
Thank you for the security review. It was sufficiently techy, but layman as well.
@vincent @rymdkraft 1Password has a good family plan, but most of all the UX... It's simply excellent.
You can add any kind of custom field to any login element. It's a killer feature.
It handles login forms with two different password fields gracefully (which is great on some Italian state websites).
It also supports other kinds of elements (such as software license, server and so on).
@scotclose I have said exactly zero words about the source code being leaked
But I think the point is not the source code itself, but rather their ability to control access to secret information. Which, as a password manager vendor, is pretty fuckin critical.
I have one non technical user thought.
I recently tried Dashlane, in a small way, for some new sites I was trying.
Then when I was out and about it logged me out because I was changing IP. And it wouldn't let me back in.
Now this happens in rural Wales. You're often a distance from the nearest transmitter, so switching is common.
This might be an added security check. But it's damned inconvenient. Too inconvenient. I wouldn't recommend it to Welsh people.
@charlesroper @marqle @cirriustech
I have used LastPass for numerous years and feel their UX has actually gotten *worse* over time. Maybe they want to push users towards their browser plugins, which I don't want to use for security reasons.
Their macOS desktop vault software is terrible in So. Many. Ways. I can't even count. And it's gotten worse. Their UX on Android has *rudimentary* flaws. Etc.
I'm pretty much done with them as of this week.
As a programming languages researcher, I'm intensely curious what your complaint about garbage collection is.
My only speculation is that you're unhappy that data might linger on the heap longer than one wants until the GC kicks in. But that's a problem of not zeroing out the data, right, not of GC per se? Unless you feel it lets programmers ignore this issue?
The flip side is that that code likely has fewer exploits due to memory mis-management bugs.
Totally agree. That's a known weakness.
But you've also gotta admit the flip side, which is that reduction of seg faults is a thing, too. Programmers have not shown themselves to be terrific at avoiding those either, and it's a pretty straight line from seg fault to p0wned.
(This is not a defense of GC, so much as "we need all of this, and more".)
@hayley
Oh yeah, for sure. I think these kinds of failures have been documented for a while now.
Another is "optimizing" "redundant" instructions added to then/else branches, thereby leaking bits from a crypto computation, thereby leaking keys.
The flip side is that what a compiler taketh, a compiler can, uh, giveth, too. I'm excited by projects like Everest [project-everest.github.io/]. Eventually these will go farther than most humans on their own can.
Project Everest
Project page for the Project Everest. The page features information about the project, blog covering interesting developments, paper references and everything...
project-everest.github.io
GitHub - PLSysSec/FaCT: Flexible and Constant Time Programming Language
Flexible and Constant Time Programming Language. Contribute to PLSysSec/FaCT development by creating an account on GitHub.
GitHub
@hayley
Right. I've seen a few projects like this and I'm excited about them.
The problem is that crypto created a bunch of new safety constraints that languages had not been designed around.
That just means we have to design around more of them, not that we have to put all that burden on programmers.
Thanks for that info. I'm afraid I don't quite understand it. GC should be a semantic no-op, so how can GC have "copied it under the hood" but have missed your zero-out? (Unless you mean it was a bug in the GC.) So I'd appreciate if you could elaborate a bit.
@neilmadden
Also, perhaps relevant is that the OP and others and I had a brief exchange already:
mastodon.social/@epixoip@infos…
But the "GC copied under hood" still feels different.
Oh: maybe you mean that your zero-writes went to the new version of the data, while the stale version still had the secrets? That is, the former from-space and current to-space still have the secrets until it gets written over in to-space?
Jeremi M Gosney :verified: (@epixoip@infosec.exchange)
@shriramk@mastodon.social @sc00bz you pretty much nailed it. Typically in crypto applications it is highly desirable to have direct control over buffers, and sometimes even registers, to ensure we know exactly what is happening with the data and to e…
Infosec Exchange
Keeper vs LastPass: What's the Difference? - Keeper
From price to product offerings, this comprehensive guide takes you through the key differences between the password managers Keeper Security and LastPass.
Craig Lurey (Keeper Security)
@KeeperSecurity folks considering Keeper as a password manager should be aware of their litigious history with the security community: techdirt.com/2018/03/09/keeper…
They have a bug bounty now (bugcrowd.com/keepersecurity ) but it does not allow researchers to disclose bugs (see “Disclosure” section) which to me represents a failure to engage with the security community. No amount of acronym certifications will make that ok for such a critical piece of security infrastructure.
Keeper Security Reminds Everyone Why You Shouldn't Use It; Doubles Down On Suing Journalist
I cannot keep this to myself. There is a website (radio.garden) where you can listen to radio stations all over the world for free. No log in. No email address. Nothing.
When the site loads, you are looking at the globe. Slide the little white circle over the green dots (each green dot is a radio station) until you find one you like.
I have been listening to this station in the Netherlands and it absolutely slaps.
EDIT: Replies tell me that this doesn't function in the UK without a VPN.
@kristinHenry This is sort of a powerful #SerendipityEngine.
Is there a special place in the Fediverse for national/regional/local radio stations, @aral?
@koherecoWatchdog @otterlove
radio.garden/api/ara/content/l…
I was able to find this buried in the page; not sure what the string of digits after the ? is, but it seems to have an API that streams an mp3
Fedfree is live! fedfree.org/
Fedfree is a website aimed at teaching people how to run their own servers, of various kinds, on libre operating systems e.g. Linux and BSD. It aims to do this, using libre software exclusively, teaching people about the importance of libre software and hardware as it pertains to freedom; the right to use, study, adapt, share. The right to read. Universal access to knowledge… education. Education is the goal.
One tutorial so far, but more are coming.
Writing DNS server tutorial now. Specifically: authoritative name server e.g. ns1.domain.com, ns2.domain.com
A lot of webhosting guides online tell you to log in to some registrar's name server to set records in some web interface. That's lame.
I've run my own DNS for years. I directly edit zone files in Vim.
That is how it should be done.
The guide that I'm writing will show you how to do it too.
Learning a lot, in the process of writing guides. I'm writing a guide about DNS (ns1, ns2.domain.com, etc).
I audited my httpd; I was still supporting TLS 1.0 and 1.1! According to Qualys SSL Labs, my grade was B; removed TLS 1.0 and 1.1 and now I get A+. Tested on av.vimuser.org (now only does TLS 1.2 and 1.3) - will do the rest of my sites in a little while
My preferred way to handle tutorials is: provide tar archives with working sample configs, for the user to adapt, and explain each part.
More fun while writing guides: I'm writing DNS and httpd guides simultaneously, not yet published, and I found one very important thing:
I had forgotten to set IPv6 glue records for my name server! IPv6 glue and ns delegation with reverse lookup...
anyway, mythic-beasts.com/ipv6/health-…
mythic-beasts.com/ipv6/health-…
i get perfect scores now
i previously had dual stack IPv4+IPv6, and still do, but I *previously* did not have IPv6 glue configured for my DNS even though the name server itself responded on v6
A comic by my friend Dan Perkins, aka Tom Tomorrow, with the script generated by an AI.
Cartoon: They write themselves
dailykos.com/story/2022/12/26/…
Cartoon: They write themselves
As always, if you find value in this work I do, please consider helping me keep it sustainable by joining my weekly newsletter, Sparky’s List! You can get it in your inbox or read it on ...
Daily Kos
Rotary Keyboard
Link: squidgeefish.com/projects/rota…
Discussion: news.ycombinator.com/item?id=3…
I read about a #GrapheneOS feature that I find wonderful: being able to set up isolated user profiles.
For me it would be the perfect solution to have a single device and keep the apps I am forced to have for work (WA, company VoIP, Teams) in one profile, keeping the other one clean and free of Google services.
Unfortunately this means having to buy a Pixel 6 or later, whose refurbished prices are sadly close to new.
I was wondering: is this an exclusive feature, or are there other #android OSes that allow a similar setup?
@macfranc from what I know, what Graphene lets you do is above all keep Google's services in a separate profile so as not to "contaminate" your own.
Do you already know Shelter? lealternative.net/2022/04/22/s… lets you do exactly what you describe by using the Android work profile
Shelter - Le Alternative
With Shelter you can use Android's work profile to install the applications you would gladly do without. skariko (Le Alternative)
If so, I could get the same result by looking at more affordable devices as well
I read that #lineageos implements SELinux, but that serves to enforce policies on what a process may or may not do. Very important, but it seems to me a different concept; I imagine the same goes for /e/, which derives from it
@matchboxbananasynergy really useful insights and advice, thank you!
I am very much oriented towards GrapheneOS, it seems to me that it is a well-designed system, and that it offers concrete and efficient solutions to have (a little) more control over one's device.
So I'm starting to keep an eye on the ads for a Pixel 😁
The Rise of User-Hostile Software [2021]
Link: den.dev/blog/user-hostile-soft…
Discussion: news.ycombinator.com/item?id=3…
The Rise Of User-Hostile Software
Or why software we get today is not the software we should strive to be getting tomorrow. Den Delimarsky (den.dev)
strange bug in Firefox - long post
On my PCs I use #firefox installed via #Flatpak, for a couple of reasons: I like always having the latest version of the browser, I like being able to control (through #flatseal) how much FF can interact with the rest of my system, and finally for me it was the simplest and most painless way to start FF in #wayland mode without odd scripts (again thanks to Flatseal).
However, I am experiencing a strange bug. When, in Gnome, I open firefox from the icon, I get continuous, reproducible crashes. Usually it is enough to open the browser and go into the settings, or open two or three bookmarks, and the program crashes and closes. The tool for examining the error or sending it to FF is not offered, and sometimes it restarts in safe mode, with all extensions disabled.
At that point I launched the program from a terminal, using
flatpak run org.mozilla.firefox
to see whether, at least at the moment of the crash, some indicative output would be produced. But when launched from the terminal the crash does not happen.
So I open Alacarte and discover that FF's graphical launcher is a bit more complex than what I had typed in the terminal:
/usr/bin/flatpak run --branch=stable --arch=x86_64 --command=firefox --file-forwarding org.mozilla.firefox @@u %u @@
I copy-paste the string into the terminal (without the final part, from @ onwards) to understand whether the problem was in one of the options passed by the launcher; but, in this case too, firefox launched from the terminal is the same old firefox, solid as a rock, zero crashes, even with all extensions active.
I also tried the opposite, that is, removing the additional options from the graphical launcher, but opening FF from the icon I keep getting these crashes after the first interactions.
I searched on DDG and even on GGL, but I could not find similar reports.
The situation occurs identically on both laptops on which I have this configuration (Gnome, Firefox from Flatpak).
My investigative abilities stop here. If there were any suggestions, they would be very welcome!
At this point I am starting to suspect all that abundance of @ and u in the launcher. Shouldn't it be just a %u?
Unless it is a particular syntax for passing arguments to a flatpak
Edit: apparently that is exactly the case
docs.flatpak.org/en/latest/fla…
UPDATE
It probably won't be useful to anyone and I will be the only one to have experienced it (on two PCs, no less!), but I think I managed to solve the problem in a way so unscientific that I am almost ashamed of it.
Basically I reopened trusty Alacarte, copied the string of the launcher created by the flatpak and made a new launcher with the very same string.
If I launch #Firefox from this new launcher, the program does not crash.
If I use the original launcher, it does.
I'm leaving the "solution" here, maybe it will be useful to someone.
Not without disappointment at not having understood the mystery behind all this
Friendica 2022.12 released
We are very happy to announce the availability of the new stable version of Friendica. Wrapping up the sprint from the 2022.10 release of Friendica we closed 73 filed issues and had almost 300 pull requests by 19 contributors.
A special thanks goes out to Christian Pöschl from usd AG and Matthias Moritz who have found a CSRF- and XSS-attack, that is fixed with this release.
In addition to fixing this bug, the highlights of the changes since the 2022.10 release are
- The default theme of Friendica (frio) got many improvements and some old themes got deprecated.
- The calendar saw some improvements and can now be made visible to anonymous visitors.
- The homepage mentioned on the user profile is now automatically verified via the rel-me backlink.
- Images attached to a posting are now shown in a grid at the bottom of the posting.
- A moderation corner was established from the admin panel where a future release will add more moderation tools and bundle them with the current ones.
For details, please see the CHANGELOG file in the repository.
Since version 2022.06 the lowest required PHP version Friendica needed on the server was raised to PHP 7.3 and PHP 8.0 is supported.
What is Friendica
Friendica is a decentralized communications platform you can use to host your own social media server that integrates with independent social networking platforms (like the Fediverse or Diaspora*) but also some commercial ones like Twitter.
How to Update
Updating from old Friendica versions
If you are updating from an older version than the 2022.06 release, please first update your Friendica instance to that version as it contained some breaking changes.
Pre-Update Procedures
Ensure that the last backup of your Friendica installation was done recently.
Using Git
Updating from the git repositories should only involve a pull from the Friendica core repository and addons repository, regardless of the branch (stable or develop) you are using. Remember to update the dependencies with composer as well. So, assuming that you are on the stable branch, the commands to update your installation to the 2022.12 release would be
cd friendica
git pull
bin/composer.phar install --no-dev
cd addon
git pull
If you want to use a different branch than the stable one, you need to fetch and checkout the branch before you perform the git pull.
Pulling in the dependencies with composer will show some deprecation warnings; we will be working on that in the upcoming release.
Using the Archive Files
If you had downloaded the source files in an archive file (tar.gz) please download the current version of the archive from friendica-full-2022.12.tar.gz (sha256) and friendica-addons 2022.12.tar.gz (sha256) and unpack it on your local computer.
As many files got deleted or moved around, please upload the unpacked files to a new directory on your server (say friendica_new) and copy over your existing configuration (config/local.config.php and config/addon.config.php) and .htaccess files. Afterwards rename your current Friendica directory (e.g. friendica) to friendica_old and friendica_new to friendica.
The files of the dependencies are included in the archive (make sure you are using the friendica-full-2022.12 archive), so you don’t have to worry about them.
Post Update Tasks
The database update should be applied automatically, but sometimes it gets stuck. If you encounter this, please initiate the DB update manually from the command line by running the script
bin/console dbstructure update
from the base of your Friendica installation. If the output contains any error message, please let us know using the channels mentioned below.
Please note, that some of the changes to the database structure will take some time to be applied, depending on the size of your Friendica database.
Known Issues
Regarding the update process none as of writing.
How to Contribute
If you want to contribute to the project, you don’t need to have coding experience. There are a number of tasks listed in the issue tracker with the label “Junior Jobs” we think are good for new contributors. But you are by no means limited to these – if you find a solution to a problem (even a new one) please make a pull request at github or let us know in the development forum.
Contribution to Friendica is also not limited to coding. Any contribution to the documentation, the translation or advertisement materials is welcome or reporting a problem. You don’t need to deal with Git(Hub) or Transifex if you don’t like to. Just get in touch with us and we will get the materials to the appropriate places.
Thanks everyone who helped making this release possible and have fun!
using WP + elementor for my personal home page.
Added rel=me to a link in the page pointing at my #Friendica profile per the elementor instructions.
Not working?
Most likely I am doing it wrong.
Or else - where do I send my $8 to get my blue check!?
rel=“me” presence is checked once on profile form submission, and then once a day. Please resubmit the profile edit form first.
Thanks.
Didn't seem to do anything.
Don't worry about it, not all that important, just thought I'd try out "the cool new feature"
@Hypolite Petovan strange I don't see it (yet?)
But thx - #Friendica is still the best fedi server and updates are a breeze
@Friendica News
I think your speed experience of old was more based around that specific instance and its configuration (and it is no longer running). My Friendica installation is as quick and responsive as my Akkoma instance.
On the topic of Friendica I was also somewhat surprised to notice the new (beta) app Mammoth is showing my Friendica instance quite well. Surprised especially since Mammoth does not show my Akkoma (i.e. Pleroma) instance (which the app MetaText does though).
@news
Depends how you define speed. I run my instance for several years now and I think Friendica became much faster and easier on server resources in last three or so versions.
However obviously it depends on the instance and how loaded it is.
Also certain operations in Friendica are slower by design compared to some other platforms. E.g. when you post a comment it isn't fired to other servers almost immediately like in Mastodon but is sent on next worker run which typically is every several minutes. In that regard Friendica feels less like chat and more like email 😀
Oh nonsense, this evening. I do have such a nice VM infrastructure, after all! Take a snapshot and the update could slide right through. Then wait another 5 minutes for the DB update and the "Zwenkauer Flaschenpost" is up to date again.
Thanks, folks!
With a table of pics at the end of the post it would look like fucking FB. 🙁
@AndiS 🌞🍷🇪🇺 The change we added to .htaccess-dist must be applied manually by node admins to their respective .htaccess file because we don't have access to them from the official Friendica repository.
If you paste the contents of your .htaccess file, I'll be able to give you the updated version.
was raised to PHP 7.3 and PHP 8.0 is supported.
I'd say 8.1 is supported, not sure why you kept 8.0.
@Hypolite Petovan @Friendica News I see. I got no personal webpage to try, so I checked all the options I had in order not to create an additional account somewhere just for this. So I found that Gravatar also provides Mastodon verification and decided to try it out here as well.
It's been more than one day already and it's still not showing up the checkmark on my profile here. I wasn't sure if I mistook something or if Gravatar is simply not the right tool for this.
@Александр @Cătălin Petrescu I don't see it either, grmbl.
It would show the error in the Friendica log, though, you can grep for "CheckRelMeProfileLink" for more information.
I did some testing on my server and it seems some links indeed don't pass verification. Perhaps the parser is too strict. I noticed that one of the non-working links has a link HTML tag instead of a, and the other has several values in the rel attribute - maybe this is what breaks the check?
Hypolite Petovan likes this.
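The two cases raised in the comment above (a `link` element instead of `a`, and a `rel` attribute carrying several values) can be checked with a small stand-alone verifier. This is an added example, not Friendica's code: the names `RelMeCollector`, `rel_me_targets` and `verifies`, and the `social.example` pages, are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


def normalize(url):
    """Reduce a URL to a comparable tuple: lowercase scheme and host,
    no trailing slash on the path, fragment ignored."""
    parts = urlsplit(url.strip())
    return (parts.scheme.lower(), parts.hostname or "", parts.port,
            parts.path.rstrip("/"), parts.query)


class RelMeCollector(HTMLParser):
    """Collect the href of every <a> or <link> whose rel contains the token 'me'."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names for us.
        if tag not in ("a", "link"):
            return
        first = {}
        for name, value in attrs:
            # If an attribute is repeated, the first occurrence wins.
            first.setdefault(name, value or "")
        # rel is a space-separated token list, compared case-insensitively.
        rel_tokens = first.get("rel", "").lower().split()
        if "me" in rel_tokens and first.get("href"):
            self.hrefs.append(first["href"])


def rel_me_targets(html):
    """Return all rel=me link targets found in the document, in order."""
    collector = RelMeCollector()
    collector.feed(html)
    collector.close()
    return collector.hrefs


def verifies(html, profile_url):
    """True if the page links back to profile_url with rel=me."""
    want = normalize(profile_url)
    for href in rel_me_targets(html):
        try:
            if normalize(href) == want:
                return True
        except ValueError:  # malformed port in href: ignore that link
            continue
    return False


# Constructed sample pages (not taken from any real site).
PROFILE = "https://social.example/profile/alice"
PAGE_LINK_TAG = '<html><head><link rel="me" href="https://social.example/profile/alice"/></head></html>'
PAGE_MULTI_REL = '<p><a rel="noopener ME noreferrer" href="https://Social.Example/profile/alice/">me</a></p>'
PAGE_SUBSTRING = '<a rel="home" href="https://social.example/profile/alice">home</a>'
PAGE_OTHER_USER = '<a rel="me" href="https://social.example/profile/mallory">me</a>'

if __name__ == "__main__":
    for name in ("PAGE_LINK_TAG", "PAGE_MULTI_REL", "PAGE_SUBSTRING", "PAGE_OTHER_USER"):
        print(name, verifies(globals()[name], PROFILE))
```

Matching on whole `rel` tokens rather than substrings is what keeps `rel="home"` from counting as a backlink, and comparing the full normalized URL keeps a link to another account on the same server from verifying.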
That's what I was trying to point out 😁 Thanks, @Александр!
@Hypolite Petovan, It's not my server, I don't know how to access these logs. Is there an option in the settings or anything?
@Hypolite Petovan @Александр Thanks. For now I tried to change the link and modify it a couple of times, however gravatar seems to have some limits in the number of verifications, so I failed verification on Gravatar as well now, haha.
Thanks for using my profile as a guinea pig, hope this will help others tho.
Edit: here's the message I receive now, haha, oups
Edit2: Just managed to add the link back on Gravatar side. Not gonna edit any longer for now unless there is a sure fix for it. Looking forward for this 😁
@Jonathan "Mastodon" Lamothe just pull/update and then quickly look in the shipped .htaccess-dist or so and there is a rewrite rule line with an additional B compared to your current version, so only one capital letter B needs to be added.
.htaccess file, yes.
in 2017 half of the Estonian electronic cards were suspended because of a risk of identity theft, following the discovery of a bug in the microchips.
there were 760 thousand of them (Estonia is smaller than Milan); fixing them was not a big problem.
let's imagine Italy in 2030 with 50 million CIEs issued, used for authentication, and that a bug is discovered. they have to be suspended and reissued (for online use, not for showing them to the traffic officer)
how long does it take? 3 years?
and in the meantime do we go back to stamped paper and counters?
./
now let's imagine that it is 2030 and a bug is discovered in an app of one of the 12 identity providers (today there are already 10)
the app gets updated and re-downloaded
how long does it take to restore? hours, a few days, and only for a part
a nasty service disruption, but it does not block the country
That is why many credential verifiers (called "identity providers") are more resilient than a single one, and why a software solution based on smartphones systemically offers more guarantees of antifragility
./
the CIE is useful; it offers a level 3 that SPID normally does not have, but IMHO it is better for it to coexist with smartphone-based software means that do not depend on a smartcard.
SPID and CIE must be improved.
first of all, the SPID delegation system, which lets an elderly person delegate their child or the CAF, an administrator delegate the secretary, a citizen delegate their accountant or lawyer, must be brought into full operation, beyond the current 3 cities
./
it must be simplified by automating the choice of the credential verifier ("identity provider") during the login phase
access via SPID must be extended to private operators of public services (e.g. private hospitals, private laboratories, etc.) as provided for in the law that established SPID.
and various other minor things.
the CIE system must be enriched with the guarantees for the citizen that today only SPID has
./
over time, a great many activities will take place online with a digital identity
a digital credential is not like a paper document: if you show it to buy liquor in a shop, the Ministry of the Interior is not notified
when you use the CIE online, the operator knows
the SPID operators are fragmented, cannot touch the data, and are supervised by AgID, the privacy authority and the judiciary
oversight of the CIE must be strengthened, not left solely to the Minister of the Interior of the day
IMHO
/end
Which is the same reason why they do not want/plan to renew the electronic sending of medical prescriptions.
The CIE can be read directly by the requesting site as a client certificate, without anything being transmitted to the ministry.
The problem is that this mode works only on desktop PCs with a suitable reader.
In theory, the app could supply the CIE data directly to the requesting site, but it has been implemented to talk only to the ministry's site.
I understand and share your reasoning, but you have to keep in mind that we are engineers. You lent yourself to being a politician for a while; you should have understood that logic does not dwell in those who govern us.
My wife renewed her ID card in Italy and they gave her a paper one because we are resident abroad. I suspect that, besides SPID being more convenient, I risk never having a CIE.
PS: how can I help you in this battle between logic and stupidity?
@sc
Sheer madness.
We remain experts at destroying what works and making worse what doesn't.
@sc actually it is possible to have the CIE abroad, but you need to be registered with A.I.R.E
esteri.it/it/servizi-consolari…
In any case SPID remains by far the more practical.
actually I think that whoever developed the CIE did not consider the problem of Italians resident abroad.
It seems to me that the government is very busy dismantling the positive things that we had been forced to implement because of the pandemic, not least the matter of the electronic transmission of the dematerialised prescription which, fortunately, remains in force for another year, when the health service has for years relied on the CF as sufficient to obtain medicines.
@claurex @quinta
From what I know, the CIE is a digital authentication system identical to SPID.
The only difference is that authentication via CIE is managed directly by the State, while SPID is managed by private entities under strict control of the State
(Anyway, in my opinion they make these statements to shift attention, so I don't want to go along with it and talk about it. In 1 year nothing will have changed, also because with the current chip shortage you cannot order 50/60 million chips from anyone)
but what are you going to do with all that free time if we make everything automatic for you? You'll end up reading something or, even worse, thinking, putting two ideas together, and then you turn into an intellectual with all those October Revolution ideas.
No way, come on. Better that you stand in a queue every now and then, socialise with the old guy, and we all live more serenely.
It does not necessarily have to use a client certificate at that point.
It would be enough for the requesting site to open a URI handled by the app, and for the app then to respond with the data chosen by the user.
If desired, the app could even have trusted lists and blacklists to better inform the user.
Then, speaking of privacy, I don't know whether it is better for a site where I want to identify myself to also read the document number and the certificate ID, or for a third party to see all my accesses.
I think the advantage of not having to depend on third parties for the assignment of SPID is beyond doubt.
That said, in Sweden they use a personal code (practically public) and authentication via SMS, a system that seems really fragile to me, and yet they use it without worry. NFC seems sufficient to me, and personally I have had no problems; you learn what the best position is and it works.
@agonio let me remind you that in Italy it is done by sending a copy of an identity document (how many times have we been asked "send me a copy of your document"? this is why.)
it is MUCH more vulnerable even than SMS
ah ok, I thought SPID was an alternative to the CIE, which not everyone has yet
SMS is vulnerable because I was the one who told them the number to send it to lol
I signed two NDAs like this: personal number, and SMS to a number I gave them on the spot.
It would be enough to know the 4 "secret" digits of the personal number, and put in a different phone number, to sign in my place.
Evidently they prefer to solve problems when they arise rather than build an exploit-proof system
see here mastodon.uno/@quinta/109551280…
quinta :ubuntu: (@quinta@mastodon.uno)
Attachment: 2 images I have updated my FAQ on SPID, also adding points relevant to the discussions of recent days https://blog.quintarelli.it/spid (the updates are clearly highlighted) and then there are these considerations below, which would be Mastodon Uno Social - Italia
However, it can allow you to deposit documents or fill in forms in spaces that the PA creates only following your authentication with SPID. Think about it: you could validate/sign a document in a space authenticated with SPID, and what would change compared to a digital signature? If you think about it, it would meet the same requirements of the CAD, namely having authentication with a password and a physical device (the phone with its app).
I think the certificate on desktop worked with the major browsers.
@dani1967 @amreo duckduckgo.com/?q=firma+spid&t…
this software for administrations made by the company opencontent does exactly what you say, and even more
here is the demo
devsdc.opencontent.it/comune-d…
a bug in the microchip is not very credible as an excuse. simple things like a smartcard are subject to formal verification.
they could have said "it was the hackers" like in Italy
unfortunately it is all true; we had to recall a few hundred thousand cards.
All because of the race for fucking performance: they invented a shitty system for doing fast primality tests.
But from there to saying the cards should be thrown into the sea is quite a stretch.
The enormous difficulty of creating fake electronic identity cards alone is worth the whole contraption.
Until last year the municipalities were equipped to issue CIEs, but now it has become hard to find cards on the market and I think we are going back to the... paper card
In our case the cards were, for instance, COSMO ID ONE Oberthur. Consider that they would have had to withdraw MILLIONS of CNS in Italy, when they realised that the issuing system in use did not trigger the problem.
thanks for the appreciation
I recommend reading blog.quintarelli.it/spid
One of the reasons why, if possible, it is advisable to join small instances
BIG NEWS: Pawoo.net, the world's 2nd biggest Mastodon instance, has just been acquired. The entity acquiring them is the Mask Group, a business that also runs mstdn.jp and mastodon.cloud. They are also active in the so-called "Web 3.0" space.
If you haven't heard of pawoo.net, it's because many instances have de-federated from it.
finance.yahoo.com/news/mask-ne…
There were three men came out of the West
Three kings both great and high
And they have sworn a solemn oath
John Mastodon must die.
They took a tank and ran him down
With bullets in his head
And they have sworn a solemn oath
John Mastodon was dead
But when the Spring came kindly on
And showers began to fall
John Mastodon got up again
And did surprise them all...
this has to be one of the best takes of #JohnMastodon I’ve seen.
Also, we can all sing it together, over a good cup brewed from John’s bones.
I recognise that song! Well done.
😀
I shall have to go listen to John Barleycorn now...
I can't put into words how happy I am to have you in this space to fill our timelines with little gems like this.
Also, can't wait for your next book! 😊
Now, sing this to the tune of the Gilligan's Island theme song...
You're welcome.
"John Mastodon must die"?
Reading that, this inspiration particle just floated into my mind:
Yeah, John Mastodon,
Social media icon,
They put some poison into his wine.
Yeah, John Mastodon,
Federated mighty-mon,
He drank it all and said "I feel fine!"
(I'm sure the tune will stay in my head until I've come up with the whole song.)
John Barleycorn
Provided to YouTube by Universal Music Group / John Barleycorn · Traffic / John Barleycorn Must Die / ℗ An Island Records recording; ℗ 1970 Universal Music Operations... YouTube
brilliant!
had this track going through my head the whole time reading it too:
youtube.com/watch?v=lYMW24HgGV…
John Barley Corn (Traffic - John Barleycorn Must Die)
There were three men came out of the west, their fortunes for to try / And these three men made a solemn vow / John Barleycorn must die / They've ploughed, they've so... YouTube
Nice one!
A fine addition to the lore of #JohnMastodon by #NeilGaiman (to help steer people here!)
It just came in that way..
Holy moly! #JohnMastodon origin story incoming courtesy of comic book writer & author of several amazing books turned into television series.
Then we wouldn't be in this mess today
I know we've all gone different ways
But the dues we've gonna pay still the same
It's time to change the script for this old play
You're readin' and not feelin' what you say
Comin' on too strong for me to stay
Interpret what you see in any way
It seems the simple things
Are hardest to explain
Wind is gonna come too soon
And deaden all the pain
Footprints in the snow will show...
"And little Sir John and the nut-brown bowl
And his brandy in the glass;
And little Sir John and the nut-brown bowl
Proved the strongest man at last.
The huntsman, he can't hunt the fox
Nor so loudly to blow his horn
And the tinker he can't mend kettle nor pot
Without a little Mastodon."
There's an old German song just like this.
Auf einem Baum ein Kuckuck, –
Sim sa la bim, bam ba, sa la du, sa la dim
Auf einem Baum ein Kuckuck saß.
#JohnMastodon mastodon.social/@1moremin/1095…
pstmrtm_ (@1moremin@mastodon.social)
Attached: 1 image #JohnMastodon #JohnMastodonMemorialDay #JohnMastodonMustDie Mastodon
🎶Soon may the Wellerman come
To bring us sugar and tea and rum
One day, when the tonguing is done
We'll take our leave and go🎶
I'll let myself out
The King of Birds took up his sword
And cast his solemn vow.
No mortal men shall say his name,
Else he be stricken down.
And all his jesters clapped and cheered
For speech was freed that day
Except for all the speech
They didn't want someone to say.
But John Mastodon, his eyes afire
Grinned his tusky grin, elated
"I am no mortal man," said he.
"I am... federated."
for anyone who doesn’t recognise the lyrics:
music.apple.com/au/album/john-…
John Barleycorn (2009 Remaster) by Steeleye Span
Listen to John Barleycorn (2009 Remaster) by Steeleye Span on Apple Music. 1972. Duration: 4:50 Apple Music
this is brilliant. Thank you!
Here, a 21st century cyber-medium combined with a great human legacy - humankind's age-old gift of story and allegory to teach, illustrate and illuminate life's most important lessons.
Surprise them we shall.
So glad to be following you here as well.
A trio of murders with a writing utensil
So now I pass down the Mastodon saga
The man, the myth, the Baba Yaga
Victor Jara
Provided to YouTube by The Orchard Enterprises / Victor Jara · Arlo Guthrie / Amigo / ℗ 1976 Warner Bros. Records, licensed by Rising Son Records / Released on: 2008-08-0... YouTube
Oh good, I'm not the only one committing such crimes against the British folkloric canon 🙂
Here's mine, for posterity:
cloudisland.nz/@DrCuriosity/10…
Dr. Curiosity 💻🔬 (@DrCuriosity@cloudisland.nz)
There were three businessmen on the internet / Businessmen both great and high / And they have sworn a solemn oath / John Mastodon should die / They filtered, blocked and boxed him in / Threw trolls upon his head / And they have sworn a solemn oath / John Mastodo… Cloud Island
Not to belittle @Neil Gaiman's creativity (I am willing to pay money to enjoy the output of said creativity), but I'm even more glad that social media exists so that we can all enjoy the work of other, lesser known, people whose creativity, while great, takes forms that are less marketable (and admittedly, require less time commitment than writing, say, a full novel), and thus wouldn't have a chance of being distributed through traditional media.
Consider Joan Mastodon
Sister Joan found him in the ice
Carried the frozen body to her home
In the nights by the fire
Healed his heart
Meanwhile, Joan prepared weapons
In the first rain of spring
the heroes stood side by side
against the wild kings
Go on
Joan and John Mastodon
And dead is all the innocence of anger and surprise,
And Christian hateth Mary that God kissed in Galilee,
But John Mastodon of Austria is riding to the sea.
John Mastodon calling through the blast and the eclipse
Crying with the trumpet, with the trumpet of his lips,
Trumpet that sayeth ha!
Domino gloria!
John Mastodon of Austria
Is shouting to the ships.
Leaving deep wounds on the Con,
And pipe-smoking "Bob" can't beam as bright
Without a little Masto-
** CORRECTION **
without a little mass .. to... donnnn...
at.tumblr.com/doctorloup/70410…
Another #JohnMastodon song! And already complete with music.
Thank you, Neil.
I called for this specific filking back on #JohnMastodon Day, but never imagined you would be the one to fulfill it.
#JohnMastodon is my heart-throb, my husbando, my one-itis, my top kink!
If I wasn't such a Garbo Goblin, I'd probably swear off all lesser men for John Mastodon!
Newsletter Autistici / Inventati – 2022
----------------------------------------------
Newsletter Autistici/Inventati - December 2022
----------------------------------------------
[English version below]
The world around us does not seem to be heading in the best of all possible directions: we have somehow come out (we could have done it better) of the acute phase of the covid crisis, only to enter an anything but temporary crisis
cavallette.noblogs.org/2022/12…
As an addendum to this: most authors are not only genuinely delighted to share their work with you if you request it, some are even moreso delighted to talk to you about it and answer questions!
Especially if they have additional knowledge or information worth sharing that they didn't include in the original paper!
Wait, what even is the purpose of these journals in the age of the internet?
Are you seriously paying to have a PDF put on a website?
Please stand up, please stand up? 🎵
for context:
chaos.social/@rixx/10953049887…
rixx (@rixx@chaos.social)
Attached: 1 image ok but this could be STRAIGHT UP chatGPT: Mediaite misreading "@joinmastodon" as John Mastodon and claiming that's the eponymous founder? I cannot. https://www.mediaite.com/opinion/hypocrisy-and-fear-all-the-way-down-at-twitter/chaos.social
🤣 🤣 🤣
web.archive.org/web/2022121623…
Hypocrisy and Fear All the Way Down at Twitter
After you’ve drawn such a strong distinction on speech and human freedom, you can’t make any mistake about the side on which you belong.isaac-schorr (Mediaite)
@aral It's already too late…
`echo $(host mastodon.social | grep 'has address' | cut -d' ' -f4 ) 'john.mastodon.social' >> /etc/hosts`
One of the greats, John Mastodon.
reddit.com/r/EnoughMuskSpam/co…
r/EnoughMuskSpam - Comment by u/s4unders on ”Twitter suspends official Mastodon account.”
1,370 votes and 270 comments so far on Redditreddit
Sorry, can you tell them No.
Just that I've already got three Johns in my world right now, and it's my John limit
My John
Our John
Uncle Cecil who is called John
(everyone has one of those uncles, right?)
This site is free.
(But do tip your server, Patreon starts at only $1USD/month!)
I'm afraid so. #JohnMastodon is trending #1.
(Suddenly as I type this I realize it originated in a typo or misreading of "Join Mastodon". Because of course.)
Hilariously someone has set up a LinkedIn for #JohnMastodon
Under education "Invented social media. Invented memes." 😂
Seems he works as a penguin rancher.
Using #vim is easy once you learn a few basic keybindings.
h and l - move left and right
j and k - move down and up
η and λ - move backwards and forwards through time
ξ and κ - translation through additional temporal dimension (if applicable)
ᚻ, ᛄ, ᚳ and ᛚ - moving left, down, up, and right through celestial spheres
𐤄 and 𐤋 - switch deity to pantheon member to left or right
𐤉 - supplicate to chosen deity
𐤊 - challenge chosen deity (dangerous)
:q - exit
Thank you for this magical cheat sheet. This once and for all proves that vi is the best editor through space and time! Amen!
:wq!
@Ferdinando Simonetti uooops, right, my instance only received a tiny fraction of it!
thanks
IT IS - OFFICIALLY - A - SCANDAL!
There are still people who, despite its twenty-year existence, do not know Ishkur's Guide to Electronic Music!
An interactive bible, full of in-depth, never boring multimedia texts, it all fits on a single page: a branching diagram where you can discover which genre spawned whom or what, listening to dedicated playlists, complete or selected by year.
If you haven't been there at least once, don't speak to me! Tsk!
OsmAnd+++++
I have some difficulty understanding whether this is good news, anyway...
techcrunch.com/2022/12/15/meta…
Guerre di Rete - Apple triples down on security (and rattles the FBI)
Then Musk. Clubhouse. FTX. Killer robots. Carola Frediani (Guerre di Rete)
Iran abolishes morality police
Link: hindustantimes.com/world-news/…
Discussion: news.ycombinator.com/item?id=3…
Iran abolishes controversial morality police amid huge anti-hijab unrest: Report
Iran Anti-Hijab Protests: "Morality police have nothing to do with the judiciary" and have been abolished, Attorney General Mohammad Jafar Montazeri was quoted as saying. | World NewsMallika Soni (Hindustan Times)
We are undergoing a continuous DoS attack.
We urge you to block a.gup.pe
no, come on
although rereading the source, it does come across as a bit sexist
I wouldn't send the police after them
here a deaf-mute foreign boy was thrown out of a window by cops without a warrant because someone had posted on fb that he had harassed some girls
has anything more been heard about it since
@kappazeta for fedilab:
- take an account from that domain, tap the three vertical dots at the top right, tap block domain
- or take a post from that domain, tap the three horizontal dots at the bottom right, scroll the menu a bit, tap block domain
(removing admin@mastodon.bida.im from the mentions)
It's a shame, I think they are beautiful "pieces" of technology, of excellent quality. But "numbers" like these are already reason enough for me to stay away.
60GB of software that I didn't choose, that I will probably never use, that will poke into my business and that I won't be able to remove?