varx @varx@infosec.exchange

It makes me a little sad and a little amused to see regexes being used incorrectly in this context: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cccccccccve-2016-2829.9999999

It would be super fun to gather stats by customer, or look at breakdowns of password badness by user-account age, but we'd have to be super careful in how that was done; I don't actually want to end up with a list of email addresses that have vulnerable passwords!

I integrated the Pwned Passwords dataset into our login server at work and oh man, our customers are *terrible* at picking unique passwords.

Like, it's not perfect data, and obviously I have no way of cleaning it because we don't get to actually *look* at them, but... probably around 20% of the passwords are bad in some way.

@cwebber It would be helpful if the Granovetter diagram better matched the text—Alice vs. Alyssa, Bob vs. Ben. Perhaps replace "foo" in the diagram with something meaningful, maybe "introduction". (It took me a while to understand the diagram, and I think that would have helped.) Would be sad to lose that Geocities aesthetic, though. 😛

Typo: « We’re intentionally pairing down this example » s/pairing/paring/

@cwebber On the problems of reputation scoring, I keep being hopeful that someone will invent cryptographically blinded, distributed reputation networks that allow a meaningful and non-dystopian representation of community trust.

It's a problem in meatspace too, though; if someone gains a reputation as an asshole in one town, then can just go to another town and get a clean record. But by the same token, you can escape a nasty, hateful town and start a new life.

Maybe I'm hoping for too much!

@cwebber I just finished reading your OcapPub draft and really enjoyed it. I like the direction you're going.

I've been doing some writing and coding on my own project, https://gitlab.com/timmc/cavern; it's very different in approach, but you might be interested in comparing them. In particular, when you wrote

« If the problem is users receiving unwanted messages, perhaps the solution comes in making intentional social connections. »

it reminded me of the "socially-local" privacy level I'm using.

A Tumblr called "Accidentally Quadratic", dedicated to showcasing instances of software that did just that: https://accidentallyquadratic.tumblr.com/

I'm looking at the XDG Base DIrectory specification, and while I think it's a lovely idea to use ~/.config/MyApp/ and ~/.cache/MyApp/... I really can't get behind storing important documents in ~/.local/share/MyApp. That feels like a recipe for dataloss and/or user confusion.

https://specifications.freedesktop.org/basedir-spec/basedir-spec-latest.html

Ah, I think it still asks me about *me*, but not any of the actual market research questions that might reveal Top Secret Initiatives or whatever. Boring.

> Invited to fill out a market research survey

> "By clicking Yes, you agree to keep all Dropbox Information confidential."

> Click "yes" by accident, click "back", then "no"

> Survey continues as before

🤔

With all the "here are my URLs, please dereference them" that ActivityPub involves, there've *got* to be some implementations vulnerable to SSRF.

On various anti-patterns in open source language:

« A maintainer accidentally cuts a bad release. The next morning, their inbox overflows with user complaints. None of the complaining users were known to the maintainer before the breakage. In fact, the maintainer’s shocked by the suddenly-apparent popularity of their project. Where did they all come from?

Apparently “adoption” was high. But in no meaningful sense did users “adopt” the project. They merely used it. »

https://writing.kemitchell.com/2017/10/15/Unsustainability-at-Scale.html