worldkey.io is one of the many independent Mastodon servers you can use to participate in the fediverse.
Discussion of Disney history, theme parks, music, movies, and related topics.

#rant


I might have actually figured out how to break into #youtube now:

#scoopz signal boosting essentially.

Because my Scoopz is going viral, and then I mention I have a YouTube page on my bio, and it's been getting me far more attention than the YouTube Algorithm ever gives me.

Sad when the systems of ANOTHER PLATFORM are required to break into YouTube honestly.

Sometimes the algorithm decides I get NONE.

Fix your BS YouTube, it's garbage.

Jon Ossoff's campaign sent out a campaign text message saying why he was voting against the CR, the problems with it, etc. I said I'd donate when the tally confirmed that. He voted "No". So I just gave his campaign some money. The eight Democrats who voted for it, the entire Senate Democratic leadership, and the national Democratic Party leadership who sat on their hands, on the other hand, can go pound sand. I'll be giving my time and money to throw them out of office and replace them with people that have backbone, courage, and fight in them. I've had enough of these "Do Nothing Democrats" when there are plenty of people across the political spectrum who actually want the job. May those eight and the supposedly moderate Republicans who always vote for this shit like Collins and Murkowski never know a moment's peace and never win office again. #uspoli #rant

Non #Brits can ignore this from the start but I am taking advantage of my new character limit to rant about The Archers and racism :)

This week’s BBC Radio 4 Feedback had a fun segment on the new Muslim characters in The Archers and their celebrations of Ramadan, which this year happens during Lent. It’s really brought out the little-Britain brigade, and shows why Nigel Farage is so popular – And why I left. There wasn’t a single non-racist caller-inner.

Here’s a summary of the calls to the BBC (whose mission from 1922 is to: “Inform, educate, entertain”) in case I ever decide I want to go back there in some mad moment of thinking I miss the place.

From Jackie in Surrey (It's always a Jackie in Surrey):

"I am a regular Archers listener, and I do want to pick the Archers up on the current focus on fasting for Ramadan. I am all in favour of diversity in explaining about Ramadan in this context but what about mentioning it is also Lent? I am an Orthodox Christian, and we also fast during the whole of Lent by cutting out meat, fish, dairy products, and cutting down the amount eaten. This has been the practice for centuries, and only the Western Christians over many years reduced this so that now fasting is almost unknown. But at the very least, Lent should be mentioned. Where is the vicar?"

[Note: Lent was very much mentioned, Linda and Mr Malec had a little verbal spar about which religion had to give up the most, and which was hardest: Lent or Ramadan – And all the other religious show characters are still doing Lent stuff.]

Hello, feedback. I'm Judith Conzen, and I'm phoning from Ilford in East London (And my racist tool for the day will be sarcasm, please Bob):

“I'm intrigued to note that Linda Snell is embracing religious practice and fasting for Ramadan. I'll be listening intently to hear if she follows up on Yom Kippur, which this year will fall on October 2.”

From Patricia Farrell:

“I am shocked that during the time of Lent, a time that is sacred to followers of Jesus Christ, there is no mention at all of our Christian religion during this important period. It's very upsetting that the programme supports Ramadan, but absolutely sidesteps any mention of Lent. BBC bias? I think so.”

Hello. My name is Morris Press, and I am from Teddington in Middlesex. [I could have guessed that within about 20 words]:

“I have been an Archers listener for over sixty years. However, I never thought the BBC would impose their new woke policy on Ambridge. Last week's episode of the Malecs and Linda sitting down to a Ramadan meal and prayers was a real low for me.”

Richard, Dumfriesshire (Aah! Finally a famously unsectarian and tolerant area):

“The Islamization of the Archers proceeds at pace, with the Snells fasting for Ramadan as Easter approaches. Is Alan the vicar joining in with his Hindu wife Usha? We've always been told how racist the countryside is. Perhaps all will be resolved for the tearoom's pancake eating contest.”

Now some listeners echo the views of Sylvia Delico from Northamptonshire (Are we ever going to get any from Birmingham or Leeds?):

“Well, I'm not offended by the Muslim characters observing Ramadan [That’s nice of you!]. I do find it offensive that two Christian characters are being woke by fasting alongside them. This is supposedly a story of everyday country folk who live in a farming community; and are not led to promote the BBC's woke identity.”

From Andy [Who it seems has never listened to The Archers]:

“The idea Linda Snell would fast is nonsense. It's one thing to introduce them to the village. No one could object to that. But the prayers and doctrine have no place in an everyday story of country folk.”

[“Them” – Yes Andy, we see, turn down that dog whistle won't'cha?]

[Narrative: In this case, it's not the inclusion of Ramadan, but the fact that one of the best known couples in Ambridge, Linda and Robert Snell, are joining in. How convinced are you, Cara, by Linda Snell's involvement? Some of our listeners are saying that it feels a little out of character. I disagree. I think this is absolutely something that Linda would do, and I kinda smirked when she, admittedly, a bit like a boy in the china shop, just went in and goes, I'm doing Ramadan with you.

Linda's a very curious person. She's somebody who's very interested, and she's also somebody that when they're in their guest house, she wants to make them feel as comfortable and at home as possible. And that, for me, I wasn't at all surprised when Linda said this. And, actually, within our group as well, people have really welcomed how this story line has played out, because they've learned quite a lot along the way as well about their neighbours or friends and their faith practice.]

----------------

As you were! Rant over!

#BBC #Radio #Drama

As a citizen of the United States, after hearing more and more stories like this I have to say it's probably best if people don't travel here. ICE has been bad from day one (created-post 9/11) but it's like horror stories from the Soviet Union I remember hearing as a kid now. It doesn't matter if you are coming from countries MAGA considers "good" like this German lady or "bad" ones. It doesn't matter if you have your documents in order and your nose clean. No one is safe from this sort of secret police style treatment. I'm sorry half my country voted for these monsters and cheer this shit on. We've failed ourselves and the rest of the planet. #uspoli #rant
The Trek · German Thru-Hiker Detained, Deported, and Banned From US: An experienced thru-hiker traveling to the US to hike the AZT last month says she was treated inhumanely and deported without justification.

There should totally be a "no asshole allowed" license agreement for open source software.

This guy complains of one error where both the hint and the error message show how to solve it... yet he decides to be an entitled fucker and bash it just because it does not meet his expectations.

It was actually planned to make that area more friendly on a future release but stuff like this is just demoralizing.

chromewebstore.google.com/revi

chromewebstore.google.com · Charles Griswold's review

Vancouver Island had better snow removal than Edmonton.

Yeah, I said it. #HotTake 🔥 🔥

(Also in before anyone says VanIsle doesn’t get snow - yes, we very much got snow. Especially at elevation.)

They’ve been plowing for days now to remove a shit ton of ice on the roads where we live … if it had been properly maintained all winter, they wouldn’t need to do this right now - yet. ¯\_(ツ)_/¯

Rant time.
I take a bunch of random photos of in-process projects with the thought that it would be cool to post them. I rarely do; I rarely put them all in an album. Because modern cameras on phones are so good, I can't get away w/out post processing (making them web size); if I try to just dump them to a blog post, I end up blowing up my storage on my site and causing my backups to get too large.

There has to be a workflow to make them blog friendly.

It's weird what wrong impressions people have of 3D printed stuff to this day. Almost like clockwork, each post with something 3D printed on big social media or video sites results in claims that it will never last, even when the example part is under very light physical stress. Another crowd favourite seems to be the idea that 3D prints melt like a candle if subjected to a tiny amount of heat.

And if that's not enough, someone will chip in with the concept of 3D printing being useless and it's only being used to print coat hooks and novelty pen holders or something.

I get that a lot of it is drive-by commenting, but the whole ignorant attitude just never ceases to amaze me. Do they expect me to just make a shitload of parts that have a snowball's chance in hell of working?

US date format is utterly stupid at the best of times, but while writing the blurb for one of Thursday's photos, I just found myself staring blankly at the screen wondering if something happened in June or July of one year.
Have a look at this.
rzjets.net/aircraft/?reg=45159
Towards the top, we have this line.

"returned 11/92, dbr ARN 7/6/1997"

In UK date format, dates get more precise the further to the left you go - today is 24-02-25: the year is 2025, then the month is 02 (February), then the actual date - the further to the left you go, the more precisely you can date something.
In this case, the date this plane returns from lease (11/92) makes perfect sense.
The date it is damaged beyond repair is given as 7/6/1997 - which would be 7th June 1997 in UK format, or 6th July in US - which is which?
Looking further through the page, we find it was first delivered to TAROM 8/25/1977; since there aren't 25 months in the year, this is obviously written in US format, so 25th August 1977.
So - and yes, I am literally just about to make my point - WHAT MONTH WAS THIS RETURNED OFF LEASE?
Because the 2 fields given, in the US format, denote date and year.
It makes perfect sense in UK format, but is entirely nonsensical in US format.
It was returned on the 11th of... some month, who knows... 1997
Oh, wait, you drop the middle field?
Is that... but... wait...

**insert obligatory Capt Tightpants .gif**

Why would you drop the middle field like that, why would you effectively start using the other format, when it just doesn't! make! sense!!

And yes, ISO8601 makes more sense than either of the other formats, and is what I use myself, but the format commonly used here in the UK makes far more sense than that used in the US, especially when you go and drop fields like that!
GRRRRR!!

The least secure TOTP code possible

shkspr.mobi/blog/2025/02/the-l

If you use Multi-Factor Authentication, you'll be well used to scanning in QR codes which allow you to share a secret code with a website. These are known as Time-based One Time Passwords (TOTP[1]).

As I've moaned about before, TOTP has never been properly standardised. It's a mish-mash of half-finished proposals with no active development, no test suite, and no-one looking after it. Which is exactly what you want from a security specification, right?!

So let's try to find some edge-cases and see where things break down.

One Punch Man

This is possibly the least secure TOTP code I could create. Scan it and see whether your app will accept it.

What makes it so crap? There are three things which protect you when using TOTP.

  1. The shared secret. In this case, it is abcdefghijklmno - OK, that's not the easiest thing to guess, but it isn't exactly complex.
  2. The amount of time the code is valid for before changing. Most TOTP codes last 30 seconds; this one lasts 120.
  3. The length of the code. Most codes are 6 digits long. In theory, the spec allows 8 digits. This is 1. Yup. A single digit.

If you were thick enough to use this[2], an attacker would have a 1/10 chance of simply guessing your MFA code. If they saw you type it in, they'd have a couple of minutes in which to reuse it.

Can modern TOTP apps add this code? I crowdsourced the answers.

Surprisingly, a few apps accept it! Aegis, 1Password, and Bitwarden will happily store it and show you a 1-digit code for 120 seconds.

A few reject it. Authy, Google Authenticator, and OpenOTP claim the code is broken and won't add it.

But, weirdly, a few interpret it incorrectly! The native iOS app, Microsoft Authenticator, and KeePassXC store the code, but treat it as a 6-digit, 30-second code.

Do The Right Thing

What is the right thing to do in this case? The code is outside the (very loosely defined) specification. Postel's Law tells us that we should try our best to interpret malformed data - which is what Aegis and BitWarden do.

But, in a security context, that could be dangerous. Perhaps rejecting a dodgy code makes more sense?

What is absolutely daft[3] is ignoring the bits of the code you don't like and substituting your own data! Luckily, in a normal TOTP enrolment, the user has to enter a code to prove they've saved it correctly. Entering a 6-digit code where only 1 digit is expected is likely to fail.

We're Only Human

A one-digit code is ridiculous. But what about the other extreme? Would a 128-digit code be acceptable? For a human, no; it would be impossible to type in correctly. For a machine with a shared secret, it possibly makes sense.

On a high-latency connection or with users who may have mobility difficulties, a multi-minute timeframe could be sensible. For something of extremely high security, sub-30 seconds may be necessary.

But, again, the specification hasn't evolved to meet user needs. It is stagnant and decaying.

What's Next?

There's a draft proposal to tighten up the TOTP spec, which has expired.

It would be nice if the major security players came together to work out a formal and complete specification for this vital piece of security architecture. But I bet it won't ever happen.

So there you have it. We're told to rely on TOTP for our MFA - yet the major apps all disagree on how the standard should be implemented. This is a recipe for an eventual security disaster.

How do we fix it?

  1. Yes! Just like Top of The Pops! The famous British TV show! Wow! I bet you're the first person in history to make that joke! Have a biscuit.

  2. Please don't!

  3. I wanted to use the words "utterly fucking stupid" but I felt it was unprofessional.

Terence Eden’s Blog · The least secure TOTP code possible
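The three parameters the post walks through (shared secret, period, digit count) and the three enrolment behaviours it observed, as an added example that is not code from the original post: a strict otpauth URI parser that rejects out-of-spec values instead of silently substituting 6/30 defaults, plus an RFC 6238 TOTP computation. The URIs are constructed to match the post's description; treating "in spec" as the Key URI format's digits of 6 or 8 is an assumption, since the post stresses how loosely this is defined.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, unquote, urlparse

# Constructed URIs, not the author's actual QR payloads. The first carries the
# parameters the post describes (secret abcdefghijklmno, period 120, digits 1);
# the second uses the RFC 6238 SHA-1 test seed ("12345678901234567890" in base32).
DEGENERATE_URI = "otpauth://totp/example:user?secret=abcdefghijklmno&period=120&digits=1"
RFC_URI = "otpauth://totp/example:user?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def parse_otpauth(uri, strict=True):
    """Parse an otpauth://totp/ URI into its enrolment parameters.

    strict=True rejects out-of-spec parameters (assumed here to mean the Key
    URI format's digits of 6 or 8 and a positive period) with ValueError.
    strict=False stores them exactly as given, like Aegis or Bitwarden.
    Neither mode swaps in 6/30 defaults for values that are present, which
    is the behaviour the post calls out as the worst of the three.
    """
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not an otpauth://totp/ URI")
    q = {k: v[-1] for k, v in parse_qs(u.query).items()}
    if "secret" not in q:
        raise ValueError("missing secret")
    digits, period = int(q.get("digits", 6)), int(q.get("period", 30))
    if strict and (digits not in (6, 8) or period <= 0):
        raise ValueError(f"out-of-spec parameters: digits={digits} period={period}")
    return {"label": unquote(u.path.lstrip("/")), "secret": q["secret"],
            "digits": digits, "period": period}


def totp(secret_b32, unix_time, period=30, digits=6):
    """RFC 6238 TOTP over HMAC-SHA1: HOTP of the time-step counter, dynamically
    truncated to 31 bits and reduced modulo 10**digits."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)  # restore '=' padding
    key = base64.b32decode(padded)
    counter = struct.pack(">Q", int(unix_time) // period)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def code_for(uri, unix_time, strict=True):
    """Enrol a URI and compute its code for the given time; the degenerate URI
    only yields its one-digit code when strict checking is switched off."""
    p = parse_otpauth(uri, strict)
    return totp(p["secret"], unix_time, p["period"], p["digits"])
```

With the RFC seed the function reproduces the RFC 6238 test vectors (e.g. 94287082 for T=59, 8 digits), which is the cheapest check that an app's arithmetic, as opposed to its parameter handling, is correct.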