Hi folks. Want to stop hearing about the bird site? Stop visiting it, stop linking to it, stop driving engagement, mute keywords, temporarily mute folks whinging about it. Just like the other commercial "social" networks, they thrive on misery and conflict, not community. Stop feeding it. It won't kill it, but your circle may stop talking about it.

Every few years I seem to forget that slightly different base64 strings can decode to the same bytes, even after excluding whitespace and the = padding.
For example, 0xd5 is the decoded result for 1a=, 1b=, 1c=, 1d=, 1e=, and 1f= -- it makes total sense given the encoding algorithm, but sometimes throws a curveball into testing, especially if you assume different inputs are always going to lead to different outputs.
I chased a "broken" test for an hour tonight before it clicked again. Happy Friday!
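The aliasing described in the post above, worked through as an added example that is not part of the original post: a permissive decoder maps every one of 1a= through 1f= to 0xd5, a canonical-form check (decode, re-encode, compare) rejects the non-canonical spellings, and `aliases()` enumerates every spelling a lenient decoder accepts for a given byte string (the post's six are a subset of the sixteen that exist for a one-byte tail). The function names are assumptions made for this example.

```python
import base64
import binascii
import string

# Standard RFC 4648 alphabet, index order matters for the bit arithmetic below.
ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"


def lenient_decode(text: str) -> bytes:
    """Decode the way a permissive consumer does: ignore whitespace, ignore
    however many '=' were supplied, and silently drop the slack bits of the
    final symbol (Python's non-strict b64decode never checks them)."""
    body = "".join(text.split()).rstrip("=")
    body += "=" * (-len(body) % 4)          # re-pad to a multiple of 4
    return base64.b64decode(body)


def is_canonical(text: str) -> bool:
    """True only if `text` is exactly what a standard encoder emits for its
    decoded bytes: zero slack bits, correct padding, no whitespace."""
    try:
        decoded = lenient_decode(text)
    except (binascii.Error, ValueError):
        return False
    return base64.b64encode(decoded).decode("ascii") == text


def aliases(data: bytes) -> set:
    """Every padded base64 string that lenient_decode() maps to `data`.
    A one-byte tail leaves 4 free bits in the last symbol (16 spellings),
    a two-byte tail leaves 2 (4 spellings); a full quantum has none."""
    canon = base64.b64encode(data).decode("ascii")
    stripped = canon.rstrip("=")
    slack = {2: 4, 3: 2}.get(len(stripped) % 4)
    if slack is None:
        return {canon}
    last = ALPHABET.index(stripped[-1])
    kept = last & ~((1 << slack) - 1)                 # clear the slack bits
    pad = "=" * (len(canon) - len(stripped))
    return {stripped[:-1] + ALPHABET[kept | free] + pad
            for free in range(1 << slack)}


if __name__ == "__main__":
    for spelling in ("1a=", "1b=", "1c=", "1d=", "1e=", "1f="):
        print(spelling, lenient_decode(spelling).hex(), is_canonical(spelling))
    print(sorted(aliases(b"\xd5")))   # 16 spellings, canonical one is 1Q==
```

Comparing inputs after normalising them to canonical form (or rejecting non-canonical input outright) is what keeps a test, or a signature check, from treating these aliases as distinct values.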

Tobias Petry's free (e)book "Next-Level Database Techniques For Developers" is eerily spot on - he addresses almost all of the painful and confusing bits I have bashed my head into while launching and scaling runZero. Recommended reading for any developer that touches PostgreSQL (or MySQL): https://sqlfordevs.com/ebook

There are many advantages to using a vendor-managed PostgreSQL (AWS Aurora), but the black box nature of diagnostics is not one of them. For anyone else fighting with index performance going suddenly sideways (10x slower queries) on Aurora PostgreSQL - the root cause seems to be that new reader replicas can sometimes have horrible index performance, but this only shows up when there are tons of concurrent requests, and running a full `reindex database concurrently <db>` resolves it. All of the standard diagnostics (looking for invalid indexes, trying manual queries on each endpoint with explain, checking seq scan stats, etc) pointed to everything being just fine.
Unrelated, but hilarious: it seems that somebody is uploading sketchy AWS database snapshots and marking them public. Is this just a troll, or can a backdoored snapshot do anything interesting if you load it into a sensitive environment (via extensions, triggers, etc.)?

In which Ian Carroll casually compromises a Turkish root CA trusted by most browsers: https://ian.sh/etugra

runZero 3.3 is live with support for pulling in users, groups, and assets from Google Workspace. This release also rolls up our TLS fingerprinting work (OpenSSL 3.x detection, along with SChannel, GnuTLS, and others).
Still free (via Starter Edition) for folks with less than 256 assets.

@blacktraffic @satan thanks! I wish I had a reason to work on that stuff again, it was a lot of fun, but became a legal minefield in the US

This is probably an unpopular opinion, but I would love to see ActivityPub implementations not tied to a GPL/AGPL license. After poking at WriteFreely, the only thing stopping me from PRing a half-dozen improvements is the weird license choice.
AGPL/GPL is terrible if you want to write stuff that you can reuse for other projects (commercial or personal). Viral licenses tie the hands of the original authors as much as those of contributors. Folks tend to figure this out only when it is really difficult to fix (i.e. getting (C) reassignment or CLAs in place for all past contributors).
You can work around it by putting code into freely licensed subpackages instead, but it forces weird design decisions. I get that some folks are concerned about being SaaSed, but the AGPL choice still has a cost.
Anywho, MIT/BSD licenses are your friend now, and a friend to your future self who needs to reuse that code for something else in a decade.

Big thanks to @todb for handling a private vulnerability disclosure to a pharmacy chain for me. It's great to see that their website no longer leaks PHI and it is even better that I didn't get sued, threatened, or arrested as part of getting it fixed.
It would be fantastic if organizations like HackerOne offered this as a service; their current rules require the researcher to contact the organization directly first, defeating the point of working through a less-suable intermediary :)
All the same, hurray for one less exposure!

Everyone loves https://canary.tools and I wholeheartedly recommend that you take a look (and adopt the free tokens if nothing else); but there is another amazing free+awesome toolkit that most companies would benefit from without a privacy audit requirement: https://healthchecks.io - they do exactly what they say, really well, and are both cost-conscious and nerd-savvy. This is almost the opposite of a canary - it reports things that didn't fire - you can find all kinds of creative ways to make this security relevant while staying super inexpensive.
Copyright 1998-2025 HD Moore