The Shelves

Jun. 7th, 2025 09:20 pm
azurelunatic: Operation 'This will most likely end badly' is a go. (end badly)
[personal profile] azurelunatic
I got the standards and brackets for that shelf system, and we are currently at Home Depot, after buying what I sincerely hope is the right configuration of board feet for eight shelves. It's secured to the roof and we're using surface streets.

It's too close to bedtime to start on repair plating the 8 foot boards to the 2 foot boards, probably.
siderea: (Default)
[personal profile] siderea
2025 Jun 7 11:40 am: [profile] benjalvarez1 on Twitter:

WATCH THIS: https://x.com/BenjAlvarez1/status/1931375699786334704

Click through to see the video. You really, really should. Sound is irrelevant.

Text: "Tanks, fighting vehicles and howitzers arrive in Washington, D.C. ahead of next week's military parade. They departed from Texas on June 2." Two minutes and forty seconds.

Allegedly that train is a mile long and is transporting:

• 28 Abrams tanks (M1A2 main battle tank)
• 3 armored recovery vehicles (M88)
• 28 Bradleys (M2A3 infantry fighting vehicle)
• 5 Paladins (M109A7 self-propelled howitzer), and
• 28 Strykers (infantry carrier vehicle)

Source: 2025 Jun 6: @USAMilitaryChannel on YT [not official military channel]: "1-Mile Military Train -Texas to D.C. with Tanks, Armor, and More for Army's 250th Parade". I do not know if that source is reputable or if that inventory is accurate.

USA Today is reporting that "The military vehicles will be joined by 1,800 soldiers". (Source: 2025 Jun 6, USATODAY on YT: "Watch: Tanks, fighting vehicles head to DC for Trump's military parade", CW: face full of Trump, alt: screenshot).

I dunno, maybe it's just me, but I'm thinking that maybe the guy who attempted one coup already bringing a well-armed military force into our capital city and, crucially, within artillery-range of the Pentagon, is just throwing himself a birthday party, but also maybe not.

ETA: For those of you confused by this, thinking, but doesn't he already control the military? You might want to watch this video about the rise of Xi Jinping.

Now, obviously, Trump would never play a long game like Xi did. But, 1) there are other ways to achieve the same end and 2) he doesn't have to, because his buddies, the Dominionists, did.
ponyville_trot: Six cartoon ponies in a huddle (Default)
[personal profile] frith posting in [community profile] ponyville_trot
This time it's: "Draw a pony trotting // Draw a pony on a scenic walk ". It's like we're back to prompt 2, pony on the move and walking the walk. It's déjà vu all over again. I should draw a pony dragging a cut-out of a walking pony from the previous prompt.

As always, draw (or sculpt or do a photo-montage), host the image of what you made in an online gallery and drop the URL into the submission form here, it's live. King Grimlock is still not specifying a prompt there, but otherwise it's as expected: you can enter five different images per prompt. The maximum resolution is 2000x2000 pixels, so choose a link from your gallery that points to a version of your image that does not exceed 2,000 pixels on either side. Also, don't exceed 4 Mb per picture or the poniloader will plotz and choke on your picture. MLPforums and Discord work as image hosts in a pinch, although I think that there's an expiry date on those options. Xitter works somehow, it looks like Mastodon does, probably Bluesky as well. I use Flickr and Imgur is said to work too. The pictures will be visible on EqD along with the next task at 9 PM (MST) on June 8th. The URL pattern is changing each time but since I'm keen to guess, I think that it will be this: https://www.equestriadaily.com/2025/06/newbie-artist-training-grounds-xv-prompt-5.html .

So be sure to get your drawings in well before 9 PM Mountain Standard Time (or midnight Eastern Daylight Savings Time and 5 AM UTC). Last time King Grimlock was at least an hour early taking what had been submitted so far and compiling it into the gallery posted with the next prompt announcement. I missed that deadline. Eventually KG will go back and edit in the late submissions, but it could be a while. The grace period is getting longer, the submitter isn't set to close for prompt 4 until June 25th! That's, like, 16 days past the deadline. I don't think there will be any late submission catch-up days in this NATG.
altamira16: A sailboat on the water at dawn or dusk (Default)
[personal profile] altamira16
Brittney Griner is 6'9". At the beginning of this book, she is rushing with her bags out the door to catch a plane to Russia to play basketball. She forgot some nearly empty vapes in her bag, and that leads to being incarcerated in Russia for nine months. Her passport is confiscated at the airport. She is moved to pretrial detention, and she has to return to court over and over until trial and sentencing.

Because she is such a tall person, nothing fits. Her legs hang off the end of the bed until they make a bed that is the correct size for her. The gulag uniforms don't fit until she has a seamstress who makes her a new one.

After reading this and To Build a Castle by Vladimir Bukovsky, I am pretty sure that to survive your time in a Russian gulag, you are just supposed to take up chain smoking. It is mandatory.

She lost nearly thirty pounds while in the gulag.

Her wife Cherelle, the WNBA, and others advocated for her release, and it was great to see the love of the community shine through. But in Russia, lesbianism seems to be treated like a mental disorder so everyone is incredulous that she has a wife.

Her wife was finishing law school and attempting to pass the bar exam while advocating for Griner's release.

I thought that this book was really well done, and the warmth of Griner and her community balanced out the part about being in a Russian gulag.
[personal profile] mjg59
As I wrote in my last post, Twitter's new encrypted DM infrastructure is pretty awful. But the amount of work required to make it somewhat better isn't large.

When Juicebox is used with HSMs, it supports encrypting the communication between the client and the backend. This is handled by generating a unique keypair for each HSM. The public key is provided to the client, while the private key remains within the HSM. Even if you can see the traffic sent to the HSM, it's encrypted using the Noise protocol and so the user's encrypted secret data can't be retrieved.

But this is only useful if you know that the public key corresponds to a private key in the HSM! Right now there's no way to know this, but there's worse - the client doesn't have the public key built into it, it's supplied as a response to an API request made to Twitter's servers. Even if the current keys are associated with the HSMs, Twitter could swap them out with ones that aren't, terminate the encrypted connection at their endpoint, and then fake your query to the HSM and get the encrypted data that way. Worse, this could be done for specific targeted users, without any indication to the user that this has happened, making it almost impossible to detect in general.

This is at least partially fixable. Twitter could prove to a third party that their Juicebox keys were generated in an HSM, and the key material could be moved into clients. This makes attacking individual users more difficult (the backdoor code would need to be shipped in the public client), but can't easily help with the website version[1] even if a framework exists to analyse the clients and verify that the correct public keys are in use.

It's still worse than Signal. Use Signal.

[1] Since they could still just serve backdoored Javascript to specific users. This is, unfortunately, kind of an inherent problem when it comes to web-based clients - we don't have good frameworks to detect whether the site itself is malicious.
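
One way a client could apply the fix described in the post above, pinning the HSM public keys in the client build and refusing whatever key set the server hands back if it differs. This is an added example, not code from the post, from Juicebox or from Twitter; the config layout, field names (`realms`, `id`, `public_key`, `recover_threshold`) and sample keys are assumptions made for illustration.

```python
import hashlib
import hmac

# The post says data from at least two of the three backends is required.
RECOVER_THRESHOLD = 2


def fingerprint(public_key: bytes) -> str:
    """SHA-256 of the raw public key bytes, hex encoded."""
    return hashlib.sha256(public_key).hexdigest()


# Constructed stand-ins for the three HSM public keys (not real keys).
SAMPLE_KEYS = {f"realm-{i}": bytes([i]) * 32 for i in (1, 2, 3)}

# What would be compiled into the client: realm id -> key fingerprint.
# Pinning only proves the key is the one that was reviewed; that the matching
# private key lives in an HSM still needs the third-party proof the post asks for.
PINNED = {realm: fingerprint(key) for realm, key in SAMPLE_KEYS.items()}


class PinningError(Exception):
    """The server-supplied configuration disagrees with the pinned one."""


def verify_served_config(served, pinned=PINNED, min_threshold=RECOVER_THRESHOLD):
    """Return the realm ids that are safe to open an encrypted session with.

    Fails closed: one swapped key, one unknown realm or a lowered threshold
    rejects the whole configuration, because a per-user key swap is exactly
    the event the client needs to surface rather than work around.
    """
    if served.get("recover_threshold", 0) < min_threshold:
        raise PinningError("served recovery threshold is below the pinned minimum")

    verified = set()
    for realm in served.get("realms", []):
        realm_id = realm.get("id")
        expected = pinned.get(realm_id)
        if expected is None:
            raise PinningError(f"realm {realm_id!r} is not pinned in this client")
        try:
            key = bytes.fromhex(realm.get("public_key", ""))
        except (TypeError, ValueError):
            raise PinningError(f"realm {realm_id!r} has a malformed public key")
        if not hmac.compare_digest(fingerprint(key), expected):
            raise PinningError(f"public key for {realm_id!r} does not match its pin")
        verified.add(realm_id)

    # Count distinct realms, so repeating one entry cannot satisfy the threshold.
    if len(verified) < min_threshold:
        raise PinningError("too few pinned realms to meet the recovery threshold")
    return sorted(verified)


def sample_config(overrides=None, threshold=RECOVER_THRESHOLD):
    """Build a constructed server response; overrides swap or add realm keys."""
    keys = dict(SAMPLE_KEYS)
    keys.update(overrides or {})
    return {
        "recover_threshold": threshold,
        "realms": [{"id": r, "public_key": k.hex()} for r, k in keys.items()],
    }


if __name__ == "__main__":
    print("honest config:", verify_served_config(sample_config()))
    try:
        verify_served_config(sample_config({"realm-2": bytes([0xAA]) * 32}))
    except PinningError as err:
        print("rejected:", err)
```

As the footnote says, this only helps clients whose code can itself be inspected; a web client served per request gets no benefit from a pin it is also served.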
[personal profile] mjg59
(Edit: Twitter could improve this significantly with very few changes - I wrote about that here. It's unclear why they'd launch without doing that, since it entirely defeats the point of using HSMs)

When Twitter[1] launched encrypted DMs a couple of years ago, it was the worst kind of end-to-end encrypted - technically e2ee, but in a way that made it relatively easy for Twitter to inject new encryption keys and get everyone's messages anyway. It was also lacking a whole bunch of features such as "sending pictures", so the entire thing was largely a waste of time. But a couple of days ago, Elon announced the arrival of "XChat", a new encrypted message platform built on Rust with (Bitcoin style) encryption, whole new architecture. Maybe this time they've got it right?

tl;dr - no. Use Signal. Twitter can probably obtain your private keys, and admit that they can MITM you and have full access to your metadata.

The new approach is pretty similar to the old one in that it's based on pretty straightforward and well tested cryptographic primitives, but merely using good cryptography doesn't mean you end up with a good solution. This time they've pivoted away from using the underlying cryptographic primitives directly and into higher level abstractions, which is probably a good thing. They're using Libsodium's boxes for message encryption, which is, well, fine? It doesn't offer forward secrecy (if someone's private key is leaked then all existing messages can be decrypted) so it's a long way from the state of the art for a messaging client (Signal's had forward secrecy for over a decade!), but it's not inherently broken or anything. It is, however, written in C, not Rust[2].

That's about the extent of the good news. Twitter's old implementation involved clients generating keypairs and pushing the public key to Twitter. Each client (a physical device or a browser instance) had its own private key, and messages were simply encrypted to every public key associated with an account. This meant that new devices couldn't decrypt old messages, and also meant there was a maximum number of supported devices and terrible scaling issues and it was pretty bad. The new approach generates a keypair and then stores the private key using the Juicebox protocol. Other devices can then retrieve the private key.

Doesn't this mean Twitter has the private key? Well, no. There's a PIN involved, and the PIN is used to generate an encryption key. The stored copy of the private key is encrypted with that key, so if you don't know the PIN you can't decrypt the key. So we brute force the PIN, right? Juicebox actually protects against that - before the backend will hand over the encrypted key, you have to prove knowledge of the PIN to it (this is done in a clever way that doesn't directly reveal the PIN to the backend). If you ask for the key too many times while providing the wrong PIN, access is locked down.

But this is true only if the Juicebox backend is trustworthy. If the backend is controlled by someone untrustworthy[3] then they're going to be able to obtain the encrypted key material (even if it's in an HSM, they can simply watch what comes out of the HSM when the user authenticates if there's no validation of the HSM's keys). And now all they need is the PIN. Turning the PIN into an encryption key is done using the Argon2id key derivation function, using 32 iterations and a memory cost of 16MB (the Juicebox white paper says 16KB, but (a) that's laughably small and (b) the code says 16 * 1024 in an argument that takes kilobytes), which makes it computationally and moderately memory expensive to generate the encryption key used to decrypt the private key. How expensive? Well, on my (not very fast) laptop, that takes less than 0.2 seconds. How many attempts do I need to crack the PIN? Twitter's chosen to fix that to 4 digits, so a maximum of 10,000. You aren't going to need many machines running in parallel to bring this down to a very small amount of time, at which point private keys can, to a first approximation, be extracted at will.

Juicebox attempts to defend against this by supporting sharding your key over multiple backends, and only requiring a subset of those to recover the original. Twitter does seem to be making use of this: Twitter uses three backends and requires data from at least two, but all the backends used are under x.com so are presumably under Twitter's direct control. Trusting the keystore without needing to trust whoever's hosting it requires a trustworthy communications mechanism between the client and the keystore. If the device you're talking to can prove that it's an HSM that implements the attempt limiting protocol and has no other mechanism to export the data, this can be made to work. Signal makes use of something along these lines using Intel SGX for contact list and settings storage and recovery, and Google and Apple also have documentation about how they handle this in ways that make it difficult for them to obtain backed up key material. Twitter has no documentation of this, and as far as I can tell does nothing to prove that the backend is in any way trustworthy. (Edit to add: The Juicebox API does support authenticated communication between the client and the HSM, but that relies on you having some way to prove that the public key you're presented with corresponds to a private key that only exists in the HSM. Twitter gives you the public key whenever you communicate with them, so even if they've implemented this properly you can't prove they haven't made up a new key and MITMed you the next time you retrieve your key)

On the plus side, Juicebox is written in Rust, so Elon's not 100% wrong. Just mostly wrong.

But ok, at least you've got viable end-to-end encryption even if someone can put in some (not all that much, really) effort to obtain your private key and render it all pointless? Actually no, since you're still relying on the Twitter server to give you the public key of the other party and there's no out of band mechanism to do that or verify the authenticity of that public key at present. Twitter can simply give you a public key where they control the private key, decrypt the message, and then reencrypt it with the intended recipient's key and pass it on. The support page makes it clear that this is a known shortcoming and that it'll be fixed at some point, but they said that about the original encrypted DM support and it never was, so that's probably dependent on whether Elon gets distracted by something else again. And the server knows who and when you're messaging even if they haven't bothered to break your private key, so there's a lot of metadata leakage.

Signal doesn't have these shortcomings. Use Signal.

[1] I'll respect their name change once Elon respects his daughter

[2] There are implementations written in Rust, but Twitter's using the C one with these JNI bindings

[3] Or someone nominally trustworthy but who's been compelled to act against your interests - even if Elon were absolutely committed to protecting all his users, his overarching goals for Twitter require him to have legal presence in multiple jurisdictions that are not necessarily above placing employees in physical danger if there's a perception that they could obtain someone's encryption keys
ponyville_trot: Six cartoon ponies in a huddle (Default)
[personal profile] frith posting in [community profile] ponyville_trot
Onwards: "Draw a pony making a funny expression // Draw a pony putting on a brave face ". Oh! What's this? Maybe KG got my email! There is an idiom but mostly those are art prompts! The submitter for the previous prompt is open until June 7th so late submissions are possible, the late submissions will be added to the posted gallery some time later. It was 2 days later for the first prompt pair.

As always, draw (or sculpt or do a photo-montage), host the image of what you made in an online gallery and drop the URL into the submission form here, it's live. King Grimlock forgot to specify a prompt but otherwise it's as expected: you can enter six different images per prompt. The maximum resolution is 2000x2000 pixels, so choose a link from your gallery that points to a version of your image that does not exceed 2,000 pixels on either side. Also, don't exceed 4 Mb per picture or the poniloader will plotz and choke on your picture. MLPforums and Discord work as image hosts in a pinch, although I think that there's an expiry date on those options. Xitter works somehow, it looks like Mastodon does, probably Bluesky as well. I use Flickr and Imgur is said to work too. The pictures will be visible on EqD along with the next task at 9 PM (MST) on June 6th, here: https://www.equestriadaily.com/2025/06/newbie-artist-training-grounds-xv.html

So be sure to get your drawings in before 9 PM Mountain Standard Time (or midnight Eastern Daylight Savings Time and 5 AM UTC) June 6th to get posted when the next prompt pair appears, otherwise it could be a while: this time KG set the submitter to close on June 15th!

Things said to cats

Jun. 4th, 2025 12:21 pm
azurelunatic: Hacker-Kitty (aka Yellface) snuggling with Azz. (Hacker-Kitty)
[personal profile] azurelunatic
Cat: "Me-ow!"
Me: "Me-ow! You-ow! We all ow!"
azurelunatic: Vivid pink Alaskan wild rose. (Default)
[personal profile] azurelunatic
The usual mess of interesting things I've read, most of them quite out of date, in approximate order of my having read them. Brought to you by my browser crashing twice when I tried to start it after my most recent reboot.

As always, I use Export Tabs to wrangle this. And maybe my current 1,625 tab count will decrease some after I close all these?
https://chromewebstore.google.com/detail/export-tabs/odafagokkafdbbeojliiojjmimakacil?hl=en

Some good news from the south:
Woman who went on the lam with untreated TB is now cured | Ars Technica
https://arstechnica.com/science/2024/07/woman-who-went-on-the-lam-with-untreated-tb-is-now-cured/

Mechanical Watch – Bartosz Ciechanowski
https://ciechanow.ski/mechanical-watch/

How a North Korean Fake IT Worker Tried to Infiltrate Us
https://blog.knowbe4.com/how-a-north-korean-fake-it-worker-tried-to-infiltrate-us

How I Got My Laser Eye Injury - Funranium Labs
https://www.funraniumlabs.com/2024/07/how-i-got-my-laser-eye-injury/

[syndicated profile] sumana_feed

Posted by Sumana Harihareswara

Twenty-one years ago, Leonard Richardson created the now-popular open source tool Beautiful Soup. He's maintained it ever since. In 2024, the Python Software Foundation recognized his contributions with two service awards, naming him a PSF …
ponyville_trot: Six cartoon ponies in a huddle (Default)
[personal profile] frith posting in [community profile] ponyville_trot
spirit_high_by_Soobel
spirit high by Soobel
Source: https://www.deviantart.com/soobel/art/1202455472

The next pair of prompts is: "Draw a pony on the move // Draw a pony walking the walk". I'm skipping calling this "Day 3" as King Grimlock has labeled it on EqD, that's just confusing. The submitter for the previous prompt is still open and late submissions haven't been added to the posted gallery yet, so King Grimlock isn't burning the midnight oil keeping up. The gallery generated by the submitter for the first prompt pair (which is here) is still locked under password, invisible unless you can guess the username and password. Admin admin doesn't work. 8^D

As always, draw (or sculpt or do a photo-montage), host the image of what you made in an online gallery and drop the URL into the submission form here, it's live. King Grimlock forgot to specify a prompt but otherwise it's as expected: you can enter five different images per prompt. The maximum resolution is 2000x2000 pixels, so choose a link from your gallery that points to a version of your image that does not exceed 2,000 pixels on either side. Also, don't exceed 4 Mb per picture or the poniloader will plotz and choke on your picture. MLPforums and Discord work as image hosts in a pinch, although I think that there's an expiry date on those options. Xitter works somehow, it looks like Mastodon does, probably Bluesky as well. I use Flickr and Imgur is said to work too. The pictures will be visible on EqD along with the next task at 9 PM (MST) on June 4th. My URL guess was wrong, KG switched to counting prompts, not days. This is the URL KG used and where the art got posted: https://www.equestriadaily.com/2025/06/newbie-artist-training-grounds-prompt-3.html .

So be sure to get your drawings in before 9 PM Mountain Standard Time (or midnight Eastern Daylight Savings Time and 5 AM UTC). I don't know if King Grimlock is up to the task of editing in late submissions, so even though the previous submitter hasn't been closed yet, there might not be a grace period past the deadline. I don't know if there will be any late submission catch-up days this time around.

The 2nd prompt resulted in 63 submissions. The total so far for NATG XV stands at 145 submissions.

I also liked these ones:

trotting_across_the_moor_by_cahandariella
Trotting across the moor by Cahandariella
Source: https://www.deviantart.com/cahandariella/art/Trotting-across-the-moor-1203014840

and

chill_walk_by_dusthiel
Chill Walk by Dusthiel
source: https://www.deviantart.com/dusthiel/art/NATG-2025-D3-Chill-Walk-1202272368

Artist Training Grounds XV, Day 1

May. 31st, 2025 08:32 pm
ponyville_trot: Six cartoon ponies in a huddle (Default)
[personal profile] frith posting in [community profile] ponyville_trot
derpy_by_tankpone
Doing As Instructed by Snow (Tankpone)
Source: https://www.deviantart.com/tankpone/art/1202198597

Hokey smokes, it's NATG time already! We have a task! It's: "Draw a pony standing // Draw a pony planting their hooves". King Grimlock is doing the heavy lifting this year (since Calpain left EqD in a huff last year) but Calpain is going to be whispering into his ear, thus the idiom masquerading as a prompt. Well, gardening... Are the hooves still attached to the pony burying it?

As always, draw (or sculpt or do a photo-montage), host the image of what you made in an online gallery and drop the URL into the submission form here, it's not live yet but it will probably be activated soon, in time for the deadline at least. 9_9 Also, the prompt's wrong, "holding it's ground" was last year's prompt, my 2024 pony was holding a cup o' joe. When it gets straightened out, you will be able to enter five different images per prompt. The maximum resolution is 2000x2000 pixels, so choose a link from your gallery that points to a version of your image that does not exceed 2,000 pixels on either side. Also, don't exceed 4 Mb per picture or the poniloader will plotz and choke on your picture. MLPforums and Discord work as image hosts in a pinch, although I think that there's an expiry date on those options. Xitter works somehow, it looks like Mastodon does, probably Bluesky as well. I use Flickr and Imgur is said to work too. Eventually the pictures will be visible on EqD and we'll see if there is a pattern to the URL like in years past. King Crimson counted the days and baptized the URL thus: https://www.equestriadaily.com/2025/06/newbie-artist-training-grounds-xv-day-3.html .

I expect the deadline to be at 9 PM Mountain Standard Time (or midnight Eastern Daylight Savings Time and 5 AM UTC), Monday-ish, with a three hour grace period past the deadline during which the submitter would still be open. I don't know if there will be any late submission catch-up days this time around.

For this first day of NATG XV there were 84 submissions.

I liked these ones:

mare_oil_by_aaronmk
Mare Oil by Aaronmk
Source: https://www.deviantart.com/aaronmk/art/1201743536

and

drawing_yipee_by_Chira
drawing yipee by Chira
source: https://i.imgur.com/l9eedpz.png (imgur gives me a blank page. This is why I don't use imgur, even though I have an account there.)

and

Here_I_stand_by_In3DS
Here I stand by In3DS
Source: https://bsky.app/profile/in3ds.bsky.social/post/3lqjoznwh2c25 Yup, Bluesky works in a pinch, somehow.

Not as it was [early music, MA]

May. 31st, 2025 12:23 am
siderea: (Default)
[personal profile] siderea
Back in 2013, I winnowed down the entire listings of Boston Early Music Festival events, official and fringe, to a curated concentrate of just concerts and other events featuring music from before 1600 AD. There were about 35 of them.

The 2025 BEMF is just nine days out and the Fringe Concerts listings updated today has a total of fewer than 30 listings.

Pony Collection Deadline and NATG XV

May. 29th, 2025 08:06 pm
ponyville_trot: Six cartoon ponies in a huddle (Default)
[personal profile] frith posting in [community profile] ponyville_trot
MLPcollect2025

It's that time of year when Equestria Daily sends out the call for people to assemble their pony swag for a photo shoot. Easy for you if you only have like four things. Not so easy if you have like 400 items scattered hither and yon. Some people even have what looks like a pony store in one room. That looks like a lot of work. I just spent a few hours piling mostly plushes on a couch. No way am I going to get everything I own into one picture.

The deadline for sending in your picture(s) is 1st of June at 1:00 AM PST (Pacific Standard Time) and the submit link for sending your swag photo(s) is here: https://poniloader.equestriadaily.com/index.php?task=competition&competition=452

Meanwhile, a 15 prompt Newbie Artist Training Ground is set to begin June 1st with the first prompt to be posted on EqD at 8 PM PST. The submit link isn't live yet but it should be https://poniloader.equestriadaily.com/index.php?task=competition&competition=453 when it does go live. Each prompt should allow you 48 hours this time so the event will last all month despite there only being 15 prompts.

Unlucky

May. 29th, 2025 04:39 pm
azurelunatic: Vivid pink Alaskan wild rose. (Default)
[personal profile] azurelunatic
A hundred years from now, chroma key colors are going to be considered unlucky to wear in a set of professions like newscasting, and nobody is going to quite realize why.

Recaf

May. 27th, 2025 01:09 pm
azurelunatic: "beautiful addiction", electron microscope photo of caffeine (caffeine)
[personal profile] azurelunatic
We know about Decaf, where by some process, caffeine is removed from coffee or whatever.

I present: Recaf. Where maybe decaf isn't doing it today so you add in a bit of caffeine powder or something.

(I have a flask of decaf on me today, and then we stopped for breakfast and got Coke, and I said "recaf" and had to make the definition.)

Page generated Jun. 9th, 2025 05:30 am