earenndil commented on Ask HN: Mobile devs who added Apple Sign In, what conversion changes?    · Posted by u/davidajackson
buzzerbetrayed · 5 years ago
Just to expound on what you're saying, won't there always be a single point of failure? For example, for the majority of people there are only a few options.

1. Use the same password for all logins because you don't know how to manage unique passwords for all your logins. Obviously this is about as insecure as you can get.

2. Write your unique passwords down somewhere. This can be in a notebook, or a password manager (1password and the like). In this case, there is still a single point of failure (as you pointed out) if someone finds your book or compromises your password manager.

3. Use some sort of SSO service. Still a single point of failure (Apple, Google, Facebook).

I feel like using Apple SSO with 2-factor authentication is just as secure as any of these options.

Is there any "secure" system that doesn't have a single point of failure?

earenndil · 5 years ago
You. You are the single point of failure; if you are compromised, then all your accounts can be accessed by the compromisor.

If you're looking for a point outside yourself, then memorising all your passwords would be an option.

But beyond that, I don't think your criticism is warranted. There's always a single point of failure - sure - but we can still consider gradations of how centralised that point is, and how likely it is to fail.

With a hosted password manager, you're at the mercy of their server code; specifically, at least for 1password, I think they have a 'dead man's switch' which lets you get at the encrypted content without the master password. This is more likely to fail than a password manager which stores all its content locally and really encrypts it (e.g. keepass). In this case, human error outside of yourself can't compromise you. But technical error can, which is why there are more steps that can meaningfully increase your level of security. Like running your password manager on a separate, air-gapped computer; or sandboxing everything you run a la qubes.

Are any of these especially likely to compromise you, as a user? No, but reducing centralisation and dependency still improves your chances, and is definitely worth considering if you are e.g. running a drug smuggling ring.

earenndil commented on Ask HN: Mobile devs who added Apple Sign In, what conversion changes?    · Posted by u/davidajackson
DerJacques · 5 years ago
Interesting. Wouldn’t that allow someone to sign up for service Y with an email address associated with an account in your system using service X, in order to get access to the account in your system?

Maybe there’s something I’m not seeing, but it seems dangerous to rely on the identity provider’s email address to authenticate the user.

earenndil · 5 years ago
It's assumed that, if you're signed up for a service with an email address, you control that email address.

This is generally a reasonable thing to assume, and can be verified for whatever account providers you support.
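Added example (not from the thread, and not any real provider's or app's code): one way to apply the rule earenndil describes, so that an identity from provider Y is only linked to an existing local account by e-mail when the provider actually vouches for that e-mail. The issuer URLs, the local user table and the claim dicts are constructed sample data; the claim names (`iss`, `sub`, `email`, `email_verified`) are the standard OpenID Connect ones. Signature, audience and expiry checks on the ID token are assumed to have happened before this logic runs.

```python
from dataclasses import dataclass, field

# Constructed sample data: issuers we are willing to trust for e-mail ownership.
# A provider not in this set may still log its own users in, but its e-mail
# claim is never used to attach to an account created via another provider.
TRUSTED_EMAIL_ISSUERS = frozenset({
    "https://accounts.google.com",
    "https://appleid.apple.com",
})


@dataclass
class LocalUser:
    user_id: int
    email: str
    identities: set = field(default_factory=set)   # {(iss, sub), ...}


def normalize_email(email: str) -> str:
    return email.strip().lower()


def resolve_login(claims: dict, users: list):
    """Decide what to do with an already-verified ID-token claim set.

    Returns (action, user) where action is one of:
      'login'  - the (iss, sub) pair is already bound to a local user
      'link'   - a local user with this e-mail exists and the issuer vouches
                 for it; the new identity is attached to that user
      'reject' - a local user with this e-mail exists but the claim does not
                 prove ownership (untrusted issuer, or email_verified not true)
      'new'    - nothing matches; the caller may create a fresh account
    """
    iss, sub = claims.get("iss"), claims.get("sub")
    if not iss or not sub:
        return ("reject", None)

    # Identity already known: authenticate on (iss, sub), never on e-mail.
    for user in users:
        if (iss, sub) in user.identities:
            return ("login", user)

    email = claims.get("email")
    if not email:
        return ("new", None)
    email = normalize_email(email)

    existing = next((u for u in users if u.email == email), None)
    if existing is None:
        return ("new", None)

    # This is the DerJacques scenario: the e-mail collides with an account
    # created through some other provider. Only link if the issuer is trusted
    # and asserts a JSON boolean true (a string "true" is deliberately not
    # accepted, which is why `is True` rather than a truthiness check).
    if iss in TRUSTED_EMAIL_ISSUERS and claims.get("email_verified") is True:
        existing.identities.add((iss, sub))
        return ("link", existing)
    return ("reject", existing)


def sample_users() -> list:
    """Constructed local user table: alice signed up via Google."""
    return [LocalUser(1, "alice@example.com",
                      {("https://accounts.google.com", "g-1")})]


if __name__ == "__main__":
    users = sample_users()
    attacker = {"iss": "https://idp.example.net", "sub": "x-1",
                "email": "alice@example.com", "email_verified": True}
    print(resolve_login(attacker, users)[0])   # reject
```

The `reject` branch is where a real app would fall back to a verification step of its own (for example, sending a confirmation to the address) rather than silently creating a second account or, worse, merging.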

earenndil commented on JITs are un-ergonomic   abe-winter.github.io/2020... · Posted by u/awinter-py
kizer · 5 years ago
You seem to have more familiarity than me with Java :). So I guess V8 JITs some kind of p-code then? If V8 allowed full AOT comp. to the internal bytecode, then the perf would theoretically be around Java’s avg perf?
earenndil · 5 years ago
Nope, because java is statically typed.


earenndil commented on A history of roguelike games   arstechnica.com/gaming/20... · Posted by u/aww_dang
earenndil · 5 years ago
This is not that great of an article, IMO. A prominent developer of one of the roguelikes mentioned says:

> you can immediately see that this article was stitched together by throwing some wikipedia articles together if it references the Berlin interpretation

> it's also hilarious if the guild of disgruntled adventurers is referenced as fun addition :)

> I'm not sure if I should feel insulted [by the article's description of my roguelike]

I mostly agree with these. I also feel a bit slighted by one of the descriptions. I'm also not sure quite what to make of the fact that they don't mention the two most prominent recent roguelikes: caves of qud, and cogmind.

earenndil commented on A history of roguelike games   arstechnica.com/gaming/20... · Posted by u/aww_dang
allan_s · 5 years ago
Funny, I'm trying to make a rogue-like game with my son these last days. Has anyone experienced using the C library `notcurses`, or some demo project? (The library seems to be made to break curses API compatibility on purpose, for the sake of sanity.)
earenndil · 5 years ago
Notcurses is ok, not great.

Tickit[1] is much nicer, and comes with what is possibly the only good way of reading modifier characters from a terminal (seriously).

Alternately, if you're ok with not running in a terminal, check out bearlibterminal[2].

1: http://www.leonerd.org.uk/code/libtickit/

2: http://foo.wyrd.name/en:bearlibterminal

earenndil commented on A Defer Statement for C   github.com/moon-chilled/D... · Posted by u/pcr910303
rwmj · 5 years ago
Why not use __attribute__((cleanup))? It's widely used in real code (eg. systemd has been using it for years) and there's effort going on to get the mechanism standardized in the next C standard.
earenndil · 5 years ago
You need to use nested functions if you want to have nontrivial behaviour in a cleanup, and nested functions are awful in c.
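Added example, not part of the Defer library linked above and not systemd's code: the `__attribute__((cleanup))` mechanism rwmj refers to, written the way systemd-style C uses it. The first part is the trivial case (free a buffer on every exit path). The second part shows the usual way to get nontrivial, state-dependent behaviour without a nested function: bundle the state the cleanup needs into the variable being cleaned up. The counters `frees_run` and `rollbacks_run` are instrumentation added so the behaviour can be checked; everything else is ordinary C with the GCC/clang attribute.

```c
#include <stdlib.h>
#include <string.h>

static int frees_run = 0;       /* instrumentation only */
static int rollbacks_run = 0;   /* instrumentation only */

/* 1. Trivial cleanup: the cleanup function receives a pointer to the
 * variable leaving scope, so it frees *p and nulls it. */
static void cleanup_free(char **p)
{
    if (*p != NULL) {
        frees_run++;
        free(*p);
        *p = NULL;
    }
}
#define _cleanup_free_ __attribute__((cleanup(cleanup_free)))

/* Copies `input` into a temporary buffer. Every early return and the normal
 * return release the buffer without an explicit free() call.
 * Returns the copied length, or a negative code on the error paths. */
int process(const char *input, size_t maxlen)
{
    _cleanup_free_ char *buf = NULL;

    if (input == NULL)
        return -1;                  /* buf is NULL: cleanup is a no-op */
    size_t n = strlen(input);
    if (n > maxlen)
        return -2;                  /* still nothing to free */
    buf = malloc(n + 1);
    if (buf == NULL)
        return -3;
    memcpy(buf, input, n + 1);
    /* ... work on buf ... */
    return (int)n;                  /* buf freed here by cleanup_free */
}

/* 2. Nontrivial cleanup without a nested function: the cleanup must know
 * whether the operation was committed. That flag lives inside the guarded
 * variable itself, so the plain (non-nested) cleanup function can see it. */
struct tx_guard {
    int committed;
};

static void cleanup_tx(struct tx_guard *g)
{
    if (!g->committed)
        rollbacks_run++;            /* roll back on any non-committed exit */
}
#define _cleanup_tx_ __attribute__((cleanup(cleanup_tx)))

/* Returns 0 when the transfer commits, -1 when it is rejected (rolled back). */
int transfer(int amount, int balance)
{
    _cleanup_tx_ struct tx_guard tx = { .committed = 0 };

    if (amount <= 0 || amount > balance)
        return -1;                  /* tx.committed == 0: rollback runs */
    /* ... apply the transfer ... */
    tx.committed = 1;
    return 0;                       /* cleanup runs, sees committed, does nothing */
}

int frees_so_far(void) { return frees_run; }
int rollbacks_so_far(void) { return rollbacks_run; }
```

The guard-struct trick covers cleanups whose behaviour depends on state you can put in the guarded object. A cleanup that needs other locals of the enclosing function (something a `defer` body gets for free) has no such home, and that is where GCC's nested functions come in, which clang does not support at all.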
earenndil commented on A Defer Statement for C   github.com/moon-chilled/D... · Posted by u/pcr910303
mhh__ · 5 years ago
And for that concept generalised see scope statements in D
earenndil · 5 years ago
Raku has something similar.
earenndil commented on A Defer Statement for C   github.com/moon-chilled/D... · Posted by u/pcr910303
devit · 5 years ago
Moving to C++ seems wiser than using a dubious hack like this.
earenndil · 5 years ago
I wrote on reddit[1] about why I prefer this over c++:

> It's not a technical problem, but a social problem. Yes, I would definitely prefer the c++ RAII (and refcounts would be nice too). If you say 'my project is in c++', that sends a certain message to prospective contributors, about what your priorities and ideals are. It can attract certain kinds of contributors and discourage others. Then you have the problem of how to define your subset of c++. It's easy to say 'no exceptions, no RTTI, no STL'. But there are subtler things. As you mention, templates are occasionally useful. But sometimes they're completely superfluous. Do you allow virtual functions? Multiple inheritance? The answer is almost invariably 'maybe'; you have to exercise taste. I can do that by myself, for my own project. But if I want to be able to accept contributions from others, I need a clearer set of contribution guidelines than 'wherever my whimsy takes me', and for such a purpose 'whatever the c compiler accepts' is the best I can do.

> Also, tcc is about 10x faster than gcc and clang, which makes development a joy.

1: https://www.reddit.com/r/programming/comments/f4gb6n/i_made_...

earenndil commented on A Defer Statement for C   github.com/moon-chilled/D... · Posted by u/pcr910303
earenndil · 5 years ago
Author of the library here; AMA.

About
Account no longer in use; see 'moonchild'