mlfreeman commented on You want microservices, but do you need them?   docker.com/blog/do-you-re... · Posted by u/tsenturk
devmor · 25 days ago
I feel that if you have multiple sets of application logic that need to access the same data, there should be an internal API between them and the database that keeps that access to spec.
mlfreeman · 25 days ago
Only allow clients to execute stored procedures?
mlfreeman commented on US Defense Department will stop providing satellite weather data   text.npr.org/nx-s1-544612... · Posted by u/drewr
mlfreeman · 6 months ago
Are the satellites being turned off, or could people with SDRs pick this up directly from space and offer it up for free?
mlfreeman commented on Tj-actions/changed-files GitHub Action Compromised – used by over 23K repos   stepsecurity.io/blog/hard... · Posted by u/varunsharma07
lenkite · 9 months ago
This is why I have begun to prefer languages with comprehensive, batteries-included standard libraries so that you need very few dependencies. Dep management has become a full-time headache nowadays, with significant effort going into CVE analysis.
mlfreeman · 9 months ago
I think this is the root of the problem.

I think library/runtime makers aren't saying "let's make an official/blessed take on this thing that a large number of users are doing" as much as they should.

Popular libraries for a given runtime/language should be funded/bought/cloned by the runtime makers (e.g. MS for .NET, IBM/Oracle for Java) more than they are now.

I know someone will inevitably mention concerns about monopolies/anti-trust/"stifling innovation" but I don't really care. Sometimes you have to standardize some things to unlock new opportunities.

mlfreeman commented on In memoriam   onlinesafetyact.co.uk/in_... · Posted by u/ColinWright
aimazon · 10 months ago
There has been new information since that blog post which has reaffirmed the "this is much ado about nothing" takes because Ofcom have said that they do not want to be a burden on smaller sites.

https://www.ofcom.org.uk/online-safety/illegal-and-harmful-c...

"We’ve heard concerns from some smaller services that the new rules will be too burdensome for them. Some of them believe they don’t have the resources to dedicate to assessing risk on their platforms, and to making sure they have measures in place to help them comply with the rules. As a result, some smaller services feel they might need to shut down completely.

So, we wanted to reassure those smaller services that this is unlikely to be the case."

mlfreeman · 10 months ago
The use of "unlikely" just screams that Ofcom will eventually pull a Vader..."We are altering the deal, pray we don't alter it any further".

mlfreeman commented on     · Posted by u/impish9208
mlfreeman · a year ago
It appears to literally just be their main page. Menu options bring up content and I logged in and can still see an in-progress complaint I opened on Jan 7th.
mlfreeman commented on Framework for Artificial Intelligence Diffusion   federalregister.gov/docum... · Posted by u/chriskanan
mlfreeman · a year ago
What do the regulators writing this intend for this to slow down/stop?

I can't seem to find any information about that anywhere.

mlfreeman commented on Why we use our own hardware   fastmail.com/blog/why-we-... · Posted by u/nmjenkins
brongondwana · a year ago
1. hoping to have a JMAP archive format at some point which should cover that. I'd hope that normally you'd be fetching a delta update rather than the whole thing. We've got enough bandwidth for a few people to do it, but I wouldn't want every customer pulling their entire archive every week of 99% the same immutable data; that would be kinda sucky.

2. yeah, I'd love that too - we're keen to integrate with everything else that people are using. We have a basic in-house IdP thing for our own staff to authenticate against our hosted services, but haven't scaled it out. This will happen eventually, though I've been burned enough times I don't want to promise a timeframe.

mlfreeman · a year ago
When I back up machines I only pull a full backup 3-4 times a year and then I stack weekly deltas on top of those.

I'd start with that and see how it seemed to work when trying to look through backups and test-restore things.

mlfreeman commented on Why does storing 2FA codes in your password manager make sense?   andygrunwald.com/blog/why... · Posted by u/andygrunwald
cheald · a year ago
I think it's a terrible idea, because it dramatically decreases the attack surface area needed to compromise accounts. 2FA is supposed to be "something you know" and "something you have"; putting your 2FA seeds into your password manager reduces your 2FA to "something you know", and, significantly worse, it's "something you know in the same place as the other thing you know".

The time-variant component is still quite valuable, but it does nothing to protect you in the event of a password manager compromise. This is not a hypothetical; LastPass has suffered multiple breaches, and the more popular a solution, the more likely there are to be attacks against that solution. By keeping your 2FA separate from your password manager, even if it's still just "something you know", it's something you know in a location that's orthogonal to your passwords. If I yield to convenience and use a 2FA desktop app, then now, instead of just attacking my Bitwarden install, you have to successfully attack my Bitwarden install and my 2FA desktop app install to get access to my accounts, and the combination of password managers * 2FA managers is a substantially larger attack surface and requires a significantly more sophisticated attack to get both pieces.

The arguments in the article come down to "well, 2FA mitigates phishing attacks" (true) and "Google Authenticator means you can lose your data easily" (also true). But neither of these is a good argument for why the data should be kept together. It just means "use 2FA", and "use a 2FA manager that lets you directly manage your seeds and keep offsite encrypted backups".

If you can't be bothered to do it properly, then 2FA codes in your password manager is certainly better than not using 2FA at all, but that just makes it a less terrible solution, not a good one.

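To make concrete what cheald means by the seed being the whole second factor: a TOTP code is nothing more than HMAC(seed, floor(now / 30)) truncated to six digits, so whoever holds the seed (the password manager, or an attacker who dumped its vault) can produce a valid code for any instant without the phone. The block below is an added example, not code from the thread or from the linked article; it implements RFC 4226 HOTP and RFC 6238 TOTP from the standard library and checks itself against the published RFC test vectors (the ASCII seed "12345678901234567890"). The `codes_for_future` helper is my own illustration of the attacker's position, not a function from any real tool.

```python
"""TOTP (RFC 6238) computed directly from a stored seed.

Added example, not from the page: a TOTP code is a pure function of
(seed, clock).  Whoever holds the seed can generate codes for any
time step, which is why leaking the seed alongside the password
collapses the second factor.  Test vectors are the RFC 4226 / RFC 6238
SHA-1 vectors for the seed "12345678901234567890".
"""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# RFC 4226 / RFC 6238 reference seed (SHA-1 vectors), as raw bytes.
RFC6238_SEED = b"12345678901234567890"


def decode_base32_secret(secret: str) -> bytes:
    """Decode an otpauth:// style Base32 secret, tolerating the spaces,
    lowercase letters and missing '=' padding that enrolment QR codes and
    authenticator apps commonly produce."""
    cleaned = secret.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(seed: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then the
    'dynamic truncation' of section 5.3, then reduce to `digits` digits."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(seed, msg, algorithm).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, at_time: Optional[float] = None, step: int = 30,
         digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    if at_time is None:
        at_time = time.time()
    return hotp(seed, int(at_time) // step, digits, algorithm)


def verify_totp(seed: bytes, candidate: str, at_time: Optional[float] = None,
                window: int = 1, step: int = 30, digits: int = 6) -> bool:
    """Server-side check: compare (in constant time) against the current
    step and `window` neighbouring steps to tolerate clock drift."""
    if at_time is None:
        at_time = time.time()
    for drift in range(-window, window + 1):
        expected = totp(seed, at_time + drift * step, step=step, digits=digits)
        if hmac.compare_digest(expected, candidate):
            return True
    return False


def codes_for_future(seed: bytes, start: float, count: int, step: int = 30) -> list:
    """Illustration (not a real tool's API): with only the seed, precompute
    the codes for the next `count` steps without touching the victim's device."""
    return [totp(seed, start + i * step, step=step) for i in range(count)]


if __name__ == "__main__":
    # Published RFC 6238 vector: T=59 -> counter 1 -> "94287082" (8 digits).
    print(totp(RFC6238_SEED, 59, digits=8))
    # Codes an attacker holding the seed could line up in advance.
    print(codes_for_future(RFC6238_SEED, 1111111109, 3))
```

Note that `verify_totp` is the relying party's side of the exchange; the client side is just `totp(seed)`. There is no secret other than the seed anywhere in the computation, which is the property the rest of this thread is arguing about.
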
mlfreeman · a year ago
> it does nothing to protect you in the event of a password manager compromise. This is not a hypothetical; LastPass has suffered multiple breaches, and the more popular a solution, the more likely there are to be attacks against that solution.

You can mitigate this risk by not depending on your password manager app to do cross-device sync: keep a file on Dropbox/OneDrive/iCloud Drive/SFTP/etc. and use an app like KeePass/Strongbox/etc. that just deals in managing credentials.

My KeePass file storage provider doesn't know what the hell I store there because it's encrypted (I hope there are no known issues with KeePass's crypto)

As a bonus, you can keep offline backups to mitigate other risks like house fire, lightning strike induced EMP frying things (happened to me), storage vendor goes out of business, and more.

-------------

I think in the end, there is no universal solution - you really have to try to be reasonable about estimating your own personal threats and risks (such as asking "am I more likely to suffer a password manager compromise or more likely to break a device?") to decide whether to keep 2FA next to passwords or not.

mlfreeman commented on Why we use our own hardware   fastmail.com/blog/why-we-... · Posted by u/nmjenkins
caidan · a year ago
I absolutely love Fastmail. I moved off of Gmail years ago with zero regrets. Better UI, better apps, better company, and need I say better service? I still maintain and fetch from a Gmail account so it all just works seamlessly for receiving and sending Gmail, so you don’t have to give anything up either.
mlfreeman · a year ago
I moved from my own colocated 1U running Mailcow to Fastmail and don't regret it one bit. This was an interesting read, glad to see they think things through nice and carefully.

The only things I wish FM had are all software:

1. A takeout-style API to let me grab a complete snapshot once a week with one call

2. The ability to be an IdP for Tailscale.

u/mlfreeman · Karma 101 · Cake day December 8, 2022