I leave another one of my opinions here and go to bed to wake up to an onslaught of hate...

But, salting passwords is problematic.
I'll do it, I am a hypocrite. I don't want to explain to my customers why I haven't done it.

But the issue with a salted passwords is that we defend our users' data against a possible leak. Plus a tiny bonus against timing attacks. It is not defended against us. We can just log the password in clear text or refuse to hash it or hook inbetween reverse proxy and application.

1. When they are salted, we make rainbow table attacks harder. More compute intensive.
2. When they are salted, we cannot quickly identify people with the same password. Therefore not quickly isolating people with a simple password.

And that's bad.

Let me first start to explain one thing. Imagine you have a generated password. Random characters. Like 50 of them. And you used that password on one website. Not on any more. With a password manager. And now you hear that this website leaked their database. Do you worry? Well, no... If that website itself was not embarrassing. You just log in, set a new one, done. You don't care about it.

We only care about salting because upstream users have not used good passwords. Salting is only there to mitigate password reuse. And because it is good at doing that, people keep reusing passwords.

If we didn't mitigate it, the dangers of reusing passwords would be so widely known. Everyone and their grandmothers knew how to keep good passwords. But sadly, we mitigate and most of us are trust worthy.

Users don't meet us. They don't know who we are, they shouldn't give us their everywhere password. But they do. Because we are too trustworthy, we take good care of it and we mitigate the bad outcomes. If a user leaked their password to us, it is too late. They gave it to a party they shouldn't have trusted. Sadly, we turn out to be trustworthy too often.

And if I wanted to steal a huge amount of passwords, I just create a quick website that turns images into gifs or something stupid. Converts webp into png. For free. Just sign up. We conditioned them to trust website services.

Yea, so, basically, my daily PSA, we have done our users a disservice by mitigating damage at a point after the mistake has already happened.

Okay, I get so annoyed by all these comments I read everywhere akin to "just because it is legal doesn't mean it is moral."

Legality is morality. Claiming that it isn't, is amoral.

The problem with morality, I can easily decide on two completely contrary points of view. Can I take your stuff if you have more than I do? Morally? Sure, it is unfair that you have more. No, you earned it, you have a right to possessions.

Laws, at least some of them, are morality put into writing. A little more stiff, but still morals. Some laws just help us not bump into each other by telling us we have to drive on the left side of the road. But many of them are negotiations of a common morality.

If your personal morality doesn't align with that, you're free to take it and to start the negotiation process anew. Get support, change the law. It's arduous and annoying and work intensive, but possible.

But just fucking declaring that what was done is amoral despite being legal, not planning to do anything, just declare the other person amoral is fucking intolerant bullshit and if you do that, you're an asshole.

It's so funny how customers like the small and unimportant things. They are impressed by a display of skill rather than skill.

For instance, I needed to quickly create a password. So, I opened my terminal, typed in as always

dd if=/dev/urandom count=500 | base64 -w 0

Then I copied a random chunk of some 200 to 500 chars and copied it as the temporary password and sent it around.

I was told later on that I impressed with my technical know-how and skills...

But I guess, now that I impressed, I can profit of the halo effect.

Guess, take this as PSA. Sound confident. That's more important than being confident. They have no idea what's going on.

Code tells a story.

It is usually not especially interesting. It is not captivating. But it is a story.

The story often goes like this: Instead of using the class directly, an interface was used. Someone expects this implementation to change a lot. Or they want to break the logic of the code apart. Speed up compilation times. Maybe they plan on having multiple different implementations.

That's, well... no, it is not exciting. But sometimes you look at it and wonder why. And you muse to yourself, what could be the reason for this curious choice. Is the whole project written like that? Maybe two developer developed the feature together and they agreed at the very beginning to write the interface in order to be able to cleanly work in parallel. I did this with a colleague. We worked on a common feature. We decided to write an interface first, then we worked separately and in parallel on the two sides of the interface. In the end we left it in and we were asked why we decided to use an interface.

Code tells a story. But so very often now, the story I hear when I ask why is "copilot did it." Fuck you. And fuck your "hey, copilot says you could do something better" in merge reviews.

I don't care if you want to use AI. I don't think it is good. You dull your skills. But hey, I don't really care about it. I don't care if you decide to use a plastic fork to remove your left eye. I mean, I would have recommended a sharper instrument, but fuck, if you want to mutilate yourself. Go for it. But when git blame tells me it was you who wrote the code, then don't fucking excuse any decision with "copilot did it." And when copilot tells you there is an improvement in my merge request, you don't need to tell me that it came from copilot. That is no authority. If you think copilot is right, you argue for it, and you give me arguments and reasons. But if you don't even understand yourself why it is supposedly better, just fuck off.

Is it just me or is typeorm broken as fuck. I am trying to save an object that is nested a few layers deep. It has all the options. Delete on cascade. Orphan. But it is just not working. It doesn't add new items.

Fuck, I am in no fucking mood today. I am feeling like punching a hole through my wall. And I already spend hours on a fucking piece of shit software that does not do what it promises.

It's always like this.. I read the documentation. It is supposed to do it. Now what? Work around it? Write tons of logic? Dive into the library code? That's fucking bullshit... In the end, if a library doesn't work, you're fucked. You just signed up for days of work if you have to fix it.

Fine... I'll take a fucking look. Who needs sleep anyway

Help me out, am I right wing or left wing?

- I am okay with closed borders and throwing people out who are here illegally.
- I am even okay with open borders and letting everyone in who wants to come.
- I am not okay with dozens over dozens of ways of staying in a country and becoming a citizen after arriving illegally which are just a backdoors, so that we can still claim that we don't have open borders while they are defacto open.

Reddit is so very dead... Today, I read a post in /r/webdev or /r/rust, not sure which one, but both are full with AI bull, that was clearly written by AI. Then most answers were also clearly written by AI. And some of them had answers written by AI.

I wish that was the dead internet theory. But that requires bots to answer to bots. I believe those are people who answer other people, by putting a few bullet points into AI and have it generate their comment.

And yes, I think so little of my fellow humans that I do strongly believe that most of them are unaware that they answering AI with AI.

Got a customer right now who constantly finds new technologies with which the whole app will be built faster and be more flexible.

Oh joy...

Wait wut?
Haven't been here for a while..

Had a rant. Someone replied to me in a new rant. And I thought, what a nut.

However... comments are broken? It just became normal to make new rants? How long already? Anyone already built an aggregator tool?

Honestly, I hate AI.

At least the current push to have to use it.
Companies believe it is the powerhouse of efficiency. I rather code on my own. At least tomorrow I will know what I did.

The reason is quite simple. A code auditor is a harder job than writing code. And AI makes me an auditor. I want more money for a harder job.

So, just to spite the world, I asked a question on Stack Overflow, like the old fart I am. No answers for hours... Then someone was like: "I asked chatGPT for you, that's what it said."

Well, fuck you. It was one of the cases where GPT was right. Still, fuck you.

Found a nice house I want to buy. It is at the moment in foreclosure. So, we need the documents for it, to see if it worth it.

Documents are held by an agency. They want 360 € as an annual subscription service to share it with us. Sure.. No issue, let's contact the court.

Oh, the court says they cannot give us a copy, we can just look at it. After making an appointment in person and driving down there. How is the agency getting it, then? After all, the agency promises access to all foreclosure documents Germany wide. They can give me a fucking copy. Court states on its website, there won't be any answer via email. I need to call them and go down in person.

Well, this is why the game is rigged. I have nothing against a service that accumulates all these information from around the country. That's a fair business model. But then the enshittification started and everyone else gets worse service so I have little choice but to use their service.

I realized that I am old enough now that the first answer to "name a toy adults use in the bedroom" that comes to mind is: Kindle

A thing that I am annoyed that people are getting wrong is security by obscurity.

You have heard of it and being told it is bad. It is so bad that it alone is a counter argument. Let me set you straight:

>>>Security by obscurity is the best security you will ever have<<<

There is an asterisk: It is probably not right for your business. But that is for the end.

Security by obscurity means to hide something away. Most security is based on hiding. You hide your private key or your password or whatever other secret there is. If you had a 2048 long sequence of port knocking, that would be fine, too.. Or it would be fine if it wasn't observable. You could write this down in your documentation and it wouldn't be security by obscurity. It would just be security. Weird, but fine.

The real meat of obscurity is: No one knows that there is someone. The server you port knock looks like a harmless server, but suddenly has an open port to a bad application for an IP, but only if that IP went to 25 other ports first.

In the animal kingdom, there are different survival strategies. One of them is being an apex predator or at least so big and lumbering that no predator wants a piece of you. That's our security. It is upstream security. It is the state.

But what is the rest of the animal kingdom going to do? Well, run away. That works. Not being caught. And those not fast enough? Hide! Just be invisible to the predators. They cannot triple check every leaf and expect to be done with the tree before starving. That's security by obscurity. Or hide in the group. Zebras. Easy to see, hard to track in the group. Look like everyone else.

There is a reason why drug smugglers don't have vaults in the carry-on. Arrive at the customs and just refuse to open the vault. If the vault is good enough. Nope, they lack the upstream security by the state. The state is there enemy, so they need obscurity rather than cryptographic safety.

And so, for a private person, having a port knocking solution or disguising a service as another service is a great idea.

Every cryptography course happily admits that the moment they can catch you physically, cryptography is useless. They also teach you about steganography. But they omit to tell you that obscurity is the second best solution to having a stronger army when you cannot rely on your state as upstream security.

Why did I say, not a good idea for companies?
1. It is self-defeating, since you have to tell it to all employees using it. A shared secret is no secret. And therefore it cannot be documented.
2. It makes working with different servers so much harder if there is a special procedure for all of them to access them. Even if it were documented. (See 1.)
3. You're a company, you are advertising your services. How to hide that you run them?

Do you see how those are not security relevant questions? Those are implementation relevant questions.

Here is an example:
Should you have your admins log into servers as normal users before elevating to root or is that just obscurity? Well, not for security purposes. Because that foothold is so bad, if compromised, it makes little difference. It is for logging purposes, so we have a better server log who logged in. Not only always root. But if our log could differentiate by the used private key, there is no issue with that.

If it is your private stuff, be creative. Hide it. Important skill. And it is not either, or. Encrypt it your backup, then hide it. Port knock, then required an elliptic curve private key to authenticate.

It is a lot of fun, if nothing else. Don't do it with your company. Downsides are too big. Cheaper to hire lawyers if needed.

I am waiting for shoulder buttons for my xbox controller to be delivered from China. Need to wait another week, approximately.

I really need to repair my 3d printer. But even if I did, where to put it. My wife wouldn't be amused if the baby breathes its vapors... Well, need to find a bigger place, I guess.

So, I need to buy a house, so that I can repair my 3d printer, so I can avoid a 2 weeks wait on a replacement part from China.

Hey everyone, I want to showcase today a master class in divisiveness.

The topic, the white house has just reacted to the "Elon is not elected" allegations. Explaining in a "civics lesson," that only the president is elected, the rest of his staff appointed. A good point, on the surface.

But also, a master class of divisiveness. From both sides.

May I introduce our characters: We have Smart Left (SL), Dumb Left (DL), Smart Right (SR), and Dumb Right (DR).

And me, Tray, your omniscient (read, unreliable) narrator.

Scene 1, act 1 - The left side:
SL enters stage, below him a crowd of DL.
SL: "Elon is not elected!"
Tray: "SL was not malicious, he did mean it. He knew how government works. It is but an ironic jab, pointing out his believe Elon having more influence over Trump than vice versa. Looking down at the DLs, they did not understand it."
DLs take up the chant: "Elon is not elected."

Act 1 Scene 2 - The right side.
DRs irritated about the accusation.
SR: "It is called an appointment."
Tray: "SR is aware what SL meant, however an explanation is warranted for DL. Yet, is it already misleading not to point out that SL knew? The original accusation remained unanswered. That doesn't mean it is correct, nor incorrect. It only means that it is most advantageous to not draw attention to it."
DRs chant: "Lefties need civic lesson."

Act 1 Scene 3 - The left side.
DLs: Outraged about being lectured at.
SL: "Of course we know about appointments, that is just a straw man attack."
Tray. "SL is aware that many of their own do need a civics lesson."
DLs chant: "Straw man Trump, straw man Trump."

Act 1 Scene 4 - The right side:
SR: "The accusation of straw manning is insulting. They make claims and do not stand to them."
Tray: "Also here a malicious act. They could explain their original target audience. But they do not want to give an inch, not admitting a point the other side made.
DRs chant: "Straw manning left. Straw manning left."

And that's the drama in 4 scenes. We are at scene 2 right now. But that's just a single act. The original accusation was not debated. Neither by L nor by R. The accusation was always dominated by the chants of those who carry the the prefix "D" in the name. "S" doesn't speak to "S." "S" only speaks to "D." Has to be, they have to react to the loudest.

It is in the nature of democracy. If all of our voices are worth the same, then bigger clusters of voices are more important. We should not assume that truthfulness and scientific rigor will prevail. After all, in human's evolutionary history, science and engineering was hampered by people and only developed to this degree because the environment positively selected for it. After all, being correct is a survival advantage. Democracy does not select for being correct, but for creating the biggest unity.

My university sent me a signed paper. The signature was the ugliest, handwritten, version of a name. It was like a child signing their name for the very first time.

I am so happy, I am not alone with that problem. Thank you, university administrator, for sharing my plight.

Installing applications on Linux became more like Windows. It's not something new, something that went on for years. But I just realized right now, when I tried to go to the minicube website.

I go to the website, because I want to see which install methods they actively support and keep up to date.

Is it Snap? Flatpak? Do they have a private repository for deb? Maybe some rpm? An AppImage? Maybe they keep their nix version up-to-date.

I have gone with the integrated searches of all of those and have gotten Software that barely works, just to find out, it is horiffically outdated. And I just realized, going to the website and checking how they offer the newest software is now normal for me.

Soon, they will only offer AppImages and integrate updaters into their softwares. And we will have gone full Windows. Funnily in a time in which Windows Store and 3rd party tools like chocolatey finally become really viable.

I hate quotes.

Just handed out a quote. Had to look through the project, guesstimate everything. Hard to do anyway accurately. Write bunch of stuff up. Easily took me in the end around 4 hours.

4 hours just to have someone tell me, I am too expensive. I mean, at this part it is a gamble. The other side accepts my quote or denies it. But, if they deny it, I worked for free. And that's bugs me.

But hey, next company, guess what, the hourly rate, there is the quote for the last company hidden inside and for all other companies who rejected my offer divided by all the companies who hired me. You're not only paying my fee, but for all quotes that got denied. Surprise!

Anyway, it is sent off. Now, the waiting begins. Time to find some work to fill the waiting.

How the fuck is that a thing.

I understand when you're application requires a lock file. But put it in temp. I get it, you want it user specific. You can put it still in temp. Just add the user to the lockfile's name.

Don't put it in the config. Yea, had to reboot without letting my applications close properly. After a reboot, a lockfile should be automatically removed.

Here's an idea, if you're really that terrified of leaking the information, that the application is in use, to other users of the computer, which could probably just look at the processes to figure that one out, check the lock file's last modified timestamp and compare it with the uptime.

Because, it is just annoying when I reboot the computer and I cannot start the application because the fucking lockfile is still there.

Looking at you, datagrip. I really need to find a good open source alternative for my databases.

I hate the idea of dog whistles.

For those who do not know what I am talking about: A dog whistle, next to being a physical object you blow in that makes a sound dogs can hear, but is too high in frequency for most humans to hear, can also refer to a hidden sign for a group or ideology that is supposed to be only known by its members.

Here, in Germany, we usually use it for Nazi groups. Hey, 88 is a dog whistle for Nazis, because, the 8th letter in the alphabet is the 'H', and 'HH' stands for Heil Hitler. Alright, got it.

But how the fuck am I supposed to know it? I am not a member of those groups. Well, other people, who look at them tell closely, told me. In a way, you want me to keep up with them, so I can know the newest dog whistles to avoid them?

Another famous one is the attempt to claim the okay sign is a symbol for white power. But here I stand and say, no. I was making this sign all along. I did not signal white power. I was signalling that everything is okay.

And isn't that racist in the first place. Black people cannot swim stereotype. And then they choose the white power signal from diver's sign language? Because they knew, no black person was a diver? Don't mind me, I am just taking the piss.

Then there was Elon Musk. I don't like Elon, I think he's an idiot. I also think that he made it possible for lots of tax money to flow into SpaceX and pay really smart people to work on rockets, which I like. Somehow, in a modern world, we have to do that instead of just funding NASA. Anyway, he is accused of doing a Nazi salute.

But if that was a Nazi salute, that was the sloppiest Nazi salute ever. It was akin to a dog whistle to a Nazi salute. Every proper Nazi should tell him how embarrassing his salute was. But instead, the Overton window on a Nazi salute widens.

We should make fun of him not being capable of doing it right. He would then obviously publicly state he is no Nazi. And some Nazis will believe them.

Ever wondered why in war some national leaders will tout obvious lies? That's because, often due to an information bubble, sometimes because of confirmation bias, many will believe them. If they said the truth, every single one listening would know the truth. If they lied, there is a substantial part of the population ill-informed or invested enough who wants to believe them. And if that's a preferable state, a leader will lie.

Why do we assume that dog whistles are just something we don't understand, but somehow, without writing publicly available guides or news broadcast spelling it out, the subgroup that uses that dog whistle, perfectly understands its meaning.

Recently AfD, German right wing party, had a party conference, and the number and position of the flags on stage was somehow aligned with the number of... what was it... SS branches or something in the third reich? Come one, you're reaching now. You tell me that right wingers are so well informed history buffs that they would ace any history exam about it and equate every subliminal message?

I probably had a dozen dog whistles in this text that I don't know of. Do you know how those groups actually learn about their own dog whistles? Standard media tells them that is their groups dog whistle and they copy it. Copy cat. Funny side note, that's how satanism actually started. Copy cats from stories from the church. They tried to scare people about those evildoers. At least that's one popular hypothesis. Aleister Crowley, not Church of Satan satanism.

Anyway, I hate dog whistles. We commit them constantly, we cannot avoid it and it incriminates everyone. It keeps broadening the definition of every forbidden/frowned upon action. It's shit. If you argue dog whistle, I think you're a moron.

I don't know why you guys would voluntarily choose this piss yellow as the banner of your rants.

But no longer will it hurt my eyes. Thanks tampermonkey.

It's okay around a profile pictures, but having it stretched through the whole screen is just painful.

We're fucked.

I was having a debate on Reddit. A topic I brought up here already. Genetics and the mommies in my local baby group.

I was downvoted to hell for my conclusion those mommies cheated. Don't get me wrong, my conclusion was, they most likely cheated. I use high school genetics as heuristics, saying that its outcomes aligns with the question often enough to be a good decision maker.

A strategy manifested. Some people wrote long scientific correct arguments, just to block me the moment they sent it. For me it looks just like they deleted themselves and their account. I can still read it when logged out.

I just created a new account to reply to them. Went without a hitch, except that when I checked back in incognito, my replies weren't there. I assume they don't allow accounts that are too new. Reading from incognito, it was like they had the last word and I couldn't answer. The problem, they actually admitted to my points and built a straw men to the other points and I cannot point that out anymore.

I also thought, I should find a few people to hang out online with. So I started to play an MMO. After all, I am a daddy now, not so much time to find people. Only have nights. Besides the discords always being empty, all guilds I joined had the same thing in their rule set: "Do not discuss religion or politics."

Let me explain you something about democracy. It lives on debates. If you think you do not want to speak about your political opinions, then you're anti-democratic. Why are we allowed to vote? So, that everyone with a political opinion will find a decider. If we do not discuss, we are just at the mercy of advertisement. Most of us do not look deeply into topics, but some do. We trust them, because we know them. We have those smart people around it. Democracy is based upon "My neighbor has said and I trust him." That's how it works.

Forbidding political discourse, hiding downvoted opinions and using tricks, so the other party cannot reply in time or only with troubles is the death of democracy. That's how it ended. Because we're too butt hurt to even talk to each other, have the conversations. And I am sick of it.

And no, you cannot say, this is just a friendly group about knitting. The price of democracy is that all groups are political forums. And jobs. Everything. We do expect you to be adult enough to work with someone who has a different opinion from you. Who might even dislike you. Otherwise, the outcome is that all spaces where you would meet people that have different opinions are non-political and all political spaces are echo chambers in which you meet those people who are at best the staunchest warriors of a side instead of the normal person.

I bet two people of two different ideologies, who aren't deeply ingrained in it, have more in common than a person deeply ingrained and one that is not from the same ideology. But you wouldn't know that in today's echo chambers.

Just finished setting up immich on my server. Using the prepared docker compose file. But I renamed the docker image of the database. It was called postgres. I renamed it to immich_postgres. After all, I want to know that this container belongs to immich.

Half an hour troubleshooting later, I figured out why I get a login failed error message. Login did not fail, connection did. Why? Because, they rely on the postgres name as an alias. They could have put an explicit alias for dns, they could have used the configuration name, after all they used it in the depends_on section. But they decided to refer to it via the automatically assigned name. Really? Container name? That one thing in the configuration that is supposed to be unique?

Did you really think that was the only postgres database on the server? Maybe I should centralize it into a single database, but I like when my applications can run without outside dependencies. Proper documentation would have been nice. I am sure they mention it somewhere.

Got a child. Little under a year old.
We go to a little baby group nearby. We visit it from time to time. Just like 6 different babies there.

One baby has brown eyes. Mommy and daddy have blue eyes. Oh...

Next baby is blonde. Mommy is blonde. Daddy is blonde. Someone commented, that blonde was very likely with mommy and daddy. She said, no, her mother-in-law is black haired. She proves it by saying, her oldest son has black hair.... Oh....

Out of 6 parents pairs, we had 2 cheating. 1/3. And for the other 4, well, we only ever met the mother and they have not told us anything about their husbands.

This leads me to only one conclusion: People are terrible in high school level genetics. I know, it is not 100% correct, there are special cases and exceptions. But it it 99% correct.

To quote Rex Harrison: "This is what the British population calls an elementary education."

I am still salty that git master was renamed to main... I mean, the rename is stupid, but when you remain it, why not bough? Bough was the obvious and perfect choice...

Procastinator's tricks to be productive: Schedule messages

I hate to write people. They could answer. My whole plan might be thrown off. But when is the best time to answer them? The day after tomorrow? Too late. Tomorrow. Around 10? Thank you to all messengers that allow me to schedule a message. Instead of procrastinating, I answer, I schedule, and if I am in a bad mood, I later come back and abort and rewrite the message nicer.

Went perfectly swimmingly with my happy new year messages. Everyone got them at 00:00. Yes my friend, you're obviously the most important thing in my life, first thing I did was writing you!

All the crypto bots and hire a hacker adverts make no sense. After all, they still need to either go through the API or make a selenium script. Will still take them 1 to 2 hours at least to build it. For what?

To advertise to a dying platform that has a dwindling community, which is on top of it well-versed in programming and technically affine, so that the probability of profiting of it is tiny...

My conjecture: A devrant member is pulling a long running prank.

I bet it's someone like theRealJase. Or someone like that.

Anyone already had a more unrealistic deadline than the writer for the question of week wk386?

Just a quick follow up. I told you guys after rebooting my server by accident, I'll color in the terminals for my ssh connections.

Normal terminal in white. With the code to do it. Just a shell script with the name ssh earlier in the path than the actual ssh. That was the only solution that didn't fuck my auto-completion. compdef was somehow useless. But it is simple.

For some reason I had to hardcode the return color to white. Alacritty was not happy with just a no-color code. But whatever. Super useful. I won't accidentally restart non-host computers now.

Planning on extending this to have different colors according to the host. Like my homelab could be green. Live servers would be red. Dev servers blue. But that's for the future.

Just wanted to share my little improvement that will make my computing saver.

I just rebooted my server by accident because I wanted to play Space Engineers.

Long story short, dual booting. Needed to boot into windows. Typed reboot into my terminal. My terminal was not local. When am I finally getting around to set up my terminal color as red when it is connected to another host?

But two things are good here. This was my own server.. Well, bunch of stuff is running on it, including for my bachelor's thesis. But if that was a server of my company, that would have been worse.

Second thing, my systems are fault tolerant. I reboot once per week at the latest and for systems with fail overs once per day. I know they are coming back up. I don't worry. My Gitlab will be back in 5 minutes at the latest. I am going to reboot and play Space Engineers now.

Reboot your servers guys. Only way to make sure they'll survive reboots!