Devblr - Tumblr Posts
a dinner date with rust
I’m a programmer and as a programmer I write code. There are a bunch of different programming “languages” that you can write code in, and one that I frequently find myself reaching for is called C. “Ok, cool, why do I care?” Well, because C is a monster that will eventually consume all of humanity. Created in the void from which all computing was born, it is The One Language that undergirds all the others. Rarely written but subtly permeating every crevice of our technology. It contains deep, dark secrets understood by only those steeped in the occult, the conduits to the souls of our computers, the systems programmers 🧙 (like me!)
oh and also pretty much every piece of software ever relies on it somehow ^.^ Don’t worry though everything is fine!
“Oh, that sounds Concerning!” you may say. Well, yes! Yes it is. And so Rust was born. The sales pitch for Rust goes something like this: “Rust! Because C is Bad and is Literally The Bane Of Your Existence.” Which... well, they make a compelling case! As a C programmer, I was skeptical of a language that claimed to have all the same features without any of the downsides, but eventually I decided to give it a go.
“Mmmmm tasty!” I say, biting into some bounds-checked arrays. I take a sip of the mutability rules and exclaim “Wow! This really is something incredible!”. For dessert, I decide to order some of their world-renowned ownership/borrowing system. It arrives, piping hot, and I begin to dig in. “Hmmm, this is nice... I think?” Worry begins to slip into my voice. I think to myself, “this does seem useful, but it feels like there’s some trade-off being made here”. The waiter tells me how this was made with the world’s finest data race protection and my worry begins to grow.
A brief tangent on data races:
You know the little people who live inside the computer and make everything work? A data race is when 2+ little people are trying to work on the same project at once without talking to each other or making a plan. Things Will Go Wrong.
Data races are generally very bad and Rust does its very best to make sure that having one is literally impossible. The problem with that is that sometimes, you can have a data race, but it can actually be safe and fine and good! And by sharing the work, the program can finish its work much more quickly! However Rust is very quick to put its foot down and say “No! That’s too risky! I can’t allow you to put yourself in danger like that!” whereas C would say “Yeah, sure, go ahead, good luck ;-)”
So, this is where my dinner date with Rust started to go downhill. One of the things I write a lot of in C are “highly concurrent” programs, which means that they have lots of little computer people working on them at once. It’s tricky, but it’s something I have a lot of expertise in. And when I tried to replicate those programs in Rust, it was fighting me at every turn.
It’s odd because, while Rust is very picky about this stuff, it even provides ways to tell it “Yes, I know what I’m doing, I promise you can trust me.” But these ways are just a little too clunky for my liking and proved to be enough of a pain to manage that it really soured my whole meal. And I was so eager about it too!
I still would like to try Rust from time-to-time on smaller projects, but it’s really unfortunate that it’s just so unergonomic in many of the ways that matter most to me. And while it isn’t a great fit for my use-cases, I’d highly recommend it to anyone who wants to make their first foray into systems programming. For nearly everything aside from my specific use-case it seems to be leaps and bounds ahead of C, and C is really the only thing like it.
Rust is cool, tasty, and elegant to C’s old, rickety, and ugly, and it’s a huge boon for the systems programming ecosystem. But I get the sense that Rust isn’t exactly the C-killer it was made out to be and that C still has a place in the ecosystem (and our hearts 💖)
Yes! This is also an excellent point! The issue here is not one inherent in smart devices, it’s created because of how they’re designed and built. It would be very possible (and in some ways easier) to build devices that did not suffer from these issues. If it’s not possible to connect to the device from outside your home network, there’s no way anyone else could get to it! I don’t do this kind of work personally, but my (semi-educated) guess is that the “phone-home” functionality is a substantive proportion of those devices’ software and it really doesn’t need to be (most of the time).
The issue is that it’s hard (on a technical level) to separate “bad” internet usage (i.e. to send usage data or to grant remote access) from “good” internet usage (i.e. sending a firmware update or re-ordering more soap). While there’s a certain degree that you can manage that on a personal level, at some point you simply have to trust the manufacturer to not be evil. Which... yeah they’re evil :(
So how do we fix this? Well, you can just not buy smart products (that’s what I do!), but what if they’re huge quality-of-life improvements? Or maybe you just think they’re fun and want to play around without putting your privacy at risk.
The only really good solution to all these issues is that companies need to stop creating products that do these things. And the only way to force that to happen is through legislation. We need more legislation like the GDPR in the EU which explicitly describes your privacy rights on the internet (among many other excellent features).
So! Next time you see a call-to-action to “call your legislator” to “protect internet privacy” -- actually do it. It really does make a difference :)
hell world hell world hell world
WHY DOES YOUR SOAP NEED INTERNET
You ever start using a tool for a project and the vibes are just sliiiiightly off? That’s how I feel about actix-web. It seems nice, but I get the impression there may be something more sinister under the surface.
Tomorrow I am going to try out tide as an actix-web replacement and I will report back to you on how it goes. I’m worried because it seems a little disorganized/undirected but I think it’ll work out. I will need to pull in some new components to do connection pooling and the rest. Argh I really wish rocket had websocket support so I could use that :(
Today me and my “significant other” have been having a rough go of it :(
I asked him to move his Windows to a new drive, but he’s been making it really hard for me... I thought that by copying his primary NTFS partition and then recreating a new EFI partition for him, he'd be happy, but alas I think I’ve only made things worse :/ Now, our mutual friend UEFI refuses to acknowledge that we’ve both moved on to a new drive and I can’t seem to convince UEFI to see sense. So Windows is still stuck in his original drive despite our MUTUAL desire to move, and I’m just left feeling lost and confused :’(
Maximum PC - May 1999
Probably a poorly selected query plan for UPDATE Students SET knowledge="..." :/ Perhaps your prof needs a lesson on query optimization...
just realized i have no idea what we're doing in databases despite attending every single class
...
...
...
oh wait my prof doesn't take classes like a normal instructor oh no he takes 1 out of the 3 scheduled classes per week and then speeds through lectures at 5x speed man could give usain bolt a run for his money 🤦♀️
I tide-ed! The tide! It rise-ed! I tried tide! (ooo that’s a tongue twister!)
So, first impressions were very bad because the docs on cargo.io told me to install a version TWO WHOLE VERSIONS behind the actual correct one which just gives bad juju about the whole entire project. Y’know, if you can’t update something as simple as that, who’s to say any of the other docs are up to date?
And, very basic things like wiring up a database using shared state (across requests) seemed very poorly explained or totally undocumented when I dug around in the tide docs/repo (which in retrospect isn’t actually on the tide people but sssh I didn’t know that when I was getting this bad impression).
See, the tide docs did cover state, but because Diesel has connection pooling (which requires shared ownership), rust really didn’t like to put Diesel’s connection pool into tide’s state. These are the sort of compatibility problems that you hit when you use an unopinionated project like tide, but usually the devs try and smooth it over with good docs and maybe some special compatibility packages to fill the gaps.
It took me a while of digging through random github repos to figure out that actually this was Diesel’s fault, not tide’s! Diesel just didn’t really document their connection pooling features at all (the crates.io page for that module is nearly empty) and in my confusion I ended up using the wrong struct by accident.
That was the problem that I thought was being caused by tide’s state! Man, for a community as fast moving as rust and as assertive about how clean code and good docs are important, some major projects are really lacking :/
SO anyways, all that’s sorted now and on the whole tide looks pretty nice! It really reminds me of my early days with Sinatra in ruby, and I think it’ll do, at least until something more mature like Rocket gets websocket support.
Anyways, tl;dr the project is back on the rails 😎 (but not ruby on rails)
Cloudflare lives in an interesting niche on the 'net. When we talk about the internet, we typically think of it as a bunch of "servers" (or "hosts", which "host" websites) and "clients" (like web browsers, which "receive" websites). In this model, a "client" (anyone with an internet connection) connects to a "server" and asks it for a website. The server will then give them that website. But, when we really get down to it, the server is just a computer, much like your laptop/desktop/phone/tablet, but instead of asking for (or "requesting") websites, it's configured to answer those requests.
Now, most people on the internet don't know the intimacies of configuring a computer to answer (or "serve") these requests, and so if they want to make a website, they'll pay somebody to run the actual "server"/"host" computer for them. There's a whole industry of "hosting providers" that will give you a computer (or "host") to host your website on. Then, all you have to do is point your domain name at your hosting provider (using a system called DNS, which I've talked about in the past) and everything starts working!
This is not what cloudflare does (ok technically they have recently started doing this a little bit, but 99% of the things they are doing isn't this). Nobody actually uses cloudflare as their hosting provider because it's not really a service they even offer. Cloudflare solves a different problem which I think at this point literally everyone on the internet has heard of: DoS or DDoS attacks.
We've all heard the term thrown around in different contexts, but for our purposes we're going to need to get a little more specific. When a computer is "serving" a website (responding to requests for it), it's like running an application on your computer, let's use a text editor as an example. Answering a request is similar to opening a new document, adding a few words, then closing it. Under normal conditions, this does not break your computer [citation needed]. In fact, your computer can probably handle tens of documents opening and closing at the same time without a hitch. However, if you wrote a program that would open and close a document like this hundreds or even thousands of times every second, your entire computer would slow to a halt, CPU usage would go to 100%, and it would become totally unusable.
That is what a DoS (denial of service) attack is -- sending far more (phony) requests than the server/host can handle, causing it to no longer be able to answer any requests (legitimate or phony). DDoS is the same idea, but distributed (that's the first "D" in "DDoS"). In that case, the requests are coming from thousands of different client computers so it's much harder to block. The details of how these attacks are actually run aren't super relevant, they'll usually also leverage several very technical tricks to make things even worse and even harder to block but that's beside the point.
It used to be that anyone who could pay for a big enough network of computers could DDoS and successfully take down nearly any site on the internet. Because of this, a new type of service popped up: DDoS protection/mitigation (which is the 99.9% of cloudflare's business that I mentioned earlier). There are different ways to do DDoS protection, but the way cloudflare does it is by sticking themselves between the "client" (browser) and "server" (website host). From that position, they're able to scan every request from a client before it reaches the server/host and potentially block it if they determine it to be part of an attack. So, if you're trying to connect to a Cloudflare secured website, instead of directly connecting to the host/server, you will actually be connecting to cloudflare, who will then examine your request and only pass it on to the actual ("origin") server if they deem it to be safe.
This, if you haven't already gathered, is an incredibly valuable and useful service to anyone who wants to run a website. And cloudflare provides it for free. no strings attached. zero dollars. to anyone on the internet. A good metaphor for cloudflare is a home security system, but if those companies just gave out free systems to anyone who asked.
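As an added example (my Python, not the post's code), here is the per-client decision a proxy sitting in Cloudflare's position makes: a sliding-window request counter replayed over a constructed access log, where one address sends the "hundreds of requests every second" the post describes. The log format, the addresses and the 100-requests-per-second threshold are assumptions; counting per address is also exactly what a *distributed* attack is built to slip past, which is why it is one layer rather than the whole answer.

```python
# Added example, not from the original post: a sliding-window request counter
# in the position the post gives Cloudflare, in front of the origin. Log format,
# addresses and the 100-requests-per-second threshold are assumptions.
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple

# Constructed access log: "<unix_time> <client_ip> <method> <path>".
# 10.0.0.9 plays the flooding client (300 requests in 0.3 s); the other two
# addresses behave like ordinary browsers.
SAMPLE_LOG = (
    "1700000000.000 203.0.113.5 GET /\n"
    "1700000000.100 198.51.100.7 GET /about\n"
    "1700000000.200 203.0.113.5 GET /style.css\n"
    + "".join(f"1700000000.{i:03d} 10.0.0.9 GET /search?q={i}\n" for i in range(300))
    + "1700000001.500 198.51.100.7 GET /contact\n"
)


class SlidingWindowLimiter:
    """Per-client limiter: at most `max_requests` forwarded requests in any
    `window` seconds. Rejected requests are not counted, so a client that backs
    off recovers as soon as its earlier requests age out of the window."""

    def __init__(self, max_requests: int = 100, window: float = 1.0) -> None:
        self.max_requests = max_requests
        self.window = window
        self._seen: Dict[str, Deque[float]] = defaultdict(deque)

    def allow(self, client: str, now: float) -> bool:
        history = self._seen[client]
        # Drop timestamps that have left the window.
        while history and now - history[0] >= self.window:
            history.popleft()
        if len(history) >= self.max_requests:
            return False
        history.append(now)
        return True


def parse_line(line: str) -> Tuple[float, str, str, str]:
    """Parse one constructed log line into (time, client, method, path)."""
    ts, client, method, path = line.split(" ", 3)
    return float(ts), client, method, path


def filter_log(log: str, limiter: SlidingWindowLimiter) -> Dict[str, Dict[str, int]]:
    """Replay the log through the limiter and return, per client, how many
    requests would have reached the origin and how many were dropped."""
    stats: Dict[str, Dict[str, int]] = defaultdict(lambda: {"forwarded": 0, "blocked": 0})
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, client, _method, _path = parse_line(line)
        verdict = "forwarded" if limiter.allow(client, ts) else "blocked"
        stats[client][verdict] += 1
    return dict(stats)


def flooding_clients(stats: Dict[str, Dict[str, int]], min_blocked: int = 1) -> List[str]:
    """Clients with at least `min_blocked` dropped requests: the ones that sent
    more than the origin could have answered."""
    return sorted(c for c, s in stats.items() if s["blocked"] >= min_blocked)


if __name__ == "__main__":
    result = filter_log(SAMPLE_LOG, SlidingWindowLimiter())
    for client, s in sorted(result.items()):
        print(f"{client:15} forwarded={s['forwarded']:4} blocked={s['blocked']:4}")
    print("flooding:", flooding_clients(result))
```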
So, now that we all understand what cloudflare is and where they sit in the web ecosystem, I'm going to talk a little about the recent news (the kiwifarms ban) and why it's a much more interesting case than a typical website takedown.
Typically, when trying to get a website taken down, the usual targets are either a) the person who owns and runs the website or b) the web hosting provider that the owner is using. These are obvious targets because they cut the website off instantly and directly. To make an analogy, let's think of a website like a brick and mortar business. The owner of the website is the owner of the business, the hosting provider is the landlord that rents their space to them, and, to bring cloudflare into the picture, cloudflare is their anti-theft system (it could also be the lock on their front door, the alarms when someone smashes a window, etc, it doesn't really matter for the analogy).
If a business is shitty, the only ways to make them shut down would be to target either the owner or the landlord that they rent their physical "platform" from. In this case however, the target was Cloudflare, aka their anti-theft system. This is uncommon mostly because taking down the anti-theft system doesn't actually shut down the business. It just makes it possible for anyone else to break in and destroy things much more easily, which, in the case of kiwifarms, is a large enough group of people that without the anti-theft system, it would likely immediately succumb to attack. I, like most people, would not mind seeing kiwifarms succumbing to these attacks :P
However, what makes this much more interesting is looking at it through the lens of one of the core ideals of the internet: Net Neutrality. "Net Neutrality," in the sense most people are familiar with it, means that an ISP must be "neutral" in how they manage the internet traffic they provide. They're not allowed to treat the traffic differently based on its source or destination. This means that a company like Hulu couldn't pay your ISP to start throttling all traffic going to Netflix so that Hulu looks better, the ISP is required to be neutral.
This is similar to the posture cloudflare has been trying to build, in that cloudflare have tried to position themselves as a similarly "neutral" operation. They treat all traffic from all of their customers (the websites they protect) the exact same way, similar to how your ISP treats data from all of the websites you visit in the exact same way. If cloudflare kicks a site off its service and forces them to use a different service, it's much like your ISP deciding to start blocking netflix and now instead you can only watch netflix on cellular data (which is usually provided by a different company).
Now, I don't want this to be misconstrued so I'm going to make myself 100% clear: I am so fucking glad kiwifarms is gone. What they did is beyond awful and I want to see them gone through any means possible. I also think that this is a very interesting test of cloudflare's posture around neutrality, which is something that has not really been tested before, and I'm curious to see where this goes in the future.
Anyways, hopefully this has revealed a bit more of the nuance around what cloudflare is and why we haven't heard about them banning websites before, despite them serving something like 10% of all internet traffic (that 10% number is from 2016, it's likely much more these days). I just wanted to put together a little explainer because this is a really unprecedented case and I've been watching it with a lot of interest. If you'd like to see cloudflare's official positions, those are up on their blog (1, 2) (which, by the way, I would highly recommend, their blog is great, especially for a technical audience).
If I remember correctly, you mentioned using Vim as your day-to-day text editor. I'm also a fan of Vim and I've finally started to customize it to make it my primary Python editor; any particular plugins you'd suggest, or tips and tricks that you can offer?
Alright you asked for it this is going to be long.
vim and its friends are very handy, there's a lot you can do to make it more livable from the get go without any plugins at all.
My neovim config is here, it's a little out of date but if you want to reference what plugins and so on I have, here
Enable the mouse! It's really handy to be able to click between tabs, around a file, resize splits, etc. when you want to. In your config file put:
set mouse=a
Presumably you already have your movement in vim pretty down pat, but it's worthwhile to go over a movement hint list like this one from Bart Kummel to see if there's any you missed, using G and gg to move to the top and bottom of a file is super handy. Knowing that u and C-r will undo and redo is also good.
Learn how vim's integral split and tab features work. You can :sp and :vs to split horizontally and vertically, and C-w+<direction> to move between splits, alternatively use your mouse. To create a new tab, you can :tabedit <filename> or :tabnew <filename> to open or create a new file in a tab, and then use gt and gT to move through tabs (go tTab) quickly, or again, your mouse. With mouse enabled you can even drag to rearrange tabs and resize splits, way easier than memorizing the commands. More detail on tabs here and splits here.
Learn to use ctags in vim. At the top of your current programming project, run ctags -R . to build a ctags database for the project. Then, in the file, you can use C-] to jump to the definition of any function or variable, and C-t to move back up the stack of tags you've followed. You can even C-w+} to preview the definition in a split. There's way more features, you can learn them here.
Get familiar with visual mode, which will let you select a chunk of text and then cut, paste, find/replace, etc. it. Press in Normal mode to enter Visual mode, and then move around like normal, selecting text. You can then d to delete and cut to clipboard, y to copy to clipboard, or you can apply a find/replace on the selection. Of course, if you've enabled your mouse you can also just click and drag to select.
Learn your regexes, they're an unbelievably fast way to find and edit files. You can do /<regex> to immediately search for the next instance of <regex> and then move to the next and previous match with n and N. Your regex can just be the exact thing, but if you get a handle on basic regex features like word boundaries, repeats, and sets, you can construct very fast and effective searches.
With regexes you can also do find/replace, using :s/find/replace to immediately fire that off on the line you're on, or to affect the entire selection in a visual block. Very useful for renaming functions and variables.
Learn tmux, which isn't a vim thing, but is a general purpose terminal multiplexer. With a tmux session you can spawn multiple terminals in one window, each running their own shell, in separate tabs and splits, and you can background an entire session without closing it. Very useful if you want to create a self-contained programming environment, at work I have a separate tmux session for each bug I'm working on which may have a debugger, several code windows, multiple file explorers, etc. I won't cover tmux in detail here, but I wrote about it for some undergrads once and you can find my notes on that in section two of this document. If you're configuring tmux, hit me up, but my config is not suitable for general consumption.
That's about all the vim techniques I use on a daily basis at work, there's way more depth you can get into to go even faster but with those you can do all the things a conventional editor's Edit menu would do without ever leaving your keyboard. Less commonly used features includes the macro system, folds, and using the built-in file browser. I barely touch these.
Plugins:
I don't use a ton of plugins, I stick to a relatively vanilla vim experience because it means that you won't be so lost when you sit down at someone else's config. I recommend mostly adding rather than changing, although I absolutely do have things like remapping my leader key to ,
I also don't have a ton of my plugins setup because this is a new computer, so I won't have demo photos.
I use neovim, which is a vim fork that focuses on being more modern, having saner defaults, and expanding the programming interface to languages other than vimscript. This is nice, because it means you can write plugins in a modern language like python, rust, or C++. For all intents and purposes to the average end user it is indistinguishable from vim, but the plugins I use might sometimes be nvim specific and I'll try to call out vim equivalents if I remember.
Tim Pope is the most influential vimscript programmer of the generation, having written everything from git managers to plugin installers to the de facto standard aftermarket vim default configuration. Flip through his repos and see if anything strikes your fancy. Many people like vim-surround which enables modern-editor style automatic insertion of matching braces, apostrophes, angle brackets, etc.
Neovim Completion Manager, an autocomplete tool built for Neovim. Combine it with Jedi to do intelligent python completion, pyclang for C/++ completion. The vim equivalents would be YouCompleteMe or Deoplete which is apparently now ddc. I've no preference, having used both a little, but YouCompleteMe is more popular.
Ale by w0rp, a linter that will mark out syntax errors. Nonessential, but a handy little thing, saves a lot of time, gives you relevant compiler errors right where they are.
ctrlp, a clone of sublimetext's infamous ctrl-p fuzzy search, a good way to quickly switch files in vim. Vaguely mash out something that looks like the file you want to open, and ctrlp will usually find it.
IndentLine, especially good for Python, shows vertical lines and leading spaces at your indent levels like you'd find in modern graphical editors.
That's about everything I use regularly, you can really go deep in on customizing vim into your perfect IDE, but I like to keep it light.
Most people wouldn't say that Stack Overflow is in any way obscure, but then again most people don't really go below the surface of simply asking and maybe answering. Most people have no idea that, for example, Stack Overflow has its own chat server which, although it hasn't been updated in years, is quite possibly the best system of its type that I've ever used. In fact, there are actually two different servers, one for Stack Overflow and one for the rest of the Stack Exchange Network.
But that's how I got my start to being online. Way back when I didn't even have any social media, I made a Stack Overflow account to ask a terrible (now deleted (not by me (pretty sure it got roomba'd))) question about some especially tricky programming question that I couldn't solve after days of searching. As I used the site more, I began learning more about how it functions and the systems that underpin it, and eventually found my way to meta and then to chat, where I found a very friendly room of people who were the first real software engineers I got to know.
The only problem is that the userbase on stack overflow skews pretty old, especially compared to me at the time, and I think I picked up a lot of my internet-speak from them. Even now, when talking to people closer to me in age, I frequently get called out for sounding old or being a boomer, which I think is on account of the dialect of internet I first picked up.
Also, feel like I gotta throw this in, but I know stack overflow gets a lot of shit thrown at it for being hard to approach and for being rude/unwelcoming/mean/heavy handed etc etc I'm sure you've heard the refrain. But as someone who's gotten to know how all these systems work, I promise it isn't all that scary once you understand how to approach it. Anyways, I'm getting off topic, but maybe I'll post about how to be a new user on stack overflow one of these days :P
What was your obscure chatroom/forum that you used before social media? Don’t say Gaia Online or Club Penguin. I’m talking obscure.
ok i. love haskell
I'm sorry for this in advance but I've seen one too many of these bullshit memes on CS meme pages and I can't take it anymore
This is a crap regex and here's why:
Who the hell is visiting a website via SMTP? That doesn't even make sense. It's an email protocol for gods sake. FTP is a stretch, but possible I guess (firefox dropped support a year ago, but maybe this screenshot is old or from a lame non-firefox user). You've also forgotten other much saner URI schemes like file:// (local files), ws:// (websockets), among others.
Starting with an optional www, interesting start. The thing is, although we see www used as a subdomain a lot, on a technical level, it's just an arbitrary subdomain. There's nothing special about it. And you forgot to escape the dot so now you've got a wildcard which allows illegal domain name characters in.
Ok, so we're ignoring every non-www subdomain, hmmmm can't think of an obvious example of those you're missing (*cough cough* tumblr blogs *cough cough*). Anyways, good on you for realizing you can have numbers in domain names, but you've missed other domain name allowed characters, most notably the hyphen, best known for how it saved experts-exchange from being known as ExpertSexChange (nothing wrong with Expert Sex Changes but that's not what Experts Exchange was/is for).
Using "any string of letters" for TLDs is certainly a stretch, but I'll let it slide. Aside from an exhaustive list or some approximation of Mozilla's public suffix list, I'm not sure if there's a much better way to do it.
Time to take a look at the path. In a real URI, the path is essentially an arbitrary collection of characters, some of which are URI encoded I guess, but trying to enforce a ton of structure there is just going to go wrong. Which is exactly what this regex does :( Notably, we've disallowed query strings, allowed anchors in the middle of the path, and restricted the character set to be alphanumeric, all of which are going to cause problems.
Also, general regex notes, you'll want to take advantage of the built in character groups like \w and \d for words and numbers, and in the last match group, if you move your \/? out of the group, you'll improve the performance on large URIs. Also, in the future, just don't use a regex for URI matching. Trust me, it gets super fucked super fast, URIs are actually really complex beasts once you get into the weeds there (source: I've been in those weeds).
a regex god
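To make the post's points concrete, here is an added example in Python (mine, not the post's or the meme's code): a constructed stand-in for the criticised regex, rebuilt from the flaws listed above rather than copied from the screenshot, next to the approach the post recommends, which is to parse the URI first and validate the parts. The scheme allow-list and the test URLs are assumptions.

```python
# Added example, not the post's own code: a constructed stand-in for the meme's
# URL regex, rebuilt from the flaws the post lists (not the exact pattern in the
# screenshot), next to the approach the post recommends: parse first, then
# validate the parts.
import re
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed approximation of the criticised regex: smtp in the scheme list,
# an optional "www" followed by an UNESCAPED dot (a wildcard), a host that
# allows only letters and digits (no hyphen, no extra subdomain), and path
# segments that admit "#" mid-path but no "?" for a query string.
NAIVE_URL_RE = re.compile(
    r"^(https?|ftp|smtp):\/\/(www.)?[a-zA-Z0-9]+\.[a-zA-Z]+(\/[a-zA-Z0-9#]+\/?)*$"
)

# One DNS label (RFC 1123 host names): letters, digits and hyphens, 1-63 chars,
# no leading or trailing hyphen. This is the only regex the safe path needs.
LABEL_RE = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")

# Schemes this example accepts (an assumption), including the two the post
# says the meme forgot.
ALLOWED_SCHEMES = {"http", "https", "ws", "wss", "ftp", "file"}


def naive_matches(url: str) -> bool:
    """Verdict of the constructed meme-style regex."""
    return NAIVE_URL_RE.match(url) is not None


def is_valid_hostname(host: str) -> bool:
    """Syntactic host-name check, label by label."""
    if not host or len(host) > 253:
        return False
    return all(LABEL_RE.fullmatch(label) for label in host.rstrip(".").split("."))


def parse_url(url: str) -> Optional[Tuple[str, str, str, str]]:
    """Return (scheme, host, path, query), or None if the URL is not acceptable.
    urlsplit() takes the URI grammar apart (userinfo, port, query and fragment
    included) so no single regex has to encode that structure."""
    try:
        parts = urlsplit(url)
    except ValueError:          # e.g. malformed IPv6 brackets in the authority
        return None
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return None
    host = parts.hostname or ""  # lower-cased, with userinfo and port removed
    if scheme != "file" and not is_valid_hostname(host):
        return None
    return scheme, host, parts.path, parts.query


# Constructed test inputs, each tied to one point in the post.
CASES = [
    "https://experts-exchange.com/",        # hyphen in the host
    "https://example.com/search?q=rust",    # query string
    "https://someblog.tumblr.com/",         # non-www subdomain
    "http://www_example.com",               # unescaped dot lets "_" through
    "smtp://example.com",                   # nobody visits a website over SMTP
    "file:///etc/hosts",                    # scheme the meme forgot
]


def compare(urls: List[str] = CASES):
    """For each URL: (url, naive verdict, parsed result or None)."""
    return [(u, naive_matches(u), parse_url(u)) for u in urls]


if __name__ == "__main__":
    for url, naive, parsed in compare():
        print(f"{url:40} naive={naive!s:5} parsed={parsed}")
```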
This medium article is interesting. It points out some real, important flaws in MFA from a usability perspective that disproportionately impact users who are homeless, have certain types of cognitive disabilities or have mobility limitations, and does a great job explaining exactly why it's hard for members of those groups (also, side-note, it's just a pain in the neck even if you're fully abled / neurotypical). It requires you to keep track of a second device, it requires you to have a phone, it requires you to not be easily distracted, among other important problems.
However, once it moves from talking about the ways people struggle with MFA to searching for the root of the problem and concluding that it "outsources the responsibility for keeping a platform safe... onto users" and that "it's a Band-Aid... in lieu of developing systems that protect the entire platform" it seems like the author doesn't quite understand precisely why MFA exists and what it's supposed to protect against.
This (in combination with reading the notes) made me realize that most people just aren't really clear on why MFA/2FA is even a thing and why it's become so widely adopted. No, it doesn't help you if a breach happens, and no it's not offloading security from the company to the users.
So, seeing this I thought I'd take some time to explain exactly what MFA protects against and why it's not "outsourcing responsibility" as much as it is dealing with the fact that passwords suck (something which the author also points out as disproportionately affecting people with cognitive/physical disabilities!). The very real issues that the author points out are actually not with MFA at all -- it's with lazy and inadequate implementations of MFA. And I've got some great news for OP -- the future looks bright and may even eliminate passwords altogether.
MFA/2FA (same thing, different terms) exists because passwords suck. They suck to come up with, they suck to remember / keep track of (password managers make this easier, but that really is a band-aid), and they also suck to track on the back-end of whichever website you're logging in to. Passwords truly are the bane of the modern internet for far more reasons than I care to list.
The biggest problem is that people are very very bad at coming up with truly random passwords even once, much less the literal hundreds of times we're asked to do it on the modern web. Even if you only came up with one password and used it for everything, people tend to use things like their first/last names, birthdays, words relating to celebrities/interests/hobbies, and data that is generally not too hard to social-engineer because they know they need to remember the passwords in the future because those things are, well, memorable.
The reason this is a problem is because as the internet has grown and the computing power that an average person has at their disposal increases, password guessing technology has improved as well, to a point where many many passwords are guessable in mere minutes/hours. So, how do websites keep users safe in light of this? Well, they can try and add rate limits so that only a fixed number of attempts are allowed every minute/hour, but then an attacker can just lock you out by using up all the attempts. Similarly they can try and target blocks by location / IP address, but when an attacker can easily use a botnet, they have access to near infinite locations / IP addresses, so that's totally inadequate.
We need a better way to make sure people are who they say they are. This is where MFA comes in. The idea of MFA is that you have Multiple Factors, the factors being 1) "something you know" (a password) and additionally 2) "something you have" (a phone, usb-key, etc). While an attacker can trial-and-error guess "what you know" from anywhere in the world, it's much harder for them to steal something you have. If you think of a password like a key to your house, this makes a lot of sense. Part of what makes your home key so secure is that someone would need physical access to it in order to get in.
Ok, MFA is a neat idea to solve a big problem. The question is: what exactly do we do to confirm that you have this second factor, this "thing you have"? Well, there are a number of things that are used in the wild (ranked by security from crappiest to least crappy):
Type in these magic numbers you got via text message / call (thing-you-have is access to a phone number)
Use an authenticator app on your phone that will give you some magic numbers or a push notification (thing-you-have is an authenticator app)
Physical keys (most popularly yubikey) that you have to touch in order to log in (thing-you-have is the physical key)
And hardware-based keys built into the device you're already using (you probably haven't seen these yet, they're the "cutting-edge" of MFA, but here the thing-you-have is that specific device)
The worst version of this for both accessibility AND security is text messages (via SMS) and phone calls. Here, the thing-you-have is access to a given phone number, which is technically a thing-you-have but suffers from a crapload of issues: 1) SMS / phone calls are notoriously insecure, 2) it requires cell service, 3) it requires you to give them your phone number, 4) your phone number can change or you can lose access to it, and 5) it clogs up your text messages, which is just annoying.
So why does this exist? On a technical level, text/call-based 2FA is the easiest/laziest way to go, especially if you already collect phone numbers (or want an excuse to). However, not everyone who has a phone also has a phone number, you're counting on the cell company to not have an outage and just... fail to deliver the codes, it's all flaky and gross and kinda sucks all around, but luckily it seems to be slowly giving way to our next idea!
A much better way to confirm this "something you have" factor is the authenticator app (push-notification based or code based; most apps can do either). This solves a lot of the issues of phone-number-based auth, and can even work without any internet / cell service using the 6-digit code (google TOTP or RFC 6238 for technical details, it's neat). However, it still requires you to have a phone so that you can either answer the push notification or type in the code, both of which are annoying, and, as the medium author mentions, not everyone has a phone.
This is where physical keys come in. Phones are expensive, break easily, and are easy to lose track of (temporarily or permanently); USB keys are less expensive, harder to break, and you can just leave them plugged into your computer all the time (or stick them on a keyring if you carry keys). Hardware keys are much more seamless to use (no more typing digits or pulling out your phone) while providing greater security. To log in to a website, you submit your password, tap the key, and you're in. No copying codes or responding to push notifications. (You can even use your phone as a hardware key in some cases, just by bringing it close to your computer.)
You may be wondering how this is more secure than the previous options, and that's because the key now knows which website it's being asked to log you in to. With the previous solutions, an attacker could send you a phishing link with a similar-looking domain and an identical-looking login page. Once you log in, they use those credentials to log in to the real website and trigger a push notification; you type the code into the attacker's site, they copy it into the real site, and they're in. With the hardware key, it can confirm that the domain name is correct automatically, totally eliminating an entire genre of phishing attack where you're fooled by a misleading URL.
And then we reach the final version: it turns out you don't even need a physically separate second factor -- what if the device you're using is the thing-you-have? I'm sure we've all thought it was kind of silly to receive a 2FA code on our phones to log into an app that's also on our phone. But in fact, our phones and computers can have a virtual version of the physical key inside them, and then the second factor is nearly invisible. This is the ultimate goal: MFA without the user seeing the second factor at all.
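The origin binding that paragraph describes, as an added Python model (not the post's code and not a real FIDO/WebAuthn implementation): the browser, not the web page, tells the key which origin is asking, and the key only holds a credential for the origin it was registered on. The per-site HMAC secret is a constructed stand-in for the per-site keypair a real key uses.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional


class ToyAuthenticator:
    """Model of a hardware key: one credential per site, created at
    registration. HMAC with a per-site secret stands in for the per-site
    asymmetric keypair a real key would hold (constructed simplification)."""

    def __init__(self) -> None:
        self._credentials: Dict[str, bytes] = {}

    def register(self, rp_id: str) -> bytes:
        secret = os.urandom(32)
        self._credentials[rp_id] = secret
        return secret  # what the site stores to verify future logins

    def sign_login(self, browser_origin: str, challenge: bytes) -> Optional[bytes]:
        """`browser_origin` comes from the URL bar; the page's own script
        cannot override it. No credential for that origin means no answer,
        however convincing the page looked."""
        secret = self._credentials.get(browser_origin)
        if secret is None:
            return None
        signed = challenge + hashlib.sha256(browser_origin.encode()).digest()
        return hmac.new(secret, signed, hashlib.sha256).digest()


def site_verify(rp_id: str, stored: bytes, challenge: bytes,
                assertion: Optional[bytes]) -> bool:
    """Relying party recomputes over its own rp_id and the challenge it issued."""
    if assertion is None:
        return False
    msg = challenge + hashlib.sha256(rp_id.encode()).digest()
    expected = hmac.new(stored, msg, hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion)


def relay_is_blocked(real_site: str, lookalike: str) -> bool:
    """The post's scenario: a lookalike page forwards the real site's challenge
    to the victim and tries to relay the key's answer. Returns True when the
    relayed login fails while the honest login on the real site still succeeds."""
    key = ToyAuthenticator()
    stored = key.register(real_site)
    challenge = os.urandom(32)                        # issued by the real site
    relayed = key.sign_login(lookalike, challenge)    # victim on the fake page
    honest = key.sign_login(real_site, challenge)     # victim on the real page
    return (not site_verify(real_site, stored, challenge, relayed)
            and site_verify(real_site, stored, challenge, honest))
```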
Once we have that, what are we even using the password for? Well, we do kind of need it for adding new devices and as a backup for broken / lost devices, but for the most part we've done away with it! This is the best of the accessibility world and the security world, and this is the future we're hoping to build.
Anyways, hopefully I've been able to show that security and accessibility can and should actually go hand in hand. As the tumblr adage goes, why pit two bad bitches against each other?
resharing this oldie because i just got a new laptop and the number of times i am being required to log in to things, log in to a DIFFERENT app/program/password manager/authenticator, provide a number, and then log in again is making me fucking INSANE
So this isn't exactly new, but yes, it's horrifying, and also it's actually much worse. Have a phone with bluetooth turned on? That means it will periodically scan for bluetooth accessories that it knows. But to do that, it has to send out a signal (containing your phone's name, among other metadata) that all bluetooth devices in range will receive, regardless of whether your phone knows them or not. This is how bluetooth device "discovery" works.
So, all that you'd have to do to turn this into something invasive is program a bluetooth device to keep a list of phones that it's seen and when it saw them. This can be used to figure out who's been in a location at a given time, or even pinpoint locations more precisely if you use multiple bluetooth devices.
Anyways, turn off bluetooth, use wires, I like wires om nom nom I'm eating wires ok goodbye.
Scientists turn WiFi routers into ‘cameras’ that can see people through walls
With the help of AI, the researchers were able to detect the movement of human bodies in a room using Wi-Fi routers -- even through walls.
Researchers at Carnegie Mellon University have repurposed a common piece of tech present in virtually every household to function as a tracking technology. By utilizing WiFi routers, they have developed a method for detecting the three-dimensional shape and movements of human bodies in a room, without the use of cameras or expensive LiDAR hardware.