I was going to make a suggestion about PGP or GPG or whatever, but those tools are so bad you can't expect software engineers to know how to use them... (not sarcasm)
Snark aside. What I mean here is that GPG is difficult to use and I would guess 90% of programmers don't know how to use it.
It's really not so bad. You use --genkey to generate a key, --import to import a key, --encrypt and --decrypt do what they say on the tin, --sign to sign messages, --recv-key can download a key from a keyserver and --verify to verify signatures. That's pretty much 99% of what I do with gpg! It behaves like a standard command line utility and can read from stdin and output to stdout if you need it to.
I hear that gpg is very difficult to use quite a lot but I have not had that experience at all. The flags are pretty self explanatory and the magpage(s) are very detailed!
There are also decent GUI interfaces that are extremely simple to operate! I would recommend "kleopatra" for most people! Emacs also works if you are into that!
I'm not sure if you are asking how to export your public key or how to distribute it, so I guess I can mention both.
You can export your public key using the --export flag, by default it exports all public keys in the keyring, so you can pass a keyid to only export a specific key. If you need the exported key to be in text form (not just a binary file) you can pass the --armor flag as well. The --armor flag encodes the binary data with base64 or something which allows you to operate on it like you would any other text (copy/paste, send over email, etc).
As for distributing the key, it depends! Lots of people put their public key on their GitHub profile or somewhere on their website (if they have a website). Since we are on HN you could put it in the "about" field on your HN profile. If none of these work you can send it over telegram, signal or whatever your favorite messaging method is.
For most people and situations the TOFU (trust of first use) method of distribution works fine. If you have stronger security requirements or are more paranoid you can establish a more secure channel or try to meet with the other parties in person.
GPG works fine for me too, and is fairly straightforward (except for email encryption, since my recipients often don’t want encryption, and there is also lack of good email clients supporting encryption).
It depends on your company’s retention policy for historical messages. Otherwise, you’re basically signed in as that user, so you can see whatever they see… which can be a lot depending on the company’s transparency.
I’m aware of many companies who have moved to a 90 day message retention policy in Slack. I thought it was a cost saving measure. But I’m beginning to see the wisdom in it.
It’s a deep hole for a company to dig itself out of, not to mention changing the habits of people to explicitly document things elsewhere.
It would be neat if Slack reported stats on searches so that, for example, a company could better understand what key conversations should be moved into proper documents…but this is likely against Slack’s interests.
Sorry to be Captain Obvious but the solution for that is to update the official, permanently stored reference docs when a question is asked on slack, not keep the only source of tribal knowledge on a ephemeral chat app.
IMO Slack and chat apps are way overused in development teams. They’re there for questions like “when are we meeting for that team event tonight?” And “Hey, can you review this code before I submit?” And NOT “Can you describe, in massive detail, all the arguments that get passed to our FooBar function?”
In a previous project I worked on, we used to nickname the passwords used throughout the system. The password re-use was virtually non-existent, but sometimes we forgot which system required which one (we were installing and erasing a lot of servers for testing stuff).
So, someone would ask a password to a system, we'd answer "ridiculously long one", or "the one X came up with", "variation 5".
When one of the security guys overheard what we did, and asked the details, we told what we do. The answer was "oh, that's neat!, go on".
Long living passwords shared via paper, and lived on people (like on their wallet, and never laid in the open), the other short lived ones are just remembered, but not mentally tied to anywhere.
It was a fast-paced project, so the project dynamics made the method work. If the systems and passwords were more stable, it might not have worked this well.
I'm a contract worker and often times a company first onboards me to slack, then sends me a bunch of login information in plain text after opening an internal ticket to add me to various systems.
My current company has an internal ‘secret sharing’ tool kind of like Pastebin (but encrypted, one time open links, etc) for one off sharing of things like that. For all other creds we use Vault heavily.
PII, passwords, things like that are NEVER to go over Teams or email.
If these are temp passwords that get changed on first login and expire maybe it's not so bad. If it is a normal password though yes that is pretty bad.
Fortunately, AWS from my example makes you set a new one after this. I'm sure there are other company-administered services with similar dynamics where the pwd change isn't required or the admin won't check that box because try are bad at their job
Even Windows has this, but there are a bunch of corner cases where it doesn't work.
The integrated RADIUS server can be configured to allow passwords that need changing (so that you can actually connect to AD and change it if you're away). But many other services, like AD-backed VPNs and such, will choke on a password that must be changed.
Start by not having a password manager that is universally adopted across the corporation.
Then maybe you've got a planned change that requires a manual operation on the production database, and you don't have the password already because it's rotated daily.
Maybe you need the agent license key for the monitoring system, so you can add it to the secrets file for the new host you're setting up.
Maybe someone created a new service and, and asked you to generate a new oauth2 client secret for it, and you need to send it to them.
Maybe it's corporate policy that every laptop must have an encrypted disk, and you've mailed a new remote worker a laptop and now need to send them the disk password by a different channel.
Maybe you occasionally need to work with some decrepit system that doesn't support single-sign-on - like a server's IPMI or some obscure bit of network equipment.
Of course there are better options than slack (which doesn't even have an off-the-record mode) but if slack is what everyone uses? Well....
Once a message is deleted there is no way to recover it, to my knowledge. But message retention in Slack is infinite. Further, sessions are infinite, at least last I set it up.
I think we set something like 1 year of retention for "public" channels, 9 months for private, and then certain channels can lower it beyond that. Same for files. And we have our tokens expire once a month.
The issue (I believe according to the author) is that Cloudflare is now choosing to withhold protection for Kiwi Farms, taking a moral stance and should be more responsible for other moral obligations or none at all. IE. Should they stop providing protection for more sites? When is the next Kiwi Farms?
I don't agree with the author because it is still early (and the author might be putting Cloudflare under pressure for some personal gain in some rhetoric), but these questions are interesting and is part of the cancel culture we are seeing more of.
As they mentioned in their article on Wednesday, cutting service to site A means that they're going to get a lot of angry people and/or governments wondering why they could dare to provide service for the equally vile (in their eyes) sites B, C, and D. They've just exacerbated this situation.
The problem is that demand for Cloudflare services is furthered by allowing illegal booters. If thoes sites were not protected by Cloudflare, they would attack each other offline. That would be the death-nail for most DDOS-for-Hire operations and the few remaining would raise prices, making it nearly impossible for a single person to boot other offline.
By allowing the attackers to use their services, while deciding other websites are not allowed to. Cloudflare is removing others freedom of speech.
This is sick. What does anyone learn doing by working like this? Is anyone gaining experience from this? It just feels like people are ground down so they can't physically work anymore.
The people running the show see no benefit from their team members "learning" or "gaining experience". If they ship the game and are so ground down they're burned out and ineffective, that's a problem for the next guy; the manager who got the game shipped by burning out the team got a huge bonus and has leveraged it into a shiny position somewhere else by the time any of the consequences rear their heads. IME this type of short-term thinking inevitably infects most companies, unless there is a very strong culture to combat it.
There's so much hype and expectation compared other software that it hits harder when bad software design appears in gaming. Bad software/project design still exists for regular software but users are more understandable when deadlines change.
I see this comment and others like it. It's important to also know where the mindshare is. Where are most average individuals spending most of their internet hours? It is likely not niche-blog.com. TikTok is quickly becoming "the internet" for all intenents and purposes for some people. It's also how some folks get their news, etc.
You don't even have to go that far to shoot down GP's argument. The blogs can be censored just like TikTok, as long as ISPs are incorporated in local states. Whether censorship happens by telling TikTok the rules, or telling the ISPs the rules seems inconsequential to the democritized availability of information.
Starlink et al. have a unique possibility of being state-agnostic and even leave citizens room for plausible deniability. (The next problem is how Starlink is payed in a way that states can't block, but it seems people are working on that...)
Wouldn’t Starlink just be beholden to the US government and it’s laws ?
As I see it no corporation can be state agnostic unless you want a corporation more powerful then states themselves and you don’t want that either because a corporation is not beholden to the people.
The bigger issue is that you may own your blog content, but if your blog is publishing undesirable opinions, it'll be difficult to find a host even in democracies with freedom of press.
In other words, you may have a legal freedom to express your opinions but nobody is forced to give you the platform to do so. It can become arbitrarily difficult to actually disseminate your opinions at the extreme. E.g. I may vehemently disagree with Trump's opinions, but I have to admit that I feel deeply uncomfortable with private entities controlling whether he gets heard or not.
At the same time, I don't have a good solution if I'm fully honest. Private entities absolutely should have the freedom to determine what they want published on their platforms. Maybe we need (as a society) realize that the social media has become a de-facto utility that needs to be provided as such, regulated as such and taken away from the hands of private entities?
> You can still write anything in a blog that you own and have people see it. To me that freedom is the "internet".
It's easy when you have a domain, server in your basement, a reasonable ISP. But as soon as you break the ToS with your provider or registrar getting the word out becomes practically impossible without resorting to IPFS or Onion or whatever in which case the content you own becomes a little ghetto that nobody reads.
Because blogs and websites aren't getting blocked in Russia or what? The only way content can be a little more resilient against blocking is P2P hosting. But even that can be made hard to access by blocking the on-ramp ( websites, app for the tools to get access to P2P ) or the protocol.
The crab is a boss of world 5. But Mouser is still in the game at the end of world 1. I remember the crab boss being easier compared to Mouser, and thinking they should be swapped.
The fact they stopped a NA release of the sequel because Howard Phillips review is amazing to me. Today we see still have games being released regardless if they should (Cyberpunk, Battlefield). Also it proves the importance of play testing to decide if the game is fun for the target demographic. I wonder if Miyamoto took this realization to heart and that is why we see his games so successful.
That’s easy to do when games are simple to make as they were back then.
Today? There’s too much at stake. $100 million dollar budgets, years of work, crushing deadlines, no way they would bring it all to a halt over one review. Besides, a lot of people will just buy whatever shit you put out as long as the hype is enough, and most games make most of their revenue in those early days after release.
And in the end, if you fuck up real bad, you can just release patches.
It's hard to even imagine this happening now, but it really does seem like it was a smart decision and Howard Phillips was completely correct (based on his gut reaction to playing the Japanese super mario bros 2) about what people did and didn't want, and it definitely does seem like the mario games went in the direction of not being so hard after that, although it's impossible to know if that was the specific reason.
Also, relating to difficult it's interesting that the original game that SMB2 in the U.S. was based on didn't have the B-run ability, and that change made the game substantially easier. Though in that case they may have decided they had to add it in order to be consistent to SMB1, and the decrease in difficulty was just an unintended side-effect. (Also, not having a save feature made the U.S. version a lot harder, so maybe that balances out with adding the run ability.)
This game came out not too long after the video game crash, which happened because the market was flooded by games that were just bad. Nintendo worked really hard to recreate consumer trust by making sure any released game was great.
