Wrote this little snippet which might be helpful to fellow Ruby developers setting up their test suite.
https://dev.to/beatmadsen/process-based-parallel-execution-of-plain-minitest-tests-p4a
GitHub: @beatmadsen
Where did it all go wrong in my software project?
Perhaps churn_vs_complexity 1.4.0 can be of help with the new --timetravel mode.
https://rubygems.org/gems/churn_vs_complexity/versions/1.4.0
Now you can analyse your javascript and typescript repositories with churn_vs_complexity version 1.3.0 that integrates with eslint for complexity analysis in those languages.
https://rubygems.org/gems/churn_vs_complexity/versions/1.3.0
I just published version 1.2.0 of churn_vs_complexity (https://rubygems.org/gems/churn_vs_complexity).
It now supports short-hand flags for relative periods like "a month ago" (-m) and a nice summary function to give you aggregate datapoints to measure your codebase's health over time, which you could easily integrate into your CI.
It still includes the nice churn vs complexity graph output, now with revised logic for which observations are included and an improved calculation of churn.
MASTODON TIP OF THE DAY: If you, like me, are getting spammed on Mastodon with crypto offers, here's how to put a stop to that: on the web interface to Mastodon, click on the gear to go into your settings, then select Notifications, then check the box next to "Block direct messages from people you don't follow" under OTHER NOTIFICATIONS SETTINGS.
(Hat tip to Jerry Bell for this; more information on this problem can be found in this post by him: https://infosec.exchange/@jerry/110384254052694131)
As many of you know, there's been a few focused attempts at spamming the fediverse with crypto offers. The way this is currently happening is that someone is registering hundreds or thousands of accounts on an instance (first it was mastodon.social, and most recently mastodon.world) and then proceeding to post messages with links to get your free crypto. These messages are sent using the "mentioned people only" visibility setting, meaning that if you're not tagged in them, you don't know that this issue is happening. It's unclear how spam victims are selected, however it's very likely collecting user names recently appearing in timelines.

Obviously, just like with spam and malicious emails, if you receive one of these messages, you should not click on links - at best it's a scam, and at worst, it's something that will attempt to steal passwords or install malware - usually for the purpose of stealing your identity, your money, and so on. If you receive such a message, simply use the reporting function on your instance to report the spam to your moderators and the moderators of the originating instance.

For this particular tactic, it is prudent to consider disabling direct messages from people you don't follow. To do that, go to settings, preferences, notifications, and check the box next to "Block direct messages from people you don't follow" at the bottom of the screen. It's also possible to block the domain of the spammers, however it's important to note that doing so will remove all your followers and follows on that domain.
I built this little tool because I needed something like it. Sharing it with you in case it might be useful to you as well.
Just released version 1.0.0 of fiber-collector, a ruby version of Promise.all
https://rubygems.org/gems/fiber-collector
Let me know what you think
Many of you have been asking for my thoughts on the #LastPass breach, and I apologize that I'm a couple days late delivering.
Apart from all of the other commentary out there, here's what you need to know from a #password cracker's perspective!
Your vault is encrypted with #AES256 using a key that is derived from your master password, which is hashed using a minimum of 100,100 rounds of PBKDF2-HMAC-SHA256 (can be configured to use more rounds, but most people don't). #PBKDF2 is the minimum acceptable standard in key derivation functions (KDFs); it is compute-hard only and fits entirely within registers, so it is highly amenable to acceleration. However, it is the only #KDF that is FIPS/NIST approved, so it's the best (or only) KDF available to many applications. So while there are LOTS of things wrong with LastPass, key derivation isn't necessarily one of them.
Using #Hashcat with the top-of-the-line RTX 4090, you can crack PBKDF2-HMAC-SHA256 with 100,100 rounds at about 88 KH/s. At this speed an attacker could test ~7.6 billion passwords per day, which may sound like a lot, but it really isn't. By comparison, the same GPU can test Windows NT hashes at a rate of 288.5 GH/s, or ~25 quadrillion passwords per day. So while LastPass's hashing is nearly two orders of magnitude faster than the < 10 KH/s that I recommend, it's still more than 3 million times slower than cracking Windows/Active Directory passwords. In practice, it would take you about 3.25 hours to run through rockyou.txt + best64.rule, and a little under two months to exhaust rockyou.txt + rockyou-30000.rule.
Keep in mind these are the speeds for cracking a single vault; for an attacker to achieve this speed, they would have to single out your vault and dedicate their resources to cracking only your vault. If they're trying 1,000 vaults simultaneously, the speed would drop to just 88 H/s. With 1 million vaults, the speed drops to an abysmal 0.088 H/s, or 11.4 seconds to test just one password. Practically speaking, what this means is the attackers will target four groups of users:
1. users for which they have previously-compromised passwords (password reuse, credential stuffing)
2. users with laughably weak master passwords (think top20k)
3. users they can phish
4. high value targets (celebs, .gov, .mil, fortune 100)
If you are not in this list / you don't get phished, then it is highly unlikely your vault will be targeted. And due to the fairly expensive KDF, even passwords of moderate complexity should be safe.
I've seen several people recommend changing your master password as a mitigation for this breach. While changing your master password will help mitigate future breaches should you continue to use LastPass (you shouldn't), it does literally nothing to mitigate this current breach. The attacker has your vault, which was encrypted using a key derived from your master password. That's done, that's in the past. Changing your password will re-encrypt your vault with the new password, but of course it won't re-encrypt the copy of the vault the attacker has with your new password. That would be impossible unless you somehow had access to the attacker's copy of the vault, which if you do, please let me know?
A proper mitigation would be to migrate to #Bitwarden or #1Password, change the passwords for each of your accounts as you migrate over, and also review the MFA status of each of your accounts as well. The perfect way to spend your holiday vacation! Start the new year fresh with proper password hygiene.
For more password insights like this, give me a follow!
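The cost reasoning in the post above (per-vault guessing rate, how it collapses when an attacker spreads a GPU over many salted vaults, and how many rounds it takes to reach the recommended speed) worked through as an added Python example. This is not code from the post's author, LastPass or Hashcat; it takes the figures the post quotes as inputs, derives a key with the standard-library PBKDF2-HMAC-SHA256 to show what the vault key derivation looks like, and assumes the wordlist/rule counts and the linear rounds-to-rate scaling noted in the comments.

```python
import hashlib
import math
import os

# Figures quoted in the post: one RTX 4090 running PBKDF2-HMAC-SHA256
# at LastPass's default of 100,100 rounds tests about 88 KH/s.
LASTPASS_ROUNDS = 100_100
RTX4090_RATE_HPS = 88_000        # hashes (password guesses) per second, single vault
RECOMMENDED_MAX_HPS = 10_000     # the post's "< 10 KH/s" target
SECONDS_PER_DAY = 86_400

# Assumed candidate-space sizes (approximate, not from the post):
ROCKYOU_WORDS = 14_344_392       # lines in rockyou.txt
BEST64_RULES = 77                # rules in hashcat's best64.rule
ROCKYOU_30000_RULES = 30_000     # rules in rockyou-30000.rule


def derive_vault_key(master_password: str, salt: bytes, rounds: int = LASTPASS_ROUNDS) -> bytes:
    """Derive a 256-bit key from a master password the way the post describes:
    PBKDF2-HMAC-SHA256 with `rounds` iterations. The salt handling is an
    assumption; LastPass's exact scheme is not described on the page."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, rounds, dklen=32)


def guesses_per_second(vaults: int, rate_hps: float = RTX4090_RATE_HPS) -> float:
    """Per-vault guessing rate when one GPU budget is shared across `vaults`
    distinct vaults. Each vault has its own salt, so a guess against one vault
    does no work for any other, and the rate divides linearly."""
    if vaults < 1:
        raise ValueError("need at least one vault")
    return rate_hps / vaults


def seconds_per_guess(vaults: int, rate_hps: float = RTX4090_RATE_HPS) -> float:
    """Wall-clock time to test a single password against each of `vaults` vaults."""
    return 1.0 / guesses_per_second(vaults, rate_hps)


def guesses_per_day(vaults: int = 1, rate_hps: float = RTX4090_RATE_HPS) -> int:
    """Passwords an attacker can test per vault per day (the post's ~7.6 billion for one vault)."""
    return int(guesses_per_second(vaults, rate_hps) * SECONDS_PER_DAY)


def hours_to_exhaust(candidates: int, vaults: int = 1, rate_hps: float = RTX4090_RATE_HPS) -> float:
    """Hours to run a candidate space (wordlist x rules) against each of `vaults` vaults."""
    return candidates / guesses_per_second(vaults, rate_hps) / 3600.0


def rate_at_rounds(rounds: int, base_rounds: int = LASTPASS_ROUNDS,
                   base_rate_hps: float = RTX4090_RATE_HPS) -> float:
    """Estimated guessing rate at a different iteration count. Assumes cost is
    linear in rounds (PBKDF2 is a fixed loop of HMAC calls), which is a close
    approximation but ignores per-guess overhead."""
    return base_rate_hps * base_rounds / rounds


def rounds_for_target_rate(target_hps: float = RECOMMENDED_MAX_HPS,
                           base_rounds: int = LASTPASS_ROUNDS,
                           base_rate_hps: float = RTX4090_RATE_HPS) -> int:
    """Iteration count needed to push the attacker's rate down to `target_hps`
    on the same hardware, under the same linear-scaling assumption."""
    return math.ceil(base_rounds * base_rate_hps / target_hps)


if __name__ == "__main__":
    key = derive_vault_key("correct horse battery staple", os.urandom(16))
    print(f"derived {len(key) * 8}-bit vault key at {LASTPASS_ROUNDS:,} rounds")
    print(f"single vault: {guesses_per_day():,} guesses/day")
    for n in (1, 1_000, 1_000_000):
        print(f"{n:>9,} vaults: {guesses_per_second(n):>10.3f} H/s per vault, "
              f"{seconds_per_guess(n):.1f} s per guess")
    print(f"rockyou + best64 (single vault): {hours_to_exhaust(ROCKYOU_WORDS * BEST64_RULES):.1f} h")
    print(f"rockyou + rockyou-30000 (single vault): "
          f"{hours_to_exhaust(ROCKYOU_WORDS * ROCKYOU_30000_RULES) / 24:.0f} days")
    print(f"rounds needed to reach {RECOMMENDED_MAX_HPS:,} H/s on this GPU: "
          f"{rounds_for_target_rate():,}")
```

The useful defender-side number is the last one: on the post's figures, getting a single RTX 4090 below the author's 10 KH/s target means roughly nine times LastPass's default iteration count, which is why the post treats the round count as configurable but rarely raised, and why master-password strength carries the remaining margin.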