Laurent Bercot

@ska@treehouse.systems
644 Followers
41 Following
4.3K Posts

Grumpy Frenchman, C/Unix addict, author of s6 and other software at skarnet.org.

Good tech (so, probably not the tech you're thinking about), energy transition and climate change, leftist politics, psychology and self-improvement, pillow philosophy, songwriting and production, mechanisms of storytelling, video games as an art medium, shitposting.

Personal website: https://skarnet.org
Business website: https://skarnet.com
Twitter: https://twitter.com/laurentbercot
Github: https://github.com/skarnet
after 25 years of a career of trying and mostly failing to make the world a better place with software it is truly soul-wrenchingly exhausting to watch a substantial plurality of the entire software industry decide that actually, it is more lucrative and easier to make the world worse instead
Why is it ACAB and not "All of those that work forces are the same that burn crosses"?

Enshittification alert:

WhatsApp (owned by Meta) is reversing its no ads policy... over the next three months if you use WhatsApp you're going to be seeing adverts while you're chatting.

It may be a bit later than people expected, but given the Tech Bros' past record(s), surely we're not surprised.

#WhatsApp #SocialMedia @pluralistic

h/t FT

scammers preying on people's basic decency fucks me off no end.

I gave two of the "desperately need money for insulin" ones the benefit of the doubt a week back, despite being pretty sure they're bots, and lo and behold today I see another three accounts using the exact same images with slightly different pretexts and donation links.

scamming people out of donations while also eroding trust in people who really are desperate is the lowest of the low.

#VibeCoding your MFA

Hype cycles are not good and you should not contribute to them. They mis-allocate and squander, and cause long term bad decisions that ultimately hold back progress.

They kind of operate like an upward transform on the utility curve. In the positive utility but less than cost area, you get "but without the hype we wouldn't have X". In the negative utility area, you get straight up harms positioned as stepping stones to awesomeness.

https://github.com/ubuntu/authd/security/advisories/GHSA-g8qw-mgjx-rwjr

When a user who hasn't logged in to the system before (i.e. doesn't exist in the authd user database) logs in via SSH, the user is considered a member of the root group in the context of the SSH session. That leads to a local privilege escalation if the user should not have root privileges.

🚨 Meta announced today that it will introduce ads on WhatsApp, which will be based on personal data from Facebook and Instagram. This move further consolidates Meta's social networking monopoly. EU law was actually supposed to prevent this.

https://noyb.eu/en/whatsapp-getting-ads-using-personal-data-instagram-and-facebook

WhatsApp is getting ads using personal data from Instagram and Facebook

Meta is expanding its ads business on WhatsApp using your data from Instagram and Facebook

noyb.eu
@beyondmachines1 Talk about vibe coding the pipeline. 
@beyondmachines1 Please tell me this is just a joke form someone wrote and not a screenshot of a publicly facing service.
@makdaam It has to be a joke, but I've seen so many of these where whoever made it obviously hadn't stopped to think how their "clever" system would fare in the real world. This includes those "secret questions" that you can easily lift from the person's social media.
@apzpins @makdaam The solution to that is *don't use those things as your security questions* so you can joyfully play the game. It's really that easy. Signed: Piep Abbenes (my 1990s pornstar name)

@apzpins No, it doesn't have to be a joke. That's the worst part.

There's a guy who vibed out an online app with Cursor which had credential tokens in the client side javascript. He believes that was no biggie, and exposing his customer data is just part of the learning process.

He's releasing more webapps, same quality, now trying to add mobile ones. He's added a layer of "real browser detection" with Vercel on top to keep him safe.

@makdaam My own experience with such coders was when I was told to give a customer's web dev a virtual. It got owned in less than 12 hours, because he eventually figured out how to make MySQL listen to the public IP so he could use some kind of a graphical tool running on his own laptop to access it.

Felt like parents asking to give their kid a loaded shotgun and then be all surprised when the worst happened. But all in a day's work and so forth.

@makdaam @beyondmachines1 +1

I hope too this is just a poorly made demonstration thingy that explains how to integrate some actual #2FA!

Cuz to me that's #NegativeFactorAuthentification instead of #TwoFactorAuthentification!

https://infosec.exchange/@beyondmachines1/114692899794487589

BeyondMachines :verified: (@beyondmachines1@infosec.exchange)

Attached: 1 image #VibeCoding your MFA

Infosec Exchange

@makdaam @beyondmachines1 Did you hear what Grindr used to do with a password reset?

They returned it along with the API response that would tell you that "the URL has been sent to your email address"

https://www.troyhunt.com/hacking-grindr-accounts-with-copy-and-paste/

Hacking Grindr Accounts with Copy and Paste

Sexuality, relationships and online dating are all rather personal things. They're aspects of our lives that many people choose to keep private or at the very least, share only with people of our choosing. Grindr [https://www.grindr.com/] is "The World's Largest Social Networking App for Gay, Bi, Trans,

Troy Hunt
@alister @beyondmachines1 Auth recovery flows seem to be a common weak spot.
@alister @makdaam I've seen something similar in other places. Not intentional, just dev losing focus.
@beyondmachines1 chat is this real?
@kae_bytheocean no clue. But I'm thinking Debug = True
@beyondmachines1
Even then: When would the frontend ever get the code?
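As an added example (not code from anyone in this thread, and the names, phone numbers and `OtpService` are constructed), here is what a code-sending endpoint should hand back to the frontend, beside the debug-flag leak the replies suspect: the code goes only to the phone, the server keeps a hash, and the API response carries nothing but a masked destination.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_TTL_SECONDS = 300   # a challenge is valid for five minutes
MAX_ATTEMPTS = 5         # then the challenge is discarded


@dataclass
class Challenge:
    code_hash: bytes     # only a hash of the code is stored server-side
    expires_at: float
    attempts: int = 0


def mask_phone(phone: str) -> str:
    # Keep only the last four digits; that is all the frontend needs to display.
    digits = "".join(c for c in phone if c.isdigit())
    return "*" * (len(digits) - 4) + digits[-4:]


def hash_code(code: str) -> bytes:
    return hashlib.sha256(code.encode()).digest()


class OtpService:
    def __init__(self, send_sms, debug: bool = False):
        self._send_sms = send_sms        # the code leaves the server only via this channel
        self._challenges = {}
        self.debug = debug

    def _issue(self, user_id: str, phone: str) -> str:
        code = f"{secrets.randbelow(10**6):06d}"
        self._challenges[user_id] = Challenge(hash_code(code), time.time() + CODE_TTL_SECONDS)
        self._send_sms(phone, f"Your verification code is {code}")
        return code

    def start(self, user_id: str, phone: str) -> dict:
        # Hardened: the response never contains the code, whatever self.debug says.
        self._issue(user_id, phone)
        return {"status": "sent", "to": mask_phone(phone)}

    def leaky_start(self, user_id: str, phone: str) -> dict:
        # The anti-pattern under discussion: a debug switch that echoes the code
        # to the caller, so the "second factor" is readable from the HTTP response.
        code = self._issue(user_id, phone)
        resp = {"status": "sent", "to": mask_phone(phone)}
        if self.debug:
            resp["code"] = code
        return resp

    def verify(self, user_id: str, submitted: str) -> bool:
        ch = self._challenges.get(user_id)
        if ch is None or time.time() > ch.expires_at:
            self._challenges.pop(user_id, None)
            return False
        ch.attempts += 1
        if ch.attempts > MAX_ATTEMPTS:      # rate-limit guessing
            del self._challenges[user_id]
            return False
        ok = hmac.compare_digest(hash_code(submitted), ch.code_hash)
        if ok:
            del self._challenges[user_id]   # a code is single use
        return ok
```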
@kae_bytheocean
@oneiros @kae_bytheocean seemed like a great idea at development debug time 🤷
"x0cx0x" sure is an interesting way to censor the first six digits of a phone number
@dzamie not ai generated, just typical OCR errors (probably the OCR software included in mastodon)
@beyondmachines1 i took like a whole minute to understand this T~T
@beyondmachines1 I fear it's real, isn't it?
@beyondmachines1 What application is that, smh? I'm not sure the people know the purpose of sending a code to your phone XD
@beyondmachines1
Perhaps it is the number of an entirely different code. 
@ozzelot That is so evil
@beyondmachines1 The correct code has arrived at the phone and this is for internal use by people who have access to the DB and have no intention to bother with phones, I assume
@ozzelot that's what we call a back door. And having a back door is always a bad idea.
@beyondmachines1
Well, if it weren't for little old security through obscurity, it would be a front door!
@beyondmachines1 is this real?
@lunch I'm putting my money on Debug = True
@beyondmachines1 really streamlines the authentication process
@boscoandpeck we need HX, Hacker eXperience
@beyondmachines1 😂 I can see the job listing now for a full stack hx developer
@beyondmachines1 Your alt-text needs a little tweak, the 'xxx-xxx' looks a little messed up.
@beyondmachines1 Better UX, that.
@chief everyone is happy. Customers, hackers, everyone!

@beyondmachines1 About 15 years ago I had a bank account in Qatar. They had SMS authentication for transfers.

The form asked you for your Qatar Id - easy as it was displayed at the top of the webpage then invited you to put in a phone number for the SMS authentication message to be sent to. You could use any phone number - your own, the wife or even a co-worker. I tried!

@X31Andy I bet there are such implementations even now
@beyondmachines1 accessibility feature here I come
@beyondmachines1 Please don't ask me how long I had to stare at this before I realized what was wrong 🤦
@OpenComputeDesign like looking for my glasses while i'm wearing them 🤷‍♂️