Added a bunch of fixes that only make sense if you're me, and some actual pages

main
silverwizard 4 weeks ago
parent ac72587fcd
commit 39f8578c9a
  1. local.env (4 changed lines)
  2. mark.sh (8 changed lines)
  3. rss.sh (17 changed lines)
  4. src/MFAIsntMoving.md (15 changed lines)
  5. src/SnakeOilsCost.md (5 changed lines)
  6. src/test2.md (2 changed lines)
  7. static.sh (2 changed lines)
  8. templates/footer.html (8 changed lines)
  9. templates/footer.sh (12 changed lines)
  10. templates/header.sh (0 changed lines)

@ -5,5 +5,7 @@ TEMPLATES="$BASEDIR/templates"
DEST="$BASEDIR/dest"
TITLE="Am I A Hacker? I've No Idea"
LINK="http://localhost"
DESC="A hacker trying to survive the software crisis"
export BASEDIR SRC STATIC TEMPLATES DEST TITLE
export BASEDIR SRC STATIC TEMPLATES DEST TITLE LINK DESC
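Review bot: LINK is committed as http://localhost, so the channel link and every per-post link that rss.sh builds from it will point at localhost unless the value is overridden per environment; keep the real site URL here and override locally rather than shipping the placeholder. Also, TITLE, LINK and DESC are now interpolated verbatim into XML (rss.sh) and HTML (footer.sh), so a value containing `&` or `<` breaks the output; either keep these values free of markup metacharacters or escape them where they are used.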

@ -1,12 +1,12 @@
IFS='
'
sh templates/header.html > dest/index.html
sh templates/header.sh> dest/index.html
for file in `find src -type f -name "*.md"`
do
src=$file
dest=`echo $file |sed -e 's/^src/dest/' -e 's/md$/html/'`
echo "SRC: $src DEST: $dest"
sh templates/header.html > $dest
sh templates/header.sh > $dest
cat templates/cardbegin.html >> $dest
markdown_py $src >> $dest
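Review bot: `sh templates/header.sh> dest/index.html` is missing the space before `>`; it runs, but it is inconsistent with the same call a few lines down (`sh templates/header.sh > $dest`). `$dest` is also unquoted in every redirection; `> "$dest"` costs nothing and keeps a source filename containing a space or glob character from splitting the command.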
@ -18,6 +18,6 @@ do
sh templates/date.sh $src >> dest/index.html
cat templates/cardend.html >> dest/index.html
cat templates/footer.html >> $dest
sh templates/footer.sh >> $dest
done
cat templates/footer.html >> dest/index.html
sh templates/footer.sh >> dest/index.html
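Review bot: footer.sh expands `$DESC`, but in the lines shown mark.sh never sources local.env, so running `sh mark.sh` on its own renders an empty "Who Am I" paragraph and only works when the caller already has DESC exported. Add `. ./local.env` at the top of mark.sh, as rss.sh does, so the script does not depend on its caller's environment.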

@ -1,11 +1,20 @@
IFS='
'
. ./local.env
echo '<rss version="2.0">' > $DEST/rss.xml
printf "\t<channel>\n" > $DEST/rss.xml
printf "\t\t<title>$TITLE</title>\n" > $DEST/rss.xml
echo '<rss version="2.0">\n' > $DEST/rss.xml
printf "\t<channel>\n" >> $DEST/rss.xml
printf "\t\t<title>$TITLE</title>\n" >> $DEST/rss.xml
printf "\t\t<link>$LINK</link>\n" >> $DEST/rss.xml
printf "\t\t<description>$DESC</description>\n" >> $DEST/rss.xml
printf "\t\t<language>en-ca</language>\n" >> $DEST/rss.xml
printf "\t</channel>\n" >> $DEST/rss.xml
for file in `find $SRC -type f -name "*.md"`
do
stat -f %Sm $file >> $DEST/rss.xml
printf "\t<item>\n" >> $DEST/rss.xml
printf "\t\t<pubDate>`stat -f %Sm $file`</pubDate>\n" >> $DEST/rss.xml
printf "\t\t<title>`basename $file|sed s/.md//`</title>\n" >> $DEST/rss.xml
printf "\t\t<link>$LINK/`basename $file|sed s/.md/.html/`</link>\n" >> $DEST/rss.xml
printf "\t\t<description>`cat $file`</description>" >> $DEST/rss.xml
printf "\t</item>\n" >> $DEST/rss.xml
done
echo "</rss>" >> $DEST/rss.xml
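Review bot: `printf "\t</channel>\n"` runs before the loop, so every `<item>` lands outside the channel element and the file is not valid RSS 2.0 (items must be children of `<channel>`); move that line to after `done`, just before `echo "</rss>"`. Three smaller points in the same hunk: `echo '<rss version="2.0">\n'` prints a literal backslash-n under bash's builtin echo (dash interprets it), so use printf for that line like the others; `stat -f %Sm` is BSD/macOS-only and emits the default date format rather than the RFC 822 date that pubDate requires (BSD stat's `-t '%a, %d %b %Y %T %z'` gives the right shape); and `<description>` receives the raw markdown from `cat $file` unescaped, so any `&` or `<` in a post breaks the XML and the body should be escaped or wrapped in CDATA. `sed s/.md//` also matches any character before `md`; `s/\.md$//` is what is meant.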

@ -0,0 +1,15 @@
# [MFA Isn't Moving](MFAIsntMoving.html)
Clickbait Title: Stop trying to make MFA happen, it's not going to happen
Authentication sucks. And computers suck at authentication. Shadow identities and conceptual identities are complicated. You can't put a person into a computer so identification of a person ends up being by proxy. We have a pretty standard set of proxies - a random number you can remember, a random number on a USB device or phone, and a random number made out of a scan of part of our body. We call these Something You Know, Something You Have, and Something You Are, because it's less depressing this way. We also use exceedingly larger amounts of math to make these numbers harder to guess, and harder to take out of their contexts. These values also get slippery - is your SSH key something you *have* or something you *know*? What about a password that's equivalently long and you store in a file on your computer? Despite their edge cases, it's pretty easy to distinct most of these however, so I wont get too caught up in the weeds.
The important thing is that there's a lot of hatred of Something You Know credentials of late. This generally comes down to someone saying Passwords Are Dead or Passwords Should Die. This generally ends with a call for replacing them with Passkeys, in effect, replacing Something You Know with Something You Have. This almost entirely is justified with chain of custody around credentials. If people don't have passwords, they can't make weak passwords, they can't share passwords, and they can't write them down. This basically comes down to Something You Know being limited by the ease of sharing knowledge, and the limitations of forgetfulness. People make bad passwords. This is a true statement I don't want to argue against.
Despite this, Something You Have has its own set of issues. If there's a shared build user, or an email address that manages support cases, or a user who manages network services, then you already don't have a 1:1 mapping between users and identities. As a sysadmin I might need to be several different identities - some of which do not represent me, but instead represent systems, people, and projects, and what I would rather do is to have access to admin rights and the tools to make the changes to other users without changing my assumed identity, but that's very rarely an option. If my build pipeline can only be invoked by the build user, and I need to become the build user to make that pipeline starts at a weird time. This means that I need credentials for that user.
These alternate credentials are often managed by the idea of chain of custody. If you know what SSH key logged into the build user, you can map that to identities. But what if the system doesn't offer this. AWS only allows one root user, only allows one MFA token on that user. Now you need to manage that MFA credential. If you are in a situation with an AWS root user, then you need to have an MFA token, and pass it between people, having a specific yubikey that changes hands when people go on vacation, or when their shift as root ends. Lots of places I've seen refuse to put MFA on their AWS root account (this is not the place I work, but I've heard of the pattern). Similarily, I have BitBucket pipelines that need to pull repos, manipulate them, and then push them (the main things they're doing is changing versions), and I can't create tokens for that user without logging into it. This means I need to login to the build user sometimes, meaning that credentials need to exist for it, and I and others need them. Shared credentials are bad - but systems don't always give you a choice.
Now, someone I envison could argue that "bad systems wont integrate passkeys" isn't important. Trying to improve the bad systems isn't important, we should improve the good systems. I don't agree. Security is only as strong as its weakest piece, so I think we should look at how we can reform passwords, improve passwords, and build a future where we accept these these things are needed. Something we can easily share, rotate, and move between peoples. We need to keep our authentications able to be fluid around identities, and accept this as a valid way of managing authentication.
This isn't my last statement on this, this is just a first item.
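Review bot: the sentence "If my build pipeline can only be invoked by the build user, and I need to become the build user to make that pipeline starts at a weird time." is missing its main clause and should be finished before the page goes live. Typos to fix in the same file: "wont" (won't, twice), "distinct" (distinguish), "envison" (envision), "Similarily" (Similarly), "these these", and "between peoples" (people). The claim that AWS "only allows one MFA token on that user" is worth re-checking: AWS has allowed multiple MFA devices on the root user and IAM users since late 2022, so the yubikey hand-off example may need qualifying, although the shared-root-credential problem the paragraph is about still stands.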

@ -0,0 +1,5 @@
# [The Cost of Snakeoil](SnakeOilsCost.html)
Snake Oil is a major issue in the security community. This is a major thing in all of the economy right now. A lot of it comes down to the promise that it will be cheaper to Buy and not Build. The core idea that the largest expense a company can have is people, and so, let's have someone else pay the people and get the benefits!
Now, I don't know how that works out in every case. I think the cloud is mostly a method to create vendor dependency and raise the cost of compute as high as it will go, so I don't think it's going well generally. However, I think security is very complicated
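Review bot: the file ends mid-sentence ("However, I think security is very complicated"), and because mark.sh and rss.sh pick up every `*.md` under src/, this unfinished draft is rendered to a page and pushed into the feed the next time static.sh runs. Keep drafts out of src/ (or have the scripts skip a drafts/ directory) until the post is done.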

@ -1,2 +0,0 @@
# This is
also a test

@ -3,4 +3,4 @@
cd $BASEDIR
sh mark.sh
cp static/* dest/
cp dest/* $DEST
sh rss.sh
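Review bot: with local.env setting `DEST="$BASEDIR/dest"`, `cp dest/* $DEST` copies the output directory onto itself and cp will report that source and target are the same file; whichever side of this hunk that line is on, it should not survive unless DEST is meant to be a separate deploy target. In the lines shown the script also does not source local.env itself, and `$BASEDIR` and `$DEST` are unquoted.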

@ -1,8 +0,0 @@
</div>
<div class="rightcolumn">
<div class="card">
<h2>Who Am I</h2>
<p>I'm a hacker who is trying to survive the Software Crisis</p>
</div>
</div>
</html>

@ -0,0 +1,12 @@
echo '</div>'
echo '<div class="rightcolumn">'
echo ' <div class="card">'
echo ' <h2>Who Am I</h2>'
echo " <p>$DESC</p>"
echo ' </div>'
echo ' <div class="card">'
echo ' <h2>Subscribe To The Feed!</h2>'
echo ' <a href=/rss.xml>Subscribe!</a>'
echo ' </div>'
echo '</div>'
echo '</html>'
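Review bot: `$DESC` is echoed straight into the HTML without escaping, so the same metacharacter caveat as for rss.sh applies here. Twelve `echo` lines for a mostly static fragment would read better as a single heredoc (`cat <<EOF ... EOF`), which still expands `$DESC` and keeps the template looking like the footer.html it replaces; and `href=/rss.xml` should be quoted (`href="/rss.xml"`) to match the attribute quoting used elsewhere.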