From 39f8578c9ac4c1e6231e1f32852b9afd1f0fcfb4 Mon Sep 17 00:00:00 2001 From: silverwizard Date: Tue, 10 Dec 2024 23:10:46 -0500 Subject: [PATCH] Added a bunch of fixes that only make sense if you're me, and some actual pages --- local.env | 4 +++- mark.sh | 8 ++++---- rss.sh | 17 +++++++++++++---- src/MFAIsntMoving.md | 15 +++++++++++++++ src/SnakeOilsCost.md | 5 +++++ src/test2.md | 2 -- static.sh | 2 +- templates/footer.html | 8 -------- templates/footer.sh | 12 ++++++++++++ templates/{header.html => header.sh} | 0 10 files changed, 53 insertions(+), 20 deletions(-) create mode 100644 src/MFAIsntMoving.md create mode 100644 src/SnakeOilsCost.md delete mode 100644 src/test2.md delete mode 100644 templates/footer.html create mode 100644 templates/footer.sh rename templates/{header.html => header.sh} (100%) diff --git a/local.env b/local.env index 353a4a1..d6fb598 100644 --- a/local.env +++ b/local.env @@ -5,5 +5,7 @@ TEMPLATES="$BASEDIR/templates" DEST="$BASEDIR/dest" TITLE="Am I A Hacker? I've No Idea" +LINK="http://localhost" +DESC="A hacker trying to survive the software crisis" -export BASEDIR SRC STATIC TEMPLATES DEST TITLE +export BASEDIR SRC STATIC TEMPLATES DEST TITLE LINK DESC diff --git a/mark.sh b/mark.sh index 396a222..445142a 100755 --- a/mark.sh +++ b/mark.sh @@ -1,12 +1,12 @@ IFS=' ' -sh templates/header.html > dest/index.html +sh templates/header.sh> dest/index.html for file in `find src -type f -name "*.md"` do src=$file dest=`echo $file |sed -e 's/^src/dest/' -e 's/md$/html/'` echo "SRC: $src DEST: $dest" - sh templates/header.html > $dest + sh templates/header.sh > $dest cat templates/cardbegin.html >> $dest markdown_py $src >> $dest @@ -18,6 +18,6 @@ do sh templates/date.sh $src >> dest/index.html cat templates/cardend.html >> dest/index.html - cat templates/footer.html >> $dest + sh templates/footer.sh >> $dest done -cat templates/footer.html >> dest/index.html +sh templates/footer.sh >> dest/index.html 
diff --git a/rss.sh b/rss.sh index a4ff377..f543bc9 100755 --- a/rss.sh +++ b/rss.sh @@ -1,11 +1,20 @@ IFS=' ' . ./local.env -echo '' > $DEST/rss.xml -printf "\t\n" > $DEST/rss.xml -printf "\t\t$TITLE\n" > $DEST/rss.xml +echo '\n' > $DEST/rss.xml +printf "\t\n" >> $DEST/rss.xml +printf "\t\t$TITLE\n" >> $DEST/rss.xml +printf "\t\t$LINK\n" >> $DEST/rss.xml +printf "\t\t$DESC\n" >> $DEST/rss.xml +printf "\t\ten-ca\n" >> $DEST/rss.xml +printf "\t\n" >> $DEST/rss.xml for file in `find $SRC -type f -name "*.md"` do - stat -f %Sm $file >> $DEST/rss.xml + printf "\t\n" >> $DEST/rss.xml + printf "\t\t`stat -f %Sm $file`\n" >> $DEST/rss.xml + printf "\t\t`basename $file|sed s/.md//`\n" >> $DEST/rss.xml + printf "\t\t$LINK/`basename $file|sed s/.md/.html/`\n" >> $DEST/rss.xml + printf "\t\t`cat $file`" >> $DEST/rss.xml + printf "\t\n" >> $DEST/rss.xml done echo "" >> $DEST/rss.xml diff --git a/src/MFAIsntMoving.md b/src/MFAIsntMoving.md new file mode 100644 index 0000000..be38533 --- /dev/null +++ b/src/MFAIsntMoving.md 
@@ -0,0 +1,15 @@ +# [MFA Isn't Moving](MFAIsntMoving.html) + +Clickbait Title: Stop trying to make MFA happen, it's not going to happen + +Authentication sucks. And computers suck at authentication. Shadow identities and conceptual identities are complicated. You can't put a person into a computer so identification of a person ends up being by proxy. We have a pretty standard set of proxies - a random number you can remember, a random number on a USB device or phone, and a random number made out of a scan of part of our body. We call these Something You Know, Something You Have, and Something You Are, because it's less depressing this way. We also use exceedingly larger amounts of math to make these numbers harder to guess, and harder to take out of their contexts. These values also get slippery - is your SSH key something you *have* or something you *know*? What about a password that's equivalently long and you store in a file on your computer? Despite their edge cases, it's pretty easy to distinct most of these however, so I wont get too caught up in the weeds. + +The important thing is that there's a lot of hatred of Something You Know credentials of late. This generally comes down to someone saying Passwords Are Dead or Passwords Should Die. This generally ends with a call for replacing them with Passkeys, in effect, replacing Something You Know with Something You Have. This almost entirely is justified with chain of custody around credentials. If people don't have passwords, they can't make weak passwords, they can't share passwords, and they can't write them down. This basically comes down to Something You Know being limited by the ease of sharing knowledge, and the limitations of forgetfulness. People make bad passwords. This is a true statement I don't want to argue against. + +Despite this, Something You Have has its own set of issues. 
If there's a shared build user, or an email address that manages support cases, or a user who manages network services, then you already don't have a 1:1 mapping between users and identities. As a sysadmin I might need to be several different identities - some of which do not represent me, but instead represent systems, people, and projects, and what I would rather do is to have access to admin rights and the tools to make the changes to other users without changing my assumed identity, but that's very rarely an option. If my build pipeline can only be invoked by the build user, and I need to become the build user to make that pipeline starts at a weird time. This means that I need credentials for that user. + +These alternate credentials are often managed by the idea of chain of custody. If you know what SSH key logged into the build user, you can map that to identities. But what if the system doesn't offer this. AWS only allows one root user, only allows one MFA token on that user. Now you need to manage that MFA credential. If you are in a situation with an AWS root user, then you need to have an MFA token, and pass it between people, having a specific yubikey that changes hands when people go on vacation, or when their shift as root ends. Lots of places I've seen refuse to put MFA on their AWS root account (this is not the place I work, but I've heard of the pattern). Similarily, I have BitBucket pipelines that need to pull repos, manipulate them, and then push them (the main things they're doing is changing versions), and I can't create tokens for that user without logging into it. This means I need to login to the build user sometimes, meaning that credentials need to exist for it, and I and others need them. Shared credentials are bad - but systems don't always give you a choice. + +Now, someone I envison could argue that "bad systems wont integrate passkeys" isn't important. 
Trying to improve the bad systems isn't important, we should improve the good systems. I don't agree. Security is only as strong as its weakest piece, so I think we should look at how we can reform passwords, improve passwords, and build a future where we accept these these things are needed. Something we can easily share, rotate, and move between peoples. We need to keep our authentications able to be fluid around identities, and accept this as a valid way of managing authentication. + +This isn't my last statement on this, this is just a first item. diff --git a/src/SnakeOilsCost.md b/src/SnakeOilsCost.md new file mode 100644 index 0000000..1fc5385 --- /dev/null +++ b/src/SnakeOilsCost.md @@ -0,0 +1,5 @@ +# [The Cost of Snakeoil](SnakeOilsCost.html) + +Snake Oil is a major issue in the security community. This is a major thing in all of the economy right now. A lot of it comes down to the promise that it will be cheaper to Buy and not Build. The core idea that the largest expense a company can have is people, and so, let's have someone else pay the people and get the benefits! + +Now, I don't know how that works out in every case. I think the cloud is mostly a method to create vendor dependency and raise the cost of compute as high as it will go, so I don't think it's going well generally. However, I think security is very complicated diff --git a/src/test2.md b/src/test2.md deleted file mode 100644 index c83914f..0000000 --- a/src/test2.md +++ /dev/null @@ -1,2 +0,0 @@ -# This is -also a test diff --git a/static.sh b/static.sh index a3bf23d..9af5052 100755 --- a/static.sh +++ b/static.sh @@ -3,4 +3,4 @@ cd $BASEDIR sh mark.sh cp static/* dest/ -cp dest/* $DEST +sh rss.sh diff --git a/templates/footer.html b/templates/footer.html deleted file mode 100644 index 0aecc91..0000000 --- a/templates/footer.html +++ /dev/null @@ -1,8 +0,0 @@ - -
-
-

Who Am I

-

I'm a hacker who is trying to survive the Software Crisis

-
-
- diff --git a/templates/footer.sh b/templates/footer.sh new file mode 100644 index 0000000..53ec851 --- /dev/null +++ b/templates/footer.sh @@ -0,0 +1,12 @@ +echo '' +echo '
' +echo '
' +echo '

Who Am I

' +echo "

$DESC

" +echo '
' +echo '
' +echo '

Subscribe To The Feed!

' +echo ' Subscribe!' +echo '
' +echo '
' +echo '' diff --git a/templates/header.html b/templates/header.sh similarity index 100% rename from templates/header.html rename to templates/header.sh
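Review bot: `LINK="http://localhost"` in the local.env hunk is the value rss.sh interpolates into the channel header and into every item's `$LINK/<post>.html` line, so the generated rss.xml will point subscribers at http://localhost unless the deployed build overrides it. Since the file is committed, set it to the public site URL (https) there, or have static.sh read it from the environment at build time and keep the localhost value out of version control.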
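Review bot: In the mark.sh hunk, footer.sh expands `$DESC` but mark.sh as shown (the hunk starts at line 1 with `IFS='\n'`) never sources local.env the way rss.sh does with `. ./local.env`, so running `sh mark.sh` on its own produces a footer with an empty description; add `. ./local.env` at the top of mark.sh or make static.sh export the variables before calling it. mark.sh also hardcodes `src` and `dest/` while rss.sh uses `$SRC` and `$DEST`, so a change to local.env moves only half the build. Minor: `sh templates/header.sh> dest/index.html` has lost the space before `>` that the loop's `sh templates/header.sh > $dest` keeps.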
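Review bot: The rss.sh hunk feeds post content and config values into printf as the format string rather than as arguments, and escapes nothing for XML. `printf "\t\t\`cat $file\`"` makes the whole post body the format, so any `%` or backslash sequence in a post is interpreted as a directive and corrupts or aborts the feed; the same applies to `$TITLE`, `$DESC` and `$LINK` on the channel lines. Use `printf '%s' "$(cat "$file")"` and `printf '\t\t%s\n' "$TITLE"` instead. Nothing turns `&`, `<` or `>` into entities, so a bare ampersand or an HTML snippet in a post yields a non-well-formed rss.xml; run the body through `sed 's/&/\&amp;/g; s/</\&lt;/g; s/>/\&gt;/g'` or wrap it in a CDATA section (and note the body is raw Markdown, not the HTML that mark.sh renders, so readers will see `#` and link syntax). Also: `stat -f %Sm` is BSD/macOS-only and its default output is not the RFC 822 date RSS expects for an item date (`stat -f '%Sm' -t '%a, %d %b %Y %T %z' "$file"` gives one); `echo '\n'` is interpreted differently by dash and bash; `sed s/.md//` has an unescaped `.`; and item links are built from `basename`, so a post in a subdirectory of `$SRC` (which mark.sh writes to the matching subdirectory of dest) gets a wrong URL.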
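Review bot: In the MFAIsntMoving.md hunk, the claim that AWS "only allows one MFA token on" the root user is out of date: since November 2022 AWS lets you register multiple MFA devices (up to eight) on the root user and on IAM users, which weakens the pass-the-YubiKey example, although the broader point about shared system identities still stands. Typos to fix before publishing: "easy to distinct" (distinguish), "wont", "envison", "these these", "Similarily", "between peoples", and the sentence "If my build pipeline can only be invoked by the build user, and I need to become the build user to make that pipeline starts at a weird time." is missing its main clause.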
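Review bot: SnakeOilsCost.md ends mid-sentence ("However, I think security is very complicated") with no draft marker, but mark.sh builds every `*.md` under src and rss.sh pushes each one into the feed, so this unfinished post is published and syndicated the moment static.sh runs. Keep it out of src until it is finished, or add a draft convention (for example a filename prefix that both `find` loops exclude with `! -name '_*'`).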
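Review bot: In the static.sh hunk, removing `cp dest/* $DEST` is only safe because local.env sets `DEST="$BASEDIR/dest"` and the script does `cd $BASEDIR` first, so the hardcoded `dest/` that mark.sh writes to and the `$DEST` that rss.sh writes to resolve to the same directory; a one-line comment saying so (or making mark.sh use `$DEST`) would stop a future change to DEST from silently splitting the build across two output directories. Running `sh rss.sh` after `cp static/* dest/` is the right order, since it means a stray static rss.xml cannot overwrite the generated feed.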
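Review bot: In the new templates/footer.sh, the line that prints `$DESC` uses double quotes, so a description containing `"`, `$` or a backtick is interpreted by the shell, and nothing HTML-escapes `&` or `<` in it. DESC comes from local.env and is operator-controlled, so this is a robustness rather than a trust issue, but emitting it with `printf '%s' "$DESC"` (or a quoted here-document) keeps the template from breaking silently on such characters. The rename of header.html to header.sh is consistent with mark.sh already running it through `sh`, so no change needed there.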