Nostr notes by arcanicanis

It's also conversely weird where people hold the belief that ...

2026-03-09T09:01:49Z

In reply to nevent1q…7s27
_________________________

It's also conversely weird where people hold the belief that if they were insanely rich, that their life would be substantially better.

Yes, you would no longer have financial stressors (then again, if you're not stupid and blow it all and end up broke..), wouldn't have an obligation to work, but then some people also start to lack finding purpose or function in life on their own. You've 100%ed the game, what objectives are left?

But even moreso is all the fake people. That you could be a center of attention to a crowd, but where it's not genuine. It's not where [at least most] people even actually care about you personally, and are more interested about being in your proximity just for your status and money. If you're too notable, you can't live as a nobody anymore. You're also a magnet for the occasional crazy person that you've never met.

I remember there being a news article about one notable figure that had made it very big, that they felt essentially alone and depressed. There was such a condescending public response, of people mocking said person, as if it's like impossible to be a multi-billionaire and also be depressed, even as a genuine person (not like someone that faked their way and used people to get to their status, whereas in that case, it'd certainly be due).

I'm speaking from my out-of-box experience on Kubuntu 25.10, ...

2026-03-08T10:14:54Z

In reply to nevent1q…040p
_________________________

I'm speaking from my out-of-box experience on Kubuntu 25.10, 32GB physical, +4.3(?)GB swap. I'd be totally fine with my userspace stuff being forcibly killed on OOM rather than having an unresponsive system that's hiked up with activity on shuffling things in and out of swap under pressure, with SysRq reset being the only option out.

As is the situation of hitting OOM whether you have swap or not. ...

2026-03-08T09:50:59Z

In reply to nevent1q…a7vr
_________________________

As is the situation of hitting OOM whether you have swap or not. Swap just slows down the time of getting to the threshold of the OOM killer being invoked. If you're pushing into the situation where you "need" swap, it's usually going to saturate swap too, unless you have like a +8 GB or so swap volume or something, whereas as far as I'm aware, most people only have a 1GB swap by default.

Let the kernel kill a process in an OOM situation and continue to ...

2026-03-08T09:30:46Z

In reply to nevent1q…xqfn
_________________________

Let the kernel kill a process in an OOM situation and continue to run just fine? Use a userspace OOM killer earlier before the kernel has to step in?

I love swap completely slowing down the process of reaching the ...

2026-03-08T08:27:16Z

In reply to nevent1q…rxwz
_________________________

I love swap completely slowing down the process of reaching the threshold to trigger the OOM killer to be invoked (if at all, and hopefully not stuck in the limbo in-between), thrashing my NVMe or SSD with useless activity for several minutes into hours, to sit and watch a system be so dogged down, that you can't even log into a virtual tty without it timing out (all while the kernel is actually responsive to immediately respond to magic SysRq keycombos). It's great.

https://arcanican.is/blog/2026/no-fun.php Had a stream of thought ...

2026-03-02T08:17:59Z

https://arcanican.is/blog/2026/no-fun.php

Had a stream of thought that I needed to get written down, as presented above. Just expressing a mix of thoughts I've had in recent years, and not to seek out sympathy or anything. I'm sure there's some other folks involved in hobbies or communities that feel the same.

Oh my. I think I've just hit a new revelation for a software ...

2026-02-25T22:12:49Z

Oh my. I think I've just hit a new revelation for a software architecture that should be a lot more servicable, stateless, and more practical to host with just static files, and possibly still be able to do federation (through a second layer atop, for converting NDJSON streams and ID references, into standard ActivityPub objects/collections).

I was working on a sideproject of a web-based yt-dlp frontend (and media platform), but may be able to 'kill two birds with one stone' with the idea.

Time to throw almost everything out again and see if this one sticks.

If there's a future time where I have availability, I may try ...

2026-02-09T21:09:52Z

In reply to nevent1q…9lre
_________________________

If there's a future time where I have availability, I may try to take a stab at implementing it in an XMPP client. If that goes somewhere, I could then try to see if it could be done ActivityPub side too (for private messaging) and have it interop, is my general vision.

@nprofile…nptm Possibly to your interest, if you haven't ...

2026-02-09T20:55:42Z

silverpill (nprofile…nptm) Possibly to your interest, if you haven't seen it already: https://autocrypt2.org Apparently only 25 pages long, with seemingly clear and specific steps and some code examples (at least in cursory skimming): https://datatracker.ietf.org/doc/draft-autocrypt-openpgp-v2-cert/

The gTLD expansion [lottery] itself is practically like AOL ...

2026-01-17T00:28:28Z

In reply to nevent1q…7g39
_________________________

The gTLD expansion [lottery] itself is practically like AOL keywords, just with an extra word needed, given companies can just own their own brand TLD now e.g. .google, .microsoft, .netflix, .pfizer, .scjohnson, .skype(?), .toshiba, .vanguard, .vistaprint, and so so so many more)

I guess that also serves as punishment for a particular VR ...

2025-12-25T08:02:33Z

In reply to nevent1q…mcxf
_________________________

I guess that also serves as punishment for a particular VR platform forcing EAC, just to auto-moderate against ALL forms of client modding; while the better alternatives openly allow modding (as long as it's not for malicious purposes).

Old mansion, for skipping ahead and getting tires quicker on a ...

2025-12-16T04:56:19Z

In reply to nevent1q…0n85
_________________________

Old mansion, for skipping ahead and getting tires quicker on a fresh run. There are ways to handle the bees, just sometimes a little finnicky; or also I think time-of-day stuff, but I can be impatient. Invariably, it's still all a humoring experience anyway.

I still haven't even fully finished the first game still, ...

2025-12-16T04:51:39Z

In reply to nevent1q…u6me
_________________________

I still haven't even fully finished the first game still, after about +68 hours of playing only permadeath mode. :P

Perhaps I should return to trying to pull that off yet. Those heckin bees in the abandoned shed though..

Oh nice. I guess I'll have to plan on not getting as much ...

2025-12-16T04:47:18Z

In reply to nevent1q…ujg4
_________________________

Oh nice. I guess I'll have to plan on not getting as much work done in late December/early January then.

Ooo, I am genuinely eager for the [eventual] release of My Winter ...

2025-12-16T04:36:20Z

In reply to nevent1q…sqx2
_________________________

Ooo, I am genuinely eager for the [eventual] release of My Winter Car. It's very rare to find the folks that appreciate obscure titles like MSC.

As in to just traverse their outbox and save all the posts in ...

2025-12-15T21:18:26Z

In reply to nevent1q…lj3v
_________________________

As in to just traverse their outbox and save all the posts in bulk (with/without attachments); that should be a trivial one-day project. Unless you mean storing the HTTP Signature also, now that's a separate story.

I guess one effect I still miss from the Beryl/'Compiz ...

2025-12-08T01:39:51Z

I guess one effect I still miss from the Beryl/'Compiz Fusion' era of Linux compositors, was being able to use Ctrl+Scroll to adjust the transparency of a window. So I could have a movie playing, drag a terminal over top, make the terminal semi-transparent, and be able to mentally switch focus between the two, without having to look between screens.

Oh it has for keyboards? That's neat. I probably wondered ...

2025-12-04T22:13:42Z

In reply to nevent1q…enyz
_________________________

Oh it has for keyboards? That's neat. I probably wondered about that too, but never really dug on it.

Speaking of Wacom and mice: I'm still idly curious why ...

2025-12-04T22:11:50Z

In reply to nevent1q…a963
_________________________

Speaking of Wacom and mice: I'm still idly curious why nobody's bothered to make a "pressure-sensitive" mouse (e.g. with soft actuation, and the pressure would be measured like pen tablet input), for cases where breaking out a drawing tablet might be excessive (e.g. some Blender sculpting tasks). I wouldn't be surprised if Wacom (or somebody) sits on a weird patent for something like that.

I'm pretty certain my XMPP server has far more uptime than ...

2025-11-18T20:35:57Z

In reply to nevent1q…e22q
_________________________

I'm pretty certain my XMPP server has far more uptime than Discord has had, my fedi server has more uptime than X has had, and my self-hosted email more than O365/Azure has had, all by just not using Cloudflare and just running on a basic VPS.

That could be an interesting concept/trend: hosting providers ...

2025-11-14T06:39:52Z

That could be an interesting concept/trend: hosting providers where the users of a hosted service could just directly donate towards the provider (on behalf of the hosting customer), while having some mechanism for attestation on-platform that they were the donor of said funds.

I understand they're a large contributor to GNOME, and employ ...

2025-07-12T00:30:55Z

In reply to nevent1q…wu79
_________________________

I understand they're a large contributor to GNOME, and employ a few developers to contribute to it. But it's a bit of a regression from offering KDE back in RHEL 7, but removing it in later releases when it's the far more stable and reliable option over GNOME (especially in a Wayland context).

Why does RedHat have to keep sawing themselves off at the legs? ...

2025-07-12T00:21:35Z

Why does RedHat have to keep sawing themselves off at the legs? Was going to do an RHEL 10 workstation install, but apparently the ability to install KDE has been removed since a few releases ago (as a first-party option; not talking EPEL). This also makes it a bit ironic, as RHEL 10 is to be "Wayland-only", and if they don't ship KDE as a first-party supported option, then that means a GNOME Wayland-only desktop, which is probably the worst possible option.

I think any curricula solely focused on just teaching someone a ...

2025-07-05T19:52:20Z

I think any curricula solely focused on just teaching someone a programming language, is kind of pointless.

I think for some real-world objectives to actually learn how things work, be more well-rounded, and understand how simply some things can be implemented, could be objectives like (after getting the basic concepts would be):

Develop something that can read/write a particular file format
Develop something that implements a network protocol
Write a basic parser (JSON, XML, etc), as bonus points

Some examples being: a primitive HTTP client, a basic IRC bot, an SMTP client, read an ODS/XLSX spreadsheet (with an XML lib), a PKZIP or tarball reader/writer, etc.

Projects like that would be astronomically more empowering than the ridiculous joke of what I see with people doing college courses, such as prompts like "write a C# class for calculating the total price of a sale at a lemonade stand (using floats even...)"

Whichever amount makes sense (3 is fine; or front and back ...

2025-05-28T19:09:02Z

In reply to nevent1q…dphq
_________________________

Whichever amount makes sense (3 is fine; or front and back isometric flats for coloration, 3rd for angled perspective of standard posture or something). Normally I dump at least $350+ equivalent on character sheets, so whatever would be fair in that budget.

I do have a character sheet commission that I would likely take ...

2025-05-28T18:37:31Z

In reply to nevent1q…stsq
_________________________

I do have a character sheet commission that I would likely take you up on that offer (when open), whenever I get to a more complete idea (still trying to fine-tune details on color pattern and palette; but generally it'll be some form of a scalie canid, which there aren't too many of)

I don't care if a commissioned artist leans on AI for ...

2025-05-28T18:22:40Z

In reply to nevent1q…aseq
_________________________

I don't care if a commissioned artist leans on AI for insignificant details (e.g. background details, basic pose, etc), it's more about whether: they're reachable outside of sh't platforms (e.g. not staying exclusive to FA notes for commissioning or something similarly absurd), they have an art style I hold interest in, and they accept some form of semi-anonymous payment (e.g. not PayPal, whereas most cryptos would probably be fine).

It's generally the last detail that's the primary blocker of why I don't commission much anymore.

I assume it's probably some over-/misapplication of it, of ...

2025-05-13T17:46:41Z

In reply to nevent1q…3akl
_________________________

I assume it's probably some over-/misapplication of it, of companies trying to use it as an 'every' tool, spammy notifications/reminders, various integrations of counter-productive value, and probably a boat anchor to self-host (for those that do anymore, given it sounds like they've cornered everyone into their SaaS offering).

But this is just my second-hand interpretation of what I passively observe off others, I don't interact with it myself either.

I assume Owncast doesn't have any sort of functionality for ...

2025-05-08T05:06:26Z

In reply to nevent1q…nl0f
_________________________

I assume Owncast doesn't have any sort of functionality for seeding streams between viewers yet?

The "insult to injury" in all this, is that I just want ...

2025-05-04T02:15:05Z

In reply to nevent1q…v8v4
_________________________

The "insult to injury" in all this, is that I just want to write a plugin for Cockpit that's visually consistent with the Cockpit itself.

But I also can't use the Cockpit's copy of PatternFly, because they keep switching between versions, and evidently it's just 'too hard' to simply ship separate major versions as separate files; ergo you can't use Cockpit's copy, you have to ship your own. Originally on v3, then v4, v5, and now it's moving on v6.

They even complain about breakage within a major version, but yet this is all entirely within the same company (RedHat): https://cockpit-project.org/blog/cockpit-221.html

Instead of writing my plugin, most of the time will probably be wasted with just dealing with the CSS UI framework itself.

And of course when I do npm install on the demo plugin, it pulls in 214MB for effectively a "hello world" project.

..."modern" CSS frameworks feel like a mental illness. ...

2025-05-04T02:04:30Z

..."modern" CSS frameworks feel like a mental illness.

I mean even with FrontPage you at least had some direct ...

2025-04-24T03:36:37Z

In reply to nevent1q…7f2v
_________________________

I mean even with FrontPage you at least had some direct correlation with the output HTML (aside from the extra cruft it'd add), versus this present day of people that call themselves web designers that don't even know what HTML/CSS even is, and scoff at the idea of ever learning any of it. Or those that cannot solve anything without some framework to 'think' for them.

I started poking around with HTML when I was like 9 years old, using a site builder program that was preinstalled on some early WinXP-era HP prebuilt, that tries to funnel you into using Tripod/Lycos as a hosting provider at the time.

The difference is that I grew up and I always seeked out new things to learn, and to expand deeper into learning anything I can in any of it. Meanwhile most of this damn present-day 'web design/dev' industry is people still riding around with toddler training wheels, solely to stay within their comforts, and they somehow manage to be taken seriously.

There's another local that is trying to run a webhosting company (that they bought out), effectively treating it like no more than a free money machine, and they don't even want to try running a homelab server to try to learn any entry-level Linux sysadmin stuff. It's so demoralizing when this is all I'm surrounded with.

It's exceptionally vile how saturated the tech industry is ...

2025-04-23T19:42:36Z

It's exceptionally vile how saturated the tech industry is with people that have no idea what they're doing, that act as if they're a "pro!", when they are the very reason there's major security incidents, or end up as another statistic of a botnet.

Everything is entirely about comfort to them, they don't want to adapt or learn, they just want to slap everything together with options that make them feel comforted and empowered, and never call in specialists where necessary.

Just as how dangerous a point-and-click Windows sysadmin with heavy Dunning-Kruger effect is, there's very much the same counterpart with the average idiot calling themself a web design agency because they know how to install WordPress (if at all, if they don't lean on something else to do that for them).

For something that could be done effectively in 50 lines of code (or sometimes basic sysadmin knowledge), they will instead go out to find a scatter of 3 different plugins to accomplish the same task, of dubious authors/quality.

Because they don't know how to code, and because the built-in block-based visual editor is "too confusing" for them, they will instead install a whole suite of another entire visual editor (Beaver Builder or Elementor), all entirely around their comfort. This crap can take up to 1GB of RAM to fulfill one web request, and they never see this as an issue (contextually: 1GB to generate +150KB of output).

Latest exhibit is an unfinished e-commerce website, that's had two other contractors they went to first, whereas after each contractor they'll pull me in solely to be the janitor and clean up others' work, usually starting as a call in middle of the night (phone ringing at 11pm/midnight in US Central), but they'll always cancel any subsequent work that needs to be done, and go with someone else instead.

Same thing happened again: they call me in to be the janitor in the middle of the night, they can't even be bothered to remember my email address (and ask for it to be spelled out for the +10th time over the phone), and when I check out the same project now, it's even exceptionally worse.

First time I've had to "fire the client" (after 2 years of this across other situations), and here's a video meme I've made of the actual plugin list they've amassed for a site that's supposed to be 'trusted' to process credit card information. (For context, only ~5 plugins would be necessary, if done competently. One plugin name is censored, because it has a contractor's name)

Just even the state of boot firmware on mobile devices is insane. ...

2025-03-03T20:45:15Z

In reply to nevent1q…5fyz
_________________________

Just even the state of boot firmware on mobile devices is insane.

Imagine if new desktop motherboard's firmware were hardcoded to ONLY directly boot Windows 11, ONLY in a very specific partition layout, specific to that motherboard (at least in the case of a prebuilt). Antitrust enforcement would probably be all over Microsoft on that; meanwhile this is the state of mobile devices, and Apple/Google get a free pass (presumably because it's a duopoly and not monopoly).

And I'm not even speaking about SecureBoot, I'm saying the boot firmware of these devices are specifically that: just an OS bootloader right in the firmware; no configurable MBR/UEFI pre-boot environment anywhere.

Free market would allow someone to make something better, but either everyone's spineless or careless, or perhaps Google contractually obliges handset vendors not to (in exchange for Google Play Services licensing or certain logo certifications).

I mean more in regards of the design considerations: Should it be ...

2025-02-18T00:11:16Z

In reply to nevent1q…e0vm
_________________________

I mean more in regards of the design considerations:

Should it be raster or vector?
Anti-aliased brushes or not (or both)?
Full color or pallettized to a specific set of colors?
Should there be a standard resolution or a resolution limit?
Option to import/remix other folks' drawings, etc

Because otherwise a basic thing could be done in like <100 lines of JavaScript and <canvas>, meanwhile the selection of design choices either makes or breaks it.

I live too deep under a rock to know how Miiware or other successful social stuff was designed.

What would be some worthwhile constraints and features, if it ...

2025-02-17T23:18:45Z

In reply to nevent1q…ee6k
_________________________

What would be some worthwhile constraints and features, if it did?

After all, there are a lot of things that could be confused for ...

2025-02-17T19:24:19Z

In reply to nevent1q…aacj
_________________________

After all, there are a lot of things that could be confused for an autism diagnosis

The subtext is: "trusted" sources haven't published ...

2025-02-17T19:14:45Z

In reply to nevent1q…c4ra
_________________________

The subtext is: "trusted" sources haven't published much on this topic yet, so don't believe info from any of the independent results in the void of that.

I can't remember if they play the same games as they do on YouTube for 'news-related' searches, of pinning results from a hand selected set of establishment media outlets at the top, ahead of the organic ordering.

'Cogito, ergo sum' or something.

2025-02-11T20:00:45Z

In reply to nevent1q…lhe4
_________________________

'Cogito, ergo sum' or something.

If government is the Certificate Authority of a cryptographic ...

2025-02-06T21:18:04Z

In reply to nevent1q…8azp
_________________________

If government is the Certificate Authority of a cryptographic digital ID system, and if the digital ID is used as an authenticator, then therefore the government can impersonate you, do things on your behalf, and access any resources that are 'protected' wherever the digital ID is relied on as an authenticator. It inherently gives them a backdoor into anything that relies on it, as they can always notarize another ID as you.

There could be ways to mitigate risks, but I highly doubt they'll be considered, since it's always the dumbest of person that any of these systems will be engineered to (just as why authentication with banking is just outright pathetic in a lot of areas, where a vast majority of online banking doesn't even support any hardware token auth whatsoever).

The important part is that digital ID isn't used as a routine authenticator, and maybe only for proving identity ONCE when initially setting up an account, and the onus being on the end user to supply the methods they want to authenticate NOT involving the digital ID as a routine authenticator (password + OTP, user-procured hardware token, or whatever else).

Neat, didn't notice that SCRAM for HTTP Authentication was a ...

2024-12-22T23:05:24Z

Neat, didn't notice that SCRAM for HTTP Authentication was a standardized thing until now: https://datatracker.ietf.org/doc/html/rfc7804

Apparently authored by an employee of an XMPP software vendor.

From periodically lurking X (and I'm sure the same applies to ...

2024-12-11T07:08:00Z

From periodically lurking X (and I'm sure the same applies to Bluesky), I don't understand the fixation of all the people that want to act as some self-appointed justice system that declares people 'pedophile', 'zoophile', or whatever else, based on some Google Doc of just alleged Discord/Telegram/etc screenshots, of conversations with people you have never heard of.

Should I demonstrate how trivial it is to edit conversation history in Discord with developer tools (when accessed from a browser)? Is it worth making a tool to fake Telegram screenshots, to also illustrate the same?

Why is it almost never verifiable court documents, charges, local news reports, etc? If the conversation screenshots are "proof", and there is reasonable evidence to a crime, why is nobody bothering to report to law enforcement, to then officially legally request those conversation logs from the platform and investigate further?

Then there's also times when people will decry any accusations against their friends or acquaintances as baseless, as nothing more than a desperate measure to take them down, but then clap like seals for any campaign against people they hate, for probably no different of quality of 'evidence'.

Just to be clear: anyone advocating for pedophilia or zoophilia deserves the woodchipper. What I'm complaining about is the people obsessing over and recirculating gossip, playing 'moral authority' of the internet, and all the factions that are just a constant inward firing squad.

And hell, it doesn't even have to be alleged crimes, there's some subsets of people that are just appear so insufferably miserable to each other, like some alleged Christian groups throwing each other out and advising people to stay away from certain people, for barely any justification at all.

I don't understand how people aren't self-aware of their own behavior, especially when it very likely is the cause to why they have no stable friendships or are usually alone.

What would be a fair, self-discoverable mechanism for a private ...

2024-11-29T23:23:51Z

What would be a fair, self-discoverable mechanism for a private user storage for an ActivityPub actor, primarily for the storage of arbitrary content such as client preferences, encrypted keyring, etc?

Naturally all I can think of would be another endpoint listed under the endpoints map in an actor, perhaps with a property name of userStorage, whereas the endpoint would be a Collection that you'd Add or Remove objects from.

Or alternatively, if it's something that should just be genericized to some system of arbitrary user-created collections (no idea if discussions about the streams attribute went anywhere), but then that'd probably lose meaning for something that could be self-discoverable (such having to then discover which collection holds a private-only user store for client-managed data, and make it more needlessly complicated).

This is pretty much the last gap that I need figured out, and then my overall plan should be complete, once resolved.

One thing I don't understand with DMARC reports: how do you ...

2024-10-24T15:43:25Z

One thing I don't understand with DMARC reports: how do you even know which sending user is authoritative for a domain? Is the trust model just TOFU (within the same domain)? The DMARC TXT record just designates where to send reports to, but not which account reports should originate from for a domain.

and even then, some people will still type out google.com, ...

2024-09-15T18:55:34Z

In reply to nevent1q…kx2p
_________________________

and even then, some people will still type out google.com, navigate there, and then type the domain name of a website as a Google search, and click the first result instead of understanding to just type the domain name directly in the address bar.

Are all the ports for STUN/TURN open, including the entire ranges ...

2024-06-11T21:26:22Z

In reply to nevent1q…kkng
_________________________

Are all the ports for STUN/TURN open, including the entire ranges for TURN relay (ALL ports from UDP port 49152, to UDP port 65535, as is the default for eturnal and coturn), or if you're using a custom port range, is it enough ports (e.g. at least like ~100 ports or so)?

Is it with calls only between people on the same XMPP server, or ...

2024-06-11T18:54:06Z

In reply to nevent1q…ar7c
_________________________

Is it with calls only between people on the same XMPP server, or is it with calls to users on other servers? To my understanding, each server (for each participant in a call) needs to provide STUN/TURN services.

or the result when people complain to social media instead of ...

2024-04-21T04:53:14Z

In reply to nevent1q…jfp3
_________________________

or the result when people complain to social media instead of putting the effort into carefully reporting installer issues.

I'm pretty much available for tech support whenever needed ...

2024-04-13T04:47:58Z

In reply to nevent1q…e05f
_________________________

I'm pretty much available for tech support whenever needed for XMPP servers and alike (and there is of course also the respective support MUCs, for each server software). I can also set up cert/uptime monitoring with notifications, from my Icinga2 instance, if desired. I was intending at some later point to deploy a self-serve system for that.

Much of it's explained later in one of the replies at: ...

2024-03-24T00:03:14Z

In reply to nevent1q…ahlp
_________________________

Much of it's explained later in one of the replies at: https://were.social/notice/Ag9m39s4aWr45TmKdE

Generally trying to build within the capabilities present in PHP 8.0, making use of common first-party binary extensions to PHP first (hence OpenSSL for secp256k1, or else libsodium when I deal with ed25519)

Hadn't known about the IETF publication, I actually had to dig in various forum threads and StackOverflow to find the math on how to accomplish it, as well as work off of other people's notes. The mentioned publication probably would have helped out much more, I'll probably highlight in on any future summary on that.

I do however need to dig deeper on the specifics about low-s with signature creation.

Much of the stuff with Multibase, Multikey, etc I've already read into plenty before when experimenting with Object Integrity Proofs in ActivityPub, just with ed25519 instead.

Sounds like it doesn’t necessarily ease the burden of ...

2024-03-23T18:56:16Z

In reply to nevent1q…f80v
_________________________

Sounds like it doesn’t necessarily ease the burden of implementing did:[something] for ActivityPub though. Do you consider it a dead end as far as practical utility goes?

Oh, it absolutely could be used today in FEP-ef61, and the laziest implementations could just lean on querying https://plc.directory/ for every did:plc. A person could just skip all of the above prerequisites, and at minimum [only] be a consumer of that DID method by just grabbing the JSON (or JSON-LD: https://plc.directory/did:plc:s2m7kbq2unki7rager5aw6sw ), and having blind faith that the directory validated it (except it'd only be a one-way relationship).

I did accomplish this with no dependencies (other than OpenSSL and a BigInt math library) in ~400 lines of code from scratch.

The significant issue is long-term trust in that DID platform, as there's no idea how they'll moderate it, if they'll force incompatible breaking changes, lock it down later on (for submitting did:plc identities, or resolving them), or if it'll be shut down some amount of years from now. But at least there's nothing that mandates the use of their resolver, as I'm sure others could launch their own, maybe.

I guess I successfully created a did:plc and have it published to ...

2024-03-23T08:12:34Z

I guess I successfully created a did:plc and have it published to (sorta) Bluesky's backend did:plc registry: https://plc.directory/did:plc:b3iyjhbvpeiygj35orqatuqb/log

Instead of endorsing any sort of a ATProto PDS or anything, I instead have it pointing to my ActivityPub (and other) identifiers in varying forms.

I'm probably the only [non-employee] user (or at least: one of very few) on Bluesky's infrastructure that has full custody and control over their own private keys for their did:plc identity, and yet I don't even have a Bluesky account. Unless I'm just uninformed of something buried somewhere allowing you to export at least one of your rotationKeys (not the signingKey, which is just for signing posts, etc). Because without that, you don't really control your identity at all, only Bluesky exclusively does.

Meanwhile, in this endeavor, I "only" had to:

Write a DAG-CBOR and CIDv1 encoder
Write a Multibase and Multikey encoder and decoder
Write a base58btc encoder/decoder
Write a base32 encoder
Write functions to compress and decompress a secp256k1 public key (involves crypto maths, for decompression)
Write some very adhoc ASN.1 DER encoding/decoding functions (just to encode a raw secp256k1 public key into PEM encoding, to feed to OpenSSL; and then extract the r and s values from the outputted signature from OpenSSL)
Write a function to generate a did:plc identifier, from the genesis operation
Write a lot of test code

With how scarcely some topics are documented, and how scattered many tidbits of info is: I swear some of this is almost intentionally a trap to sell consultancy.

The volcano beacons for human sacrifice in the form of: ...

2024-03-22T21:23:05Z

The volcano beacons for human sacrifice in the form of: superfluous tech consultants.

Or alternately: people who write specs and never bother to even completely implement their own spec.

It's all I routinely bitch about: ...

2024-03-08T19:52:10Z

In reply to nevent1q…ceg9
_________________________

It's all I routinely bitch about:

https://were.social/notice/AfHlGgRYClScNnQFiy

https://were.social/notice/AfYn3Wcauj4nkflBkO

I assume it was originally under an ambitious idea to allow users to have control over their identity by cryptography, but implemented in such a half-baked way that was conceptually flawed, to the point where users cannot export their keys for risk of the entire server: https://github.com/mastodon/mastodon/discussions/22315#discussioncomment-4423581

...Why do we have this ridiculous joke of assigning a keypair to ...

2024-03-06T01:48:47Z

...Why do we have this ridiculous joke of assigning a keypair to every ActivityPub actor (that the user themself can never have) for HTTP Signatures when all remote resources are fetched under the internal actor's key only (and anonymity of who's querying the resource), and therefore be unable to enforce access control on a non-public resource?

I think that's the point to Nostr though: there's not ...

2024-02-23T20:37:09Z

In reply to nevent1q…l0w9
_________________________

I think that's the point to Nostr though: there's not meant to be a lot to it.

Public key is the identity, sign messages to publish under that identity, relays are your inbox/outbox, require proof-of-work as one way to keep spam from overtaking the network, etc (if I understand correctly)

Would it be worth anything for me to spend my day writing a light ...

2024-02-23T20:14:53Z

Would it be worth anything for me to spend my day writing a light dissertation between ATProto, ActivityPub, Nostr (very lightly, I still need to dig more), DIDs, etc? (and having to re-read much of the specs again)

If so, expect that it'd be at least as long as (if not more) than: https://arcanican.is/primer/ap-decentralization.php

and just to declare: I've only written a full ActivityPub server implementation, meanwhile I have not written an ATProto server nor anything Nostr yet. I believe I have a fairly complete understanding how it ATProto comes together in it's components, compared to a lot of other people that seem to be commenting on it.

I present to all of you the pinnacle in CAPTCHA technologies, to ...

2024-02-17T07:19:28Z

I present to all of you the pinnacle in CAPTCHA technologies, to solve the issue of spambots abusing open registration:

All you have to do is require any applicants to complete The Impossible Quiz, easy: https://www.newgrounds.com/portal/view/365143

Well, it’s really close in severity: when you can take over the ...

2024-02-15T22:24:13Z

In reply to nevent1q…ennz
_________________________

Well, it’s really close in severity: when you can take over the deliverability of their posts to any followers (on any software) that aren’t on the same server, when you can take over where Direct Messages across servers end up, when you can change the public key cached for any remote user and start impersonating S2S traffic, and much more.

So here’s an example of one of the maliciously-crafted payloads ...

2024-02-15T15:00:00Z

So here’s an example of one of the maliciously-crafted payloads that resulted in a 9.8 severity CVE (CVE-2024-23832) against Mastodon:

{
"@context": ["https://www.w3.org/ns/activitystreams";],
"id": "https://mastodon.social/users/Gargron/posts/123456";,
"type": "Note",
"actor": "https://mastodon.social/users/Gargron";,
"attributedTo": "https://mastodon.social/users/Gargron";,
"content": "Well, this is an extremely concerning vulnerability I should have accounted for.",
"to": [ "https://www.w3.org/ns/activitystreams#Public"; ],
"cc": [ "https://mastodon.social/users/Gargron/followers"; ],
"published": "2024-01-28T22:00:00Z"
}

I have previously double-checked with one of the Mastodon developers (while CC’ing the Mastodon Security email) to confirm that I’m free to release the details at this scheduled time (Feb 15th 15:00 UTC). According to the current observed metrics on FediDB, >73.6% of Mastodon instances are patched against CVE-2024-23832, as manually tabulated.

For more details on the vulnerability, the original security report as it was submitted on Github is available at: https://arcanican.is/excerpts/cve-2024-23832/

My recount of events (as well as unsolicited commentary and criticisms on the vulnerability, ecosystem, etc; when I get around to finishing it): https://arcanican.is/excerpts/cve-2024-23832/discovery.htm

Well that’s one way to wake up: logging into a production ...

2024-02-14T02:54:37Z

Well that’s one way to wake up: logging into a production system, and peeking into the database to troubleshoot a problem, and then noticing: nearly all the database records are just completely gone, and there’s no rational reason why—but then after some amount of time, you realize you’re just looking at a testing pre-launch copy of the database, not the actual production database, and nothing was missing at all.

https://www.w3.org/TR/activitypub/#block-activity-outbox The ...

2024-02-13T21:17:11Z

In reply to nevent1q…waq9
_________________________

https://www.w3.org/TR/activitypub/#block-activity-outbox

The Block activity is used to indicate that the posting actor does not want another actor (defined in the object property) to be able to interact with objects posted by the actor posting the Block activity.

In the ActivityPub spec itself, it bears no meaning of access control; it’s purely just to ignore notifications and objects (such as replies) from that actor, as there is no rational way to accomplish limiting access to public posts from specific actors.

Anything sensitive that requires access control should not be posted publicly on social media to begin with. This isn’t a software design issue, it’s a human behavioral issue.

I routinely [privately] warn people about oversharing, such as when I stumble across someone posting a photo that gives away the exact location of where they live, or where they work, and most of the time it’s shrugged off as a non-issue, because they assume they have tangible threats in the present, but never consider the future.

Then of course, they could always end up in some controversy much later on, over something completely innocuous, and face some tangible threats/risk, but yet put the blame on everyone else for their reckless posting behaviors (“omg doxxing!”). Blocking people they perceive as a threat solves nothing.

The reality that disgusts me the most, is with the cargo culted ...

2024-02-12T05:23:32Z

In reply to nevent1q…gnt5
_________________________

The reality that disgusts me the most, is with the cargo culted mentality of:

Software is now (rightfully) considered so dangerous that we tell everyone not to run it themselves. Instead, you are supposed to leave that to an “X as a service” provider, or perhaps just to “the cloud.” (…)

The assumption is then that the cloud is somehow able to make insecure software trustworthy. (…)

Specifically where you have retards that made the mistake of running their company IT almost exclusively on Microsoft products, especially with Exchange, SharePoint, and such; that they figure it’s “safer” if you just have Microsoft host all of it instead. Instead of: just using something else, with a better security history.

It even blows my mind further with teleconferencing software; like paying an O365 subscription for Teams, as if WebRTC is a finite resource you can only get from Microsoft and can’t run yourself.

So now a lot of it’s just a capture of so much internal company data and infra all onto Azure/O365, making all these customers as Microsoft’s most favorite little captive victims.

Hell, even the f’ing military (when I was in my last few months of doing ActiveDirectory/Exchange admin stuff in the Marine Corps, to the end of my contract) was in the transition of dumping all their internal servers for Exchange Online and O365, whereas all of that’s outside of the intranet perimeter now.

https://spectrum.ieee.org/lean-software-development

2024-02-12T05:01:41Z

https://spectrum.ieee.org/lean-software-development

For your torture: https://en.wikipedia.org/wiki/I-number

2024-02-08T07:16:28Z

In reply to nevent1q…3puu
_________________________

For your torture: https://en.wikipedia.org/wiki/I-number

There is a chance it could be screwy things on my side with the ...

2024-02-07T06:57:29Z

In reply to nevent1q…hvh9
_________________________

There is a chance it could be screwy things on my side with the Erlang OTP version and it’s TLS implementation or with Hackney and other middleware, nonetheless I stumbled across:

https://www.erlang.org/doc/man/ssl.html#type-middlebox_comp_mode

https://github.com/erlang/otp/issues/6241

and just tried limiting it to TLSv1.2 and it seems to be operational now. I don’t know if there’s something in the path to mastodon.social’s servers that has a hiccup with TLSv1.3. Either way, it’s something that changed late last year where I suddenly couldn’t get anything from mastodon.social anymore, while I hadn’t made any changes to my instance.

Apparently the federation issue I’ve had with mastodon.social ...

2024-02-07T06:48:58Z

Apparently the federation issue I’ve had with mastodon.social seems to presumably be with their CDN (Fastly) and TLSv1.3 use. After limiting this instance to TLSv1.2 for outbound connections, it’s now able to query content from mastodon.social

Yes, something else than colons may have been preferable, however ...

2024-02-06T07:42:00Z

In reply to nevent1q…9z03
_________________________

Yes, something else than colons may have been preferable, however hexadecimal absolutely was a practical choice: you could split subnet allocations by each digit (4-bits), which you can’t do with base-10 dotted-decimal in IPv4. I’d argue it’s easier to teach subnetting with IPv6 than with IPv4.

Now I'm randomly curious: does phenomena of Dunbar's ...

2024-01-20T00:41:35Z

Now I'm randomly curious: does phenomena of Dunbar's number indirectly include parasocial connections and brand names too? Do the people that worship brands and celebrities therefore have much less 'mental space' for remembering actual people in their lives?

Wait, secp256k1 (as in Koblitz curve, as used in ...

2024-01-13T01:10:06Z

In reply to nevent1q…mcfd
_________________________

Wait, secp256k1 (as in Koblitz curve, as used in Bitcoin/Ethereum, only meant for a specific narrow use and supposedly has much more ways to be easily misused, making key compromise easier) versus P-256 (secp256r1) or the much simpler/performant Curve25519? Was there a reason for adopting specifically secp256k1 in Nostr above all others?

and traditionally they were one of the few early printer vendors ...

2023-08-30T19:22:35Z

In reply to nevent1q…a00v
_________________________

and traditionally they were one of the few early printer vendors (other than HP) to actually provide first-party native Linux drivers, as well as deb/rpm downloads from their website (although packaged a little weird). I don’t know how the landscape is now, comparatively.

It’s the main reason I have interest in it, despite my general ...

2023-08-14T03:49:40Z

In reply to nevent1q…l4yx
_________________________

It’s the main reason I have interest in it, despite my general hate of social media. The ability to just have discussions with actual people, versus being around individuals that are trying to be: performative, trying to build follower numbers, trying to turn everything into a spectacle, or ‘building the brand of them’.

That’s probably a far better chance than describing it to the ...

2023-08-09T00:52:45Z

In reply to nevent1q…g5gl
_________________________

That’s probably a far better chance than describing it to the average Discord user.

Perhaps instead for compatibility, it could be an attachment to a ...

2023-08-05T23:51:04Z

In reply to nevent1q…zp8u
_________________________

Perhaps instead for compatibility, it could be an attachment to a Note (maybe even with the Note serving as the alternate representation), rather than having to completely dull down the vocabulary just to play along with Mastodon?

I can probably attest to some of the same, just lesser severity. ...

2023-07-15T19:01:08Z

In reply to nevent1q…q0d8
_________________________

I can probably attest to some of the same, just lesser severity. Of being a stupidly naive kid on the internet, pulled into fandom things early, and only being able to distinguish the sensibility of a person based on their avatar and how well-spoken they are. Getting pulled in by art communities and webcomics, and gradually into weirder forms of content. Then later on when I had a vehicle, started to be involved in local fandom and staffing for conventions, while just looking past all the negatives and oddities.

Started to get trapped into certain belief systems (the ones fairly exclusive to furry fandom) that only created excuses to have depression and ‘pity Olympics’. Then I actually started to browse around and actually see what a lot of the people of the fringe look like (of folks that I thought were sensible people), but when you just see what they look like, it becomes exceptionally obvious in just appearance and attire that something is way off with them, even to the most socially-underdeveloped of autists to see.

Finally had some self-reflection, moved away from those fringes and beliefs, and have been a lot more functional since; but still somewhat ‘trapped’ into the general broad sphere of ‘furry fandom’ for friends/connections, since being with social outcasts during developmental years probably doesn’t help one’s social development. For a majority of folks I’ve kept an eye on over the years, it’s pretty much a ‘Hotel California’ where I just see people get sucked in, develop into the worst of habits, and despite however many times they ‘officially announce’ that they’re “leaving”, they’re always still stuck here.

I feel bad for the next naive generation getting sucked in by catchy furry VR memes on TikTok and such, not knowing where they’re going to end up.