bens_dad | Reading

We had a nice day on the beach in North Berwick. A few of Sophia's old nursery friends, getting back together, with a few siblings thrown in. They got on like it wasn't mostly a year since they last saw each other, and they had a ball digging holes, wading through seaweed and climbing on rocks. The weather was just as fabulous as it looks here.
Original is here on Pixelfed.scot.

ailbhe

I am not keeping up to date. It's partially that I'm often tired and partially that I'm still not writing about the thing that happened around Christmas that made things... more difficult... though ultimately it will turn out to have been better this way. But it's INCREDIBLY HOT and so we're running fans and using the pop-up pool in the garden and eating TONS of ice cream so it's also quite luxuriously holidayesque, while underneath is the horror of climate change. Yay?

In the last couple of weeks I may be regaining my ability to read again, which is intermittent, and I'm hoping to do monthly book posts again, I liked that the two or three times I did them.

andrewducker

1. The RAF Squadron Targeted by Palestine Action is Owned by a Hedge Fund: (tags:UK airplanes military investment )

rmc28

Friday:

Mary Rose, worth the admission fee all by itself, thoroughly absorbing exhibition of the many many objects found within the wreck, and amazing to see the preserved timbers themselves from lots of different angles.
lunch
dockyard boat tour, including a good look at the Queen Elizabeth aircraft carrier currently in dock (I cannot look at aircraft carriers without Danger Zone playing in my head)
HMS Victory, audioguide version with dramatic retelling of the battle of Trafalgar. Very absorbing, impressive amount of the ship available to visit even while restoration is ongoing, very tiring.
back to hotel and flop for a little
walk, ferry, bus to Gosport ice rink, disco skate, bus, ferry and walk back to hotel; ice is rather worse than Cambridge, but ferry+bus beats 2x Cambridge buses any time

Saturday:

sauna and swim for me
walk to the dockyard, waterbus to the Explosion Museum of Naval Firepower
lunch
walk ~2 miles to Submarine Museum
walk through of HMS Alliance, also a look around HMS Holland 1 (the first ever Royal Navy submarine)
my body in full rebellion against "museum walking" by this point, we took the waterbus back to the main dockyard, got cold drinks, and got back on the dockyard boat tour - different guide, different focus, well worth it
little wander around Gunwharf Quays and a little shopping in the outlet stores; having forgotten to bring my ereader, I resorted to buying a newspaper and we sat quietly ignoring each other in a curry gastropub for a while. Eventually we ordered some curry, which was really rather good, and then toddled back to the hotel
I decided I'd had enough moving for the day, so now I'm lying on the hotel bed with Glastonbury on the TV, life is good

Tomorrow I think we'll do a couple of brief museum things at the historic dockyard, and then perhaps go for a wander through Southsea. I'm going to watch England v Jamaica tomorrow afternoon (I think R has less than zero interest in football, women's or otherwise) and we've a reservation in the Spinnaker Tower for sunset cocktails tomorrow evening.

physical issues

My leg muscles, especially the ones that stabilise hips, knees and ankles, have been giving me some grief since I went clubbing after the Kodiaks won playoffs at end of May. I'm reasonably sure it's muscular fatigue and not joint/ligament damage. Rest helps, but so does gentle movement: if I sit still too long everything has seized up a bit when I stand up, but loosens up again as I start moving. Skating and hockey are fine once I'm warmed up. Yoga and general stretching seem to help, as do hot baths and sauna. Steady walking is a lot better for me than the stop-start of museum walking, as the last two days have made clear. I love museums but right now the spirit is willing and the flesh has Had Enough.

andrewducker

When I am Emperor anyone selling bowls, plates, etc will have to certify whether you can microwave food in them without them getting hotter than the food.

Is microwave transparency really too much to ask?

rmc28

I have been resisting buying a number of great hoodies from the assorted Historic Dockyard museum shops, on the grounds that I already have More Than Sufficient Hoodies, related to either ice hockey or musical theatre. R said obviously I need to wait for an ice hockey musical and get that hoodie.

Suggestions welcome for the topic / plot of such a musical.

andrewducker

1. The first non-opioid painkiller (for acute pain) has taken 27 years to produce.: (tags:pain research medicine )
2. UK asylum plans shows post-Brexit Britain is 'in very dark place', Albanian PM warns: (tags:uk migration OhForFucksSake )
3. Reading one book on a subject will put you ahead of the vast majority of people: (tags:experts learning )
4. One in four LGBTQ+ pupils may drop out before finishing secondary school: (tags:lgbt school bullying )
5. India High Court rules trans women are women: (tags:India transgender LGBT GoodNews )
6. A newspaper reported that Arthur Conan Doyle went to a local pub. Turns out to be completely made up (but the history is fascinating): (tags:journalism fraud Edinburgh history )
7. The transfers between parties in yesterday's Edinburgh council election are fascinating!: (tags:edinburgh elections voting politics scotland )
8. You can now buy The Hobbit in 5 different Celtic languages. (I'm sure people will have great fun comparing them): (tags:languages uk ireland TheHobbit )
9. Make AI Mediocre Again: (tags:satire ai video advertising )

rmc28

Uni buddy R and I made it to Portsmouth last night, despite the best efforts of signal failures to scare us off. (Half the trains were showing as cancelled around 3pm; by the time we actually got to Cambridge station at 5pm things were looking better; by the time our train got to Finsbury Park it looked like service was nearly restored and we continued to change at Three Bridges as originally planned.)

I was working up until about 4pm, with a couple of colleagues very amused that a) I didn't start packing until a gap between meetings at 2pm, and b) my "girls weekend" consists of naval museums and ice skating.

We had an easy walk to our hotel in the midsummer twilight, and settled in to our respective rooms. I'm doing admin until R texts me she's ready for breakfast. And then: the Mary Rose! (who else has formative childhood memories of watching it being raised?)

andrewducker

1. Holyrood Committee seek views and experiences as part of new inquiry into ADHD and autism: (tags:scotland autism adhd )
2. How would Britain vote, a year since the 2024 election (broken down in a wide variety of ways): (tags:uk voting polls )
3. Ooh Dark City has a 4k release. I'm quite tempted: (tags:movies scifi )
4. Poll: 82% of Israelis want to expel Palestinians from Gaza; 47% want to kill every man, woman, child: (tags:polls genocide Israel )
5. Poll: Americans' support for Israel at record low, backing for Palestinians at all-time high (46:33): (tags:USA polls Israel Palestine )
6. Why I'm glad the NHS has rejected two Alzheimer's 'wonder drugs': (tags:alzheimers medicine NHS )
7. Warwickshire County Council leader resigns, leaving 18-year-old in charge (Reform, unsurprisingly): (tags:politics UK )
8. Games run faster on SteamOS than Windows 11: (tags:games linux windows )
9. How disability benefits are paid across the world - and how UK compares: (tags:welfare disability international )
10. Harming children: the effects of the UK puberty blocker ban: (tags:UK bigotry children transgender LGBT )

fanf

https://dotat.at/@/2025-06-28-boulder.html

Here's a story from nearly 10 years ago.

( Read more... )

andrewducker

1. Mechanical Watch: Exploded View: (tags:watches design )
2. Language is complicated (Japanese star edition): (tags:japan English language )
3. Reminder that you can be lovely to your friends and family and still a disgustingly awful genocidal murderer: (tags:Nazis history people )
4. What Britain looks like after Brexit (written in 2016, about 2025). Anyone want to assign it marks for accuracy?: (tags:UK Europe OhForFucksSake )
5. Voyager 2 Illuminates Boundary of Interstellar Space: (tags:space )
6. Upcycling plastic into painkillers: Microbes transform everyday waste into acetaminophen: (tags:plastic medicine recycling )
7. Some great photos from Edinburgh's Pride March: (tags:lgbt edinburgh photos )
8. Businesses still gatekeep jobs for graduates - it's harmful and cruel: (tags:business academia university OhForFucksSake )
9. What does the new Industial Strategy mean for Scotland?: (tags:scotland government )
10. The USA is definitely not at war. Probably. Maybe. Kinda.: (tags:war USA Iran Israel video funny )

mjg59

Single signon is a pretty vital part of modern enterprise security. You have users who need access to a bewildering array of services, and you want to be able to avoid the fallout of one of those services being compromised and your users having to change their passwords everywhere (because they're clearly going to be using the same password everywhere), or you want to be able to enforce some reasonable MFA policy without needing to configure it in 300 different places, or you want to be able to disable all user access in one place when someone leaves the company, or, well, all of the above. There's any number of providers for this, ranging from it being integrated with a more general app service platform (eg, Microsoft or Google) or a third party vendor (Okta, Ping, any number of bizarre companies). And, in general, they'll offer a straightforward mechanism to either issue OIDC tokens or manage SAML login flows, requiring users present whatever set of authentication mechanisms you've configured.

This is largely optimised for web authentication, which doesn't seem like a huge deal - if I'm logging into Workday then being bounced to another site for auth seems entirely reasonable. The problem is when you're trying to gate access to a non-web app, at which point consistency in login flow is usually achieved by spawning a browser and somehow managing submitting the result back to the remote server. And this makes some degree of sense - browsers are where webauthn token support tends to live, and it also ensures the user always has the same experience.

But it works poorly for CLI-based setups. There's basically two options - you can use the device code authorisation flow, where you perform authentication on what is nominally a separate machine to the one requesting it (but in this case is actually the same) and as a result end up with a straightforward mechanism to have your users socially engineered into giving Johnny Badman a valid auth token despite webauthn nominally being unphisable (as described years ago), or you reduce that risk somewhat by spawning a local server and POSTing the token back to it - which works locally but doesn't work well if you're dealing with trying to auth on a remote device. The user experience for both scenarios sucks, and it reduces a bunch of the worthwhile security properties that modern MFA supposedly gives us.

There's a third approach, which is in some ways the obviously good approach and in other ways is obviously a screaming nightmare. All the browser is doing is sending a bunch of requests to a remote service and handling the response locally. Why don't we just do the same? Okta, for instance, has an API for auth. We just need to submit the username and password to that and see what answer comes back. This is great until you enable any kind of MFA, at which point the additional authz step is something that's only supported via the browser. And basically everyone else is the same.

Of course, when we say "That's only supported via the browser", the browser is still just running some code of some form and we can figure out what it's doing and do the same. Which is how you end up scraping constants out of Javascript embedded in the API response in order to submit that data back in the appropriate way. This is all possible but it's incredibly annoying and fragile - the contract with the identity provider is that a browser is pointed at a URL, not that any of the internal implementation remains consistent.

I've done this. I've implemented code to scrape an identity provider's auth responses to extract the webauthn challenges and feed those to a local security token without using a browser. I've also written support for forwarding those challenges over the SSH agent protocol to make this work with remote systems that aren't running a GUI. This week I'm working on doing the same again, because every identity provider does all of this differently.

There's no fundamental reason all of this needs to be custom. It could be a straightforward "POST username and password, receive list of UUIDs describing MFA mechanisms, define how those MFA mechanisms work". That even gives space for custom auth factors (I'm looking at you, Okta Fastpass). But instead I'm left scraping JSON blobs out of Javascript and hoping nobody renames a field, even though I only care about extremely standard MFA mechanisms that shouldn't differ across different identity providers.

Someone, please, write a spec for this. Please don't make it be me.

rmc28

You may have noticed it's been hot in England. So a lot of this week has just been the extra routines to cope with that (airing out the house at night / early morning, extra hydration, more naps).

It was a three-day week at work for me, with Monday my travel day back from Prague, and Wednesday a multi-errand day. Tuesday was a hectic day at work, but a rare evening with very few plans, so I actually rested. Wednesday had EHCP review for one child; a lunchtime skating lesson for me; a school bowling trip, hospital appointment and shopping all with the other child; and then Kodiaks practice in the evening.

( lots of ice hockey )

This week and next are 4-day weeks at work for me; I am having a long weekend away in Portsmouth with one of my oldest friends from university. Probably my only trip away this year that isn't directly about ice hockey. (But there is a rink in Gosport and both of us skate.) We plan to visit the Mary Rose, and I at least want to visit both the Submarine Museum and the Explosion Museum. I have been intrigued by the latter since I saw a road sign for it on the way to Gosport rink last month, but haven't yet found anything else about it apart from name and location. No spoilers!

andrewducker

First climbing experience, and after an hour of trying different walls Sophia made it to the top!
Original is here on Pixelfed.scot.

andrewducker

Sophia is watching the boys in the street have a water fight.
Original is here on Pixelfed.scot.

rmc28

(I forgot to mention that for about twenty minutes of the day I flew to Prague, I couldn't find my passport, because it was not in the box where it normally lives at home. That was not a fun twenty minutes, and much love to both Tony and Charles for joining me in the search. We found it eventually, it had fallen down the side of the shelf on which the passport box lives, in a way that meant you could only see it from one specific angle. Thankfully, I eventually stood at that angle and spotted it.)

The ice hockey camp continued to be excellent and very hard work, and I feel like I learned a great deal (and now I need to remember to keep using everything I learned and not fall back into bad habits). The coaching was very supportive and kind while pretty much pushing me to my physical limits. I very much hope to return on future camps.

The Saturday evening we went into central Slaný where there was a kind of beer festival happening, lots of different beer stands around the town square, a live rock band on stage, and a bunch of fairground rides. Sunday lunchtime, after the camp was finished, the original three of us got an Uber into Prague in the gloriously hot and humid afternoon. The other two had been to Prague before so I went off on my own to do some tourist things (boat tour! historical tram! walking across the Charles Bridge!) and messaged them when I was ready to meet up again. Turned out we were about five minutes walk apart at that point.

I took a load of photos but actually this random selfie for my family is one I'm really happy with:

We had dinner in Prague, during which time the hot weather broke into torrential downpour, and did a bit more walking around once that tailed off into intermittent showers, but eventually got back to Slaný for the evening. We got packed up and out of our rooms as requested in the morning but were able to leave our kit in storage while we had a leisurely walk and hipsterish brunch in Slaný before it was time to head to the airport.

Getting home was tediously delayed by train cancellations but I still got home in time to put the first washload on and repack my kitbag for Warbirds practice Monday evening.

Profile

bens_dad

June 2025

S	M	T	W	T	F	S
1	2	3	4	5	6	7
8	9	10	11	12	13	14
15	16	17	18	19	20	21
22	23	24	25	26	27	28
29	30

Page Summary

andrewducker - Photo cross-post
ailbhe - Monthly updates could be worse
andrewducker - Interesting Links for 29-06-2025
rmc28 - Holiday fun
andrewducker - Interesting Links for 28-06-2025
andrewducker - A complaint about modern life.
rmc28 - Hoodies
andrewducker - Interesting Links for 27-06-2025
rmc28 - Girls weekend: ships and skating
andrewducker - Interesting Links for 26-06-2025
fanf - Golang and Let's Encrypt: a free software story
andrewducker - Interesting Links for 25-06-2025
andrewducker - Interesting Links for 24-06-2025
mjg59 - Why is there no consistent single signon API flow?
andrewducker - Interesting Links for 23-06-2025
rmc28 - Events of note this week (mostly hockey)
andrewducker - Photo cross-post
andrewducker - Interesting Links for 22-06-2025
andrewducker - Photo cross-post
rmc28 - A week ago I was in Prague

Style Credit

Style: Poppy Fields for Practicality by timeasmymeasure

Expand Cut Tags

No cut tags

Page generated Monday, 30 June 2025 05:00 am