Photo cross-post

Sunday, 29 June 2025 04:31 pm
andrewducker: (Default)
[personal profile] andrewducker


We had a nice day on the beach in North Berwick. A few of Sophia's old nursery friends, getting back together, with a few siblings thrown in. They got on like it wasn't mostly a year since they last saw each other, and they had a ball digging holes, wading through seaweed and climbing on rocks. The weather was just as fabulous as it looks here.
Original is here on Pixelfed.scot.

Monthly updates could be worse

Sunday, 29 June 2025 07:40 pm
ailbhe: (Default)
[personal profile] ailbhe
I am not keeping up to date. It's partially that I'm often tired and partially that I'm still not writing about the thing that happened around Christmas that made things... more difficult... though ultimately it will turn out to have been better this way. But it's INCREDIBLY HOT and so we're running fans and using the pop-up pool in the garden and eating TONS of ice cream so it's also quite luxuriously holidayesque, while underneath is the horror of climate change. Yay?

In the last couple of weeks I may be regaining my ability to read again, which is intermittent, and I'm hoping to do monthly book posts again, I liked that the two or three times I did them.

Holiday fun

Saturday, 28 June 2025 09:37 pm
rmc28: Rachel in hockey gear on the frozen fen at Upware, near Cambridge (Default)
[personal profile] rmc28

Friday:

  • Mary Rose, worth the admission fee all by itself, thoroughly absorbing exhibition of the many many objects found within the wreck, and amazing to see the preserved timbers themselves from lots of different angles.
  • lunch
  • dockyard boat tour, including a good look at the Queen Elizabeth aircraft carrier currently in dock (I cannot look at aircraft carriers without Danger Zone playing in my head)
  • HMS Victory, audioguide version with dramatic retelling of the battle of Trafalgar. Very absorbing, impressive amount of the ship available to visit even while restoration is ongoing, very tiring.
  • back to hotel and flop for a little
  • walk, ferry, bus to Gosport ice rink, disco skate, bus, ferry and walk back to hotel; ice is rather worse than Cambridge, but ferry+bus beats 2x Cambridge buses any time

Saturday:

  • sauna and swim for me
  • walk to the dockyard, waterbus to the Explosion Museum of Naval Firepower
  • lunch
  • walk ~2 miles to Submarine Museum
  • walk through of HMS Alliance, also a look around HMS Holland 1 (the first ever Royal Navy submarine)
  • my body in full rebellion against "museum walking" by this point, we took the waterbus back to the main dockyard, got cold drinks, and got back on the dockyard boat tour - different guide, different focus, well worth it
  • little wander around Gunwharf Quays and a little shopping in the outlet stores; having forgotten to bring my ereader, I resorted to buying a newspaper and we sat quietly ignoring each other in a curry gastropub for a while. Eventually we ordered some curry, which was really rather good, and then toddled back to the hotel
  • I decided I'd had enough moving for the day, so now I'm lying on the hotel bed with Glastonbury on the TV, life is good

Tomorrow I think we'll do a couple of brief museum things at the historic dockyard, and then perhaps go for a wander through Southsea. I'm going to watch England v Jamaica tomorrow afternoon (I think R has less than zero interest in football, women's or otherwise) and we've a reservation in the Spinnaker Tower for sunset cocktails tomorrow evening.

physical issues

My leg muscles, especially the ones that stabilise hips, knees and ankles, have been giving me some grief since I went clubbing after the Kodiaks won playoffs at end of May. I'm reasonably sure it's muscular fatigue and not joint/ligament damage. Rest helps, but so does gentle movement: if I sit still too long everything has seized up a bit when I stand up, but loosens up again as I start moving. Skating and hockey are fine once I'm warmed up. Yoga and general stretching seem to help, as do hot baths and sauna. Steady walking is a lot better for me than the stop-start of museum walking, as the last two days have made clear. I love museums but right now the spirit is willing and the flesh has Had Enough.

A complaint about modern life.

Saturday, 28 June 2025 10:49 am
andrewducker: (lesbian tea)
[personal profile] andrewducker
When I am Emperor anyone selling bowls, plates, etc will have to certify whether you can microwave food in them without them getting hotter than the food.

Is microwave transparency really too much to ask?

Hoodies

Saturday, 28 June 2025 09:56 am
rmc28: (silly)
[personal profile] rmc28

I have been resisting buying a number of great hoodies from the assorted Historic Dockyard museum shops, on the grounds that I already have More Than Sufficient Hoodies, related to either ice hockey or musical theatre. R said obviously I need to wait for an ice hockey musical and get that hoodie.

Suggestions welcome for the topic / plot of such a musical.

Girls weekend: ships and skating

Friday, 27 June 2025 08:39 am
rmc28: Rachel in hockey gear on the frozen fen at Upware, near Cambridge (Default)
[personal profile] rmc28

Uni buddy R and I made it to Portsmouth last night, despite the best efforts of signal failures to scare us off. (Half the trains were showing as cancelled around 3pm; by the time we actually got to Cambridge station at 5pm things were looking better; by the time our train got to Finsbury Park it looked like service was nearly restored and we continued to change at Three Bridges as originally planned.)

I was working up until about 4pm, with a couple of colleagues very amused that a) I didn't start packing until a gap between meetings at 2pm, and b) my "girls weekend" consists of naval museums and ice skating.

We had an easy walk to our hotel in the midsummer twilight, and settled in to our respective rooms. I'm doing admin until R texts me she's ready for breakfast. And then: the Mary Rose! (who else has formative childhood memories of watching it being raised?)

Golang and Let's Encrypt: a free software story

Thursday, 26 June 2025 02:52 am
fanf: (Default)
[personal profile] fanf

https://dotat.at/@/2025-06-28-boulder.html

Here's a story from nearly 10 years ago.

[personal profile] mjg59
Single signon is a pretty vital part of modern enterprise security. You have users who need access to a bewildering array of services, and you want to be able to avoid the fallout of one of those services being compromised and your users having to change their passwords everywhere (because they're clearly going to be using the same password everywhere), or you want to be able to enforce some reasonable MFA policy without needing to configure it in 300 different places, or you want to be able to disable all user access in one place when someone leaves the company, or, well, all of the above. There's any number of providers for this, ranging from it being integrated with a more general app service platform (eg, Microsoft or Google) or a third party vendor (Okta, Ping, any number of bizarre companies). And, in general, they'll offer a straightforward mechanism to either issue OIDC tokens or manage SAML login flows, requiring users present whatever set of authentication mechanisms you've configured.

This is largely optimised for web authentication, which doesn't seem like a huge deal - if I'm logging into Workday then being bounced to another site for auth seems entirely reasonable. The problem is when you're trying to gate access to a non-web app, at which point consistency in login flow is usually achieved by spawning a browser and somehow managing submitting the result back to the remote server. And this makes some degree of sense - browsers are where webauthn token support tends to live, and it also ensures the user always has the same experience.

But it works poorly for CLI-based setups. There's basically two options - you can use the device code authorisation flow, where you perform authentication on what is nominally a separate machine to the one requesting it (but in this case is actually the same) and as a result end up with a straightforward mechanism to have your users socially engineered into giving Johnny Badman a valid auth token despite webauthn nominally being unphishable (as described years ago), or you reduce that risk somewhat by spawning a local server and POSTing the token back to it - which works locally but doesn't work well if you're dealing with trying to auth on a remote device. The user experience for both scenarios sucks, and it reduces a bunch of the worthwhile security properties that modern MFA supposedly gives us.

There's a third approach, which is in some ways the obviously good approach and in other ways is obviously a screaming nightmare. All the browser is doing is sending a bunch of requests to a remote service and handling the response locally. Why don't we just do the same? Okta, for instance, has an API for auth. We just need to submit the username and password to that and see what answer comes back. This is great until you enable any kind of MFA, at which point the additional authz step is something that's only supported via the browser. And basically everyone else is the same.

Of course, when we say "That's only supported via the browser", the browser is still just running some code of some form and we can figure out what it's doing and do the same. Which is how you end up scraping constants out of Javascript embedded in the API response in order to submit that data back in the appropriate way. This is all possible but it's incredibly annoying and fragile - the contract with the identity provider is that a browser is pointed at a URL, not that any of the internal implementation remains consistent.

I've done this. I've implemented code to scrape an identity provider's auth responses to extract the webauthn challenges and feed those to a local security token without using a browser. I've also written support for forwarding those challenges over the SSH agent protocol to make this work with remote systems that aren't running a GUI. This week I'm working on doing the same again, because every identity provider does all of this differently.

There's no fundamental reason all of this needs to be custom. It could be a straightforward "POST username and password, receive list of UUIDs describing MFA mechanisms, define how those MFA mechanisms work". That even gives space for custom auth factors (I'm looking at you, Okta Fastpass). But instead I'm left scraping JSON blobs out of Javascript and hoping nobody renames a field, even though I only care about extremely standard MFA mechanisms that shouldn't differ across different identity providers.

Someone, please, write a spec for this. Please don't make it be me.
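
An added example, not part of the post above and not any identity provider's API: a minimal Python sketch of the "spawn a local server and POST the token back to it" option the post mentions, showing the checks such a listener needs. The `LoopbackReceiver` class, the `/callback` path and the `state`/`token` JSON fields are hypothetical names, and `post()` stands in for the browser with constructed traffic.

```python
import hmac, http.client, json, secrets, threading
from http.server import BaseHTTPRequestHandler, HTTPServer

class LoopbackReceiver:
    """One-shot listener a CLI starts before opening the browser."""
    def __init__(self):
        self.state = secrets.token_urlsafe(32)  # ties the POST to this login attempt
        self.token = None
        receiver = self

        class Handler(BaseHTTPRequestHandler):
            def do_POST(self):
                try:
                    length = int(self.headers.get("Content-Length", 0))
                    body = json.loads(self.rfile.read(max(0, min(length, 65536))))
                except ValueError:  # bad length, bad UTF-8 or bad JSON
                    body = None
                ok = (receiver.token is None  # accept only the first valid POST
                      and isinstance(body, dict)
                      and isinstance(body.get("state"), str)
                      and isinstance(body.get("token"), str)
                      and hmac.compare_digest(body["state"].encode(),
                                              receiver.state.encode()))
                if ok:
                    receiver.token = body["token"]
                self.send_response(204 if ok else 403)
                self.end_headers()

            def log_message(self, *args):  # silence default request logging
                pass

        # Loopback only, ephemeral port: unreachable from other hosts, which is
        # also why this flow cannot serve a login happening on a remote machine.
        self.server = HTTPServer(("127.0.0.1", 0), Handler)
        self.port = self.server.server_address[1]
        threading.Thread(target=self.server.serve_forever, daemon=True).start()

    def close(self):
        self.server.shutdown()
        self.server.server_close()

def post(port, payload):
    """Stand-in for the browser's POST back to the CLI (constructed traffic)."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("POST", "/callback", json.dumps(payload),
                 {"Content-Type": "application/json"})
    status = conn.getresponse().status
    conn.close()
    return status
```

The listener rejects any POST that does not carry the per-attempt `state` value and ignores everything after the first accepted token, so another local process cannot overwrite the result once login has completed.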

Events of note this week (mostly hockey)

Sunday, 22 June 2025 10:33 pm
rmc28: Rachel in hockey gear on the frozen fen at Upware, near Cambridge (Default)
[personal profile] rmc28

You may have noticed it's been hot in England. So a lot of this week has just been the extra routines to cope with that (airing out the house at night / early morning, extra hydration, more naps).

It was a three-day week at work for me, with Monday my travel day back from Prague, and Wednesday a multi-errand day. Tuesday was a hectic day at work, but a rare evening with very few plans, so I actually rested. Wednesday had EHCP review for one child; a lunchtime skating lesson for me; a school bowling trip, hospital appointment and shopping all with the other child; and then Kodiaks practice in the evening.

This week and next are 4-day weeks at work for me; I am having a long weekend away in Portsmouth with one of my oldest friends from university. Probably my only trip away this year that isn't directly about ice hockey. (But there is a rink in Gosport and both of us skate.) We plan to visit the Mary Rose, and I at least want to visit both the Submarine Museum and the Explosion Museum. I have been intrigued by the latter since I saw a road sign for it on the way to Gosport rink last month, but haven't yet found anything else about it apart from name and location. No spoilers!

Photo cross-post

Sunday, 22 June 2025 06:37 am
andrewducker: (Default)
[personal profile] andrewducker


First climbing experience, and after an hour of trying different walls Sophia made it to the top!
Original is here on Pixelfed.scot.

Photo cross-post

Saturday, 21 June 2025 12:29 pm
andrewducker: (Default)
[personal profile] andrewducker


Sophia is watching the boys in the street have a water fight.
Original is here on Pixelfed.scot.

A week ago I was in Prague

Saturday, 21 June 2025 12:39 pm
rmc28: Rachel in hockey gear on the frozen fen at Upware, near Cambridge (Default)
[personal profile] rmc28

(I forgot to mention that for about twenty minutes of the day I flew to Prague, I couldn't find my passport, because it was not in the box where it normally lives at home. That was not a fun twenty minutes, and much love to both Tony and Charles for joining me in the search. We found it eventually, it had fallen down the side of the shelf on which the passport box lives, in a way that meant you could only see it from one specific angle. Thankfully, I eventually stood at that angle and spotted it.)

The ice hockey camp continued to be excellent and very hard work, and I feel like I learned a great deal (and now I need to remember to keep using everything I learned and not fall back into bad habits). The coaching was very supportive and kind while pretty much pushing me to my physical limits. I very much hope to return on future camps.

The Saturday evening we went into central Slaný where there was a kind of beer festival happening, lots of different beer stands around the town square, a live rock band on stage, and a bunch of fairground rides. Sunday lunchtime, after the camp was finished, the original three of us got an Uber into Prague in the gloriously hot and humid afternoon. The other two had been to Prague before so I went off on my own to do some tourist things (boat tour! historical tram! walking across the Charles Bridge!) and messaged them when I was ready to meet up again. Turned out we were about five minutes walk apart at that point.

I took a load of photos but actually this random selfie for my family is one I'm really happy with:

We had dinner in Prague, during which time the hot weather broke into torrential downpour, and did a bit more walking around once that tailed off into intermittent showers, but eventually got back to Slaný for the evening. We got packed up and out of our rooms as requested in the morning but were able to leave our kit in storage while we had a leisurely walk and hipsterish brunch in Slaný before it was time to head to the airport.

Getting home was tediously delayed by train cancellations but I still got home in time to put the first washload on and repack my kitbag for Warbirds practice Monday evening.

Page generated Monday, 30 June 2025 05:00 am