I hope everybody is faring well through the uncertainty of this COVID-19
pandemic. If you're stuck at home and looking for something fun and new
to do, try out the new tildeverse space we set up on yourworldoftext.com:
https://www.yourworldoftext.com/~tildeverse/
As with all things in the tildeverse, keep it positive!
cmccabe
Hello all,
Google auth wasn’t the highest on the poll that I ran. However, I do feel 33% in favour of Google auth or options like it is enough for me to implement the feature.
To use Google auth you also need to enter your password for your account on login.
For information on getting Google auth set up, you can go to our wiki.
https://tilde.club/wiki/googleauth.html
If you’d like to see more options reply to this email with suggestions and I may look at implementing them.
Thank you to everyone that participated in our poll.
~deepend
Just looked. From what I read, the phishing attack would really only work for accounts that someone would have to go to a web page for login (which could be faked) and get the details. But for ssh login there is not the same risk.
Thanks
> On Feb 26, 2020, at 11:34 AM, Jeffrey Paul <sneak(a)sneak.berlin> wrote:
>
> The phished credentials are generally used immediately to take over the account.
>
> --
> Jeffrey Paul
> sneak(a)sneak.berlin
>
>> On Wed, Feb 26, 2020, at 10:26 AM, deepend wrote:
>> Would be interested in hearing more information on how someone is
>> phishing a code that is only valid for like 30 seconds? Is there more
>> to that story than just phishing?
>>
>> Thanks
>>
>>
>>>> On Feb 26, 2020, at 11:09 AM, Jeffrey Paul <sneak(a)sneak.berlin> wrote:
>>>
>>> Note that for U2F you also need ssh client support, so this would require a lot of people to recompile their ssh client.
>>>
>>> Due to the fact that those six digit numeric 2FA codes (TOTP) are phishable, I recommend sticking with a split-key system like U2F or plain ol’ ssh keys. The latter is widely supported, even on things like iPads and the like, and needs no special client support.
>>>
>>> If you are using a full Yubikey for U2F (and not the cheaper blue U2F-only Yubikey), you can use the Yubikey in a smart card mode to generate and store an old-style SSH keypair. This is what I do and it works great.
>>>
>>> Best,
>>> -sneak
>>>
>>> --
>>> Jeffrey Paul
>>> +1 312 361 0355 (voice, sms, Signal)
>>> This message content should be treated as confidential, and if you are an attorney, should be handled as privileged.
>>>
>>>
>>>>> On Feb 26, 2020, at 09:58, ngp <ngp(a)tilde.club> wrote:
>>>>>
>>>>> On Wed Feb 26, 2020 at 10:50 AM, deepend wrote:
>>>>> Found a file mentioning that Fido/U2F auth being available in 8.1. But
>>>>> some websites say it came in 8.2. Not sure who to believe.
>>>>>
>>>>> Tilde club currently runs Fedora 30.
>>>>
>>>> Fedora 30 appears to be up to OpenSSH 8.0p1, so either way it's not
>>>> available :/
>>>
>>
I understand that. But in what way is someone phishing a code that is available for 30 seconds? That would still allow it to be useable.
> On Feb 26, 2020, at 11:34 AM, Jeffrey Paul <sneak(a)sneak.berlin> wrote:
>
> The phished credentials are generally used immediately to take over the account.
>
> --
> Jeffrey Paul
> sneak(a)sneak.berlin
>
>> On Wed, Feb 26, 2020, at 10:26 AM, deepend wrote:
>> Would be interested in hearing more information on how someone is
>> phishing a code that is only valid for like 30 seconds? Is there more
>> to that story than just phishing?
>>
>> Thanks
>>
>>
>>>> On Feb 26, 2020, at 11:09 AM, Jeffrey Paul <sneak(a)sneak.berlin> wrote:
>>>
>>> Note that for U2F you also need ssh client support, so this would require a lot of people to recompile their ssh client.
>>>
>>> Due to the fact that those six digit numeric 2FA codes (TOTP) are phishable, I recommend sticking with a split-key system like U2F or plain ol’ ssh keys. The latter is widely supported, even on things like iPads and the like, and needs no special client support.
>>>
>>> If you are using a full Yubikey for U2F (and not the cheaper blue U2F-only Yubikey), you can use the Yubikey in a smart card mode to generate and store an old-style SSH keypair. This is what I do and it works great.
>>>
>>> Best,
>>> -sneak
>>>
>>> --
>>> Jeffrey Paul
>>> +1 312 361 0355 (voice, sms, Signal)
>>> This message content should be treated as confidential, and if you are an attorney, should be handled as privileged.
>>>
>>>
>>>>> On Feb 26, 2020, at 09:58, ngp <ngp(a)tilde.club> wrote:
>>>>>
>>>>> On Wed Feb 26, 2020 at 10:50 AM, deepend wrote:
>>>>> Found a file mentioning that Fido/U2F auth being available in 8.1. But
>>>>> some websites say it came in 8.2. Not sure who to believe.
>>>>>
>>>>> Tilde club currently runs Fedora 30.
>>>>
>>>> Fedora 30 appears to be up to OpenSSH 8.0p1, so either way it's not
>>>> available :/
>>>
>>
Would be interested in hearing more information on how someone is phishing a code that is only valid for like 30 seconds? Is there more to that story than just phishing?
Thanks
> On Feb 26, 2020, at 11:09 AM, Jeffrey Paul <sneak(a)sneak.berlin> wrote:
>
> Note that for U2F you also need ssh client support, so this would require a lot of people to recompile their ssh client.
>
> Due to the fact that those six digit numeric 2FA codes (TOTP) are phishable, I recommend sticking with a split-key system like U2F or plain ol’ ssh keys. The latter is widely supported, even on things like iPads and the like, and needs no special client support.
>
> If you are using a full Yubikey for U2F (and not the cheaper blue U2F-only Yubikey), you can use the Yubikey in a smart card mode to generate and store an old-style SSH keypair. This is what I do and it works great.
>
> Best,
> -sneak
>
> --
> Jeffrey Paul
> +1 312 361 0355 (voice, sms, Signal)
> This message content should be treated as confidential, and if you are an attorney, should be handled as privileged.
>
>
>>> On Feb 26, 2020, at 09:58, ngp <ngp(a)tilde.club> wrote:
>>>
>>> On Wed Feb 26, 2020 at 10:50 AM, deepend wrote:
>>> Found a file mentioning that Fido/U2F auth being available in 8.1. But
>>> some websites say it came in 8.2. Not sure who to believe.
>>>
>>> Tilde club currently runs Fedora 30.
>>
>> Fedora 30 appears to be up to OpenSSH 8.0p1, so either way it's not
>> available :/
>
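Added example (not part of the thread): a stdlib-only Python sketch of the point discussed above, that a TOTP verifier checks only secret and time, so a code is valid wherever it is submitted during its window, while a U2F-style response is computed over the origin. `sign_assertion` is a simplified HMAC stand-in for U2F's per-site ECDSA signature, and the origins, device key and challenge are constructed values.

```python
import hashlib
import hmac
import struct

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): the code is a function of secret and time only."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify_totp(secret: bytes, code: str, now: int, step: int = 30, skew: int = 1) -> bool:
    """Server-side check. Nothing here says where the user typed the code."""
    return any(hmac.compare_digest(totp(secret, now + d * step, step), code)
               for d in range(-skew, skew + 1))

def sign_assertion(device_key: bytes, challenge: bytes, origin: str) -> bytes:
    """Simplified stand-in for a U2F response: it covers challenge AND origin.
    Real U2F signs with a per-site ECDSA key; HMAC keeps this stdlib-only."""
    return hmac.new(device_key, challenge + b"|" + origin.encode(), hashlib.sha256).digest()

def verify_assertion(device_key: bytes, challenge: bytes, origin: str, response: bytes) -> bool:
    return hmac.compare_digest(sign_assertion(device_key, challenge, origin), response)

def demo() -> dict:
    secret = b"12345678901234567890"             # RFC 6238 test secret
    code = totp(secret, 59)                      # user reads the code at t=59
    real, fake = "https://login.example", "https://lookalike.example"  # constructed
    key, challenge = b"constructed-device-key", b"constructed-challenge"
    return {
        "code": code,
        # Same code presented to the real server 20 s later, by whoever holds it.
        "totp_accepted_within_window": verify_totp(secret, code, 59 + 20),
        "totp_accepted_after_window": verify_totp(secret, code, 59 + 120),
        # Response computed while the user was on the wrong origin.
        "u2f_wrong_origin_accepted": verify_assertion(
            key, challenge, real, sign_assertion(key, challenge, fake)),
        "u2f_right_origin_accepted": verify_assertion(
            key, challenge, real, sign_assertion(key, challenge, real)),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The one-step `skew` allowance is a common server setting for clock drift; it widens the acceptance window beyond the nominal 30 seconds.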
Hey ~clubbers.
I know some people are not fans of public key authentication. So here is a poll; I’d like to see if we can improve things, since password-only auth will not be returning.
http://www.strawpoll.me/19445663
Look forward to the result :)
Hello Everyone!
I would first like to welcome everyone that has joined since we brought tilde.club back from idle. As well, I would like to welcome back many users that have returned.
We have been working hard in the background to keep things going in a positive direction and hopefully users like the direction things are going. (Feedback is always good and welcome if any of you have thoughts on this)
This was mostly a post to let you know that for a while now we have had a Mastodon account and up to this point it has been fairly quiet. I am going to start posting more information and updates regarding the state of tilde.club and things we add or improve. If you would like to follow and keep informed please go to
https://tilde.zone/@tildeclub
Otherwise I will also try to post on the mailing list for those who don’t want Mastodon.
Hope to see you all on the server and continue this journey forward.
Thanks
~deepend
Dear ~club:
Just to give myself some breathing room, I'm going to reduce these
workshops to one every two weeks. I hope at least some of you are enjoying
them. They're moderately fun to write, in any case.
I have a different sort of idea for this workshop. Rather than all going
off and doing our own thing on our own pages, let's use this mailing list
to work collaboratively on something.
Yesterday's xkcd[0] was about putting some effort into a response to a pun
or similarly repellent joke by forming a sentence out of place names and
linking them together with driving directions. (And if you think that was
easy to explain in text, then you're wrong.) I think this is a great idea,
but I don't happen to have a list of word-to-place-names ready at hand.
How am I supposed to make witty comebacks without a list?
(Incidentally, you might call this list that links words to place names
a... map.)
My first thought was to try to come up with this list myself, but that's a
lot of work. Then I thought that lots of other readers of xkcd might want
a list, too. Why not distribute the work amongst us so that we all may
benefit? I'm sure there are already groups out there who are doing this
exact thing, but I say we give it a shot anyway.
~club, your challenge this bi-week is to reply to this message with some
common words or phrases expressed as place names. I'll start:
friend ---> Friend, Nebraska[1]
I'll keep track of the mappings we come up with---feel free to do the
same---and I'll post them on my tilde.club page. Also: bonus points if
you've been to any of the places you reply with or know something neat
about them!
If you're looking for ideas on what words to use, consider drawing from
the most common English words[2]. They'll be the most useful.
Good luck, ~club, and happy mapping,
Bradley
[0]: https://xkcd.com/2260/
[1]: https://en.wikipedia.org/wiki/Friend,_Nebraska
[2]: https://en.wikipedia.org/wiki/Most_common_words_in_English
Dear ~club:
I hope you had fun folding---or at least trying to fold---a paper crane.
As I mentioned last week, it's a surprisingly calming activity, and I
recommend it if pixels (or any other things) are getting you down. You can
take a look at my first somewhat successful attempt [here][0]. (The
numeral "1" printed on its wing means that it's my first passable crane.)
That was a decently interesting excursion in meatspace, but now it's time
to return to a more familiar region. In fact, let's go all the way home
and talk about tilde.club.
I can only assume that if you're reading this, you've been to the
tilde.club website. It stands in striking contrast to the gelatinous
blobules of JavaScript that we call modern websites and acts as a reminder
of the simplicity of the early Web. It's enough to bring a tear to my eye.
But perhaps you, like me, have noticed that the water in your eyes
actually has less to do with nostalgia and more to do with the...
"striking" appearance of the website. It is---and let's be fair about
this---a bit orange.
~club, by special and specific request of the administrators of this
here tilde.club server, your task this week is to redesign the website. At
least one user (~maz)[1] has made a wonderful attempt which features 30%
less eye-searing orange, but don't let that stop you from using other
design features like "other colors" and "non-fixed width fonts".
I have reason to believe that particularly good designs will be considered
as potential replacements for the current one, so take that as motivation,
if you like. Just remember that whatever you design should contain the
same basic information as the current site. Other than that, it's up to
you.
Have fun,
Bradley
[0]: https://tilde.club/~bradley/assets/img/paper-crane.jpg
[1]: https://tilde.club/~maz/tilde.club/