• 6 Posts
  • 45 Comments
Joined 1 year ago
Cake day: June 18th, 2023



  • Mikina@programming.dev to Programmer Humor@programming.dev: ===
    5 months ago

    It's also important if you're checking hashes (at least, it was - if you're using a correct hashing algorithm that isn't ancient, you will not have this problem).

    Because if you take for example "0e462097431906509019562988736854" (which is md5("240610708"), but also applicable to most other hashing algorithms that hash to a hex string), if("0e462097431906509019562988736854" == 0) is true. So any other data that hashes to any variation of "0e[1-9]+" will pass the check, for example:

    md5("240610708") == md5("hashcatqlffzszeRcrt")

    that equals to

    "0e462097431906509019562988736854" == "0e242700999142460696437005736231"

    which thanks to scientific notation and no strict type checking can also mean

    0462097431906509019562988736854 == 0242700999142460696437005736231

    which is

    0 == 0

    I did use md5 as an example because the strings are pretty short, but it's applicable to a whole lot of other hashes. And the problem is that if you use one of the strings that hash to a magic hash in a vulnerable site, it will pass the password check for any user whose password also hashes to a magic hash. There's not really a high chance of that happening, but there's still a lot of hashes that do hash to it.
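    As an added illustration of the comparison described above (this is my own example, not code from the post or from any PHP project), the block below emulates how a loosely typed `==` treats two numeric-looking strings, shows that the two well-known magic-hash plaintexts "240610708" and "QNKCDZO" pass a loose password check against each other, shows that a constant-time byte comparison rejects them, and computes how rare a magic hash is for a given digest length. The plaintexts are constructed sample inputs; `php_loose_eq` is a simplified model of PHP's numeric-string comparison, not PHP itself.

```python
import hashlib
import hmac
import re

# Constructed sample inputs: two widely circulated plaintexts whose MD5 digests
# have the form "0e" followed only by decimal digits.
MAGIC_INPUTS = ["240610708", "QNKCDZO"]

# PHP-style "numeric string" shape: optional sign, digits, optional fraction, optional exponent.
NUMERIC = re.compile(r"^[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?$")


def php_loose_eq(a: str, b: str) -> bool:
    """Simplified model of PHP's loose `==` on two strings: when both look numeric,
    they are compared as numbers, so "0e123" == "0e456" because both are 0 * 10^n."""
    if NUMERIC.match(a) and NUMERIC.match(b):
        return float(a) == float(b)
    return a == b


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def is_magic(hexdigest: str) -> bool:
    """True when the hex digest is "0e" followed by nothing but digits."""
    return re.fullmatch(r"0e\d+", hexdigest) is not None


def loose_password_check(stored_hash: str, candidate: str) -> bool:
    """The vulnerable pattern: the PHP equivalent of `if (md5($input) == $stored)`."""
    return php_loose_eq(md5_hex(candidate), stored_hash)


def strict_password_check(stored_hash: str, candidate: str) -> bool:
    """The fix: byte-for-byte, constant-time comparison (PHP's hash_equals())."""
    return hmac.compare_digest(md5_hex(candidate), stored_hash)


def magic_probability(hex_len: int) -> float:
    """Chance that a uniformly random hex digest of hex_len characters is magic:
    the first two characters must be exactly "0e", the rest must each be a digit (10/16)."""
    return (1 / 16) ** 2 * (10 / 16) ** (hex_len - 2)


if __name__ == "__main__":
    stored = md5_hex(MAGIC_INPUTS[0])
    for candidate in MAGIC_INPUTS:
        print(candidate, md5_hex(candidate), is_magic(md5_hex(candidate)),
              "loose:", loose_password_check(stored, candidate),
              "strict:", strict_password_check(stored, candidate))
    print("P(magic md5) =", magic_probability(32), " P(magic sha256) =", magic_probability(64))
```

    The probability line is the caveat the comment hints at: for a 32-character MD5 digest the chance is about 3e-9, so most users are not affected, but an attacker who submits a known magic-hash plaintext gets in as every account that happens to be.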


  • Mikina@programming.dev to Programming@programming.dev: Unsigned Commits
    5 months ago

    For anyone wondering - why would I need it? I'm already signed in to GitHub, the commit is committed using my SSH key, GitHub knows it's me. Why would I need another verification?

    Here's why. https://dev.to/martiliones/how-i-got-linus-torvalds-in-my-contributors-on-github-3k4g . If someone commits with your email (or GitHub noreply email, which is public), it will get attributed to you. I was just trying it with a colleague's account, and so far I haven't found any way how to tell that it really wasn't him.


  • Mikina@programming.dev to Programming@programming.dev: Unsigned Commits
    5 months ago

    "If it has my username, on GitHub, you're confident it's my commit."

    Apparently, that's not true: https://dev.to/martiliones/how-i-got-linus-torvalds-in-my-contributors-on-github-3k4g

    However, it's a pretty old article - maybe it's already fixed? I'll have to try that.

    EDIT: It still works, and you can just use the GitHub noreply address, which is ID+username@users.noreply.github.com . The commit gets linked to their profile, and is shown on their profile page, has their username and profile picture. I haven't figured out any difference between a legit and an impersonated commit so far, but maybe it's hidden somewhere in the repo administration.

    So, there you have it. That's what PGP signing is for.


  • I use commit signing as some kind of a multifactor.

    I have my signing key saved on YubiKey, so it's pretty difficult that an attacker could gain access to it.

    However, you can still commit through the git web browser, and usually have a session for it open when working. If I slipped up and someone got to my PC while I have GitHub open (or managed to steal my session cookies somehow - e.g. a rubber ducky drive-by), his options are:

    • Commit without signing through SSH. I have the SSH key password in my password manager that auto-locks after a minute, so that shouldn't happen, plus the commit wouldn't be signed since I have the key with me.
    • Commit something through the browser - he can't sign it.
    • Add SSH or a new signing key through the browser - I get immediately notified.

    So, the end result should be that thanks to the signing mechanism, I should immediately know that something is wrong. Is it necessary? Probably not, but I still think it's worth it, at least for me.

    Now I'm wondering whether it wouldn't be better to have the SSH key on the YubiKey instead. Hmm. I did only discover commit signing later, and didn't have a YubiKey before, so it never occurred to me.
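    To make the attribution problem from the two "Unsigned Commits" comments and the signing-as-a-second-factor argument above concrete, here is an added example of my own (not code from the linked dev.to article, from git, or from GitHub). It creates a throwaway repository, makes a commit whose author and committer fields claim a hypothetical noreply address of the form the comment mentions (the ID and username are invented), and then reads back what git itself records. The author and committer fields are whatever the committing machine says they are; the only field a verifier can actually check is the signature status (`%G?`, or `git verify-commit`), which is exactly the gap that signed commits, and GitHub's "vigilant mode" that flags unsigned commits as Unverified, are there to close.

```python
import os
import subprocess
import tempfile
from typing import Optional, Tuple

# Assumed identity, constructed for the demo: a GitHub-style noreply address.
VICTIM_NAME = "Some Maintainer"
VICTIM_EMAIL = "12345678+somemaintainer@users.noreply.github.com"


def _git(repo: str, *args: str, env: Optional[dict] = None) -> str:
    """Run a git command inside `repo` and return its stdout, stripped."""
    return subprocess.run(["git", "-C", repo, *args], check=True, text=True,
                          capture_output=True, env=env).stdout.strip()


def make_repo() -> str:
    """Create an empty temporary repository with signing explicitly disabled,
    so a global commit.gpgsign setting on the machine does not interfere."""
    repo = tempfile.mkdtemp(prefix="attribution-demo-")
    subprocess.run(["git", "init", "-q", repo], check=True)
    _git(repo, "config", "commit.gpgsign", "false")
    return repo


def commit_as(repo: str, name: str, email: str, message: str) -> str:
    """Create an unsigned commit whose author AND committer claim to be `email`.
    Nothing here proves the person running this controls that mailbox or account;
    git simply records the strings it is given."""
    env = dict(os.environ,
               GIT_AUTHOR_NAME=name, GIT_AUTHOR_EMAIL=email,
               GIT_COMMITTER_NAME=name, GIT_COMMITTER_EMAIL=email)
    _git(repo, "commit", "-q", "--allow-empty", "-m", message, env=env)
    return _git(repo, "rev-parse", "HEAD")


def attribution(repo: str, sha: str) -> Tuple[str, str, str]:
    """Return (author email, committer email, signature status) for `sha`.
    %G? is 'N' when the commit carries no signature, 'G' for a good signature,
    'B' for a bad one, 'U'/'E' for untrusted or unverifiable keys."""
    author, committer, sig = _git(repo, "log", "-1", "--format=%ae%n%ce%n%G?", sha).split("\n")
    return author, committer, sig


if __name__ == "__main__":
    repo = make_repo()
    sha = commit_as(repo, VICTIM_NAME, VICTIM_EMAIL, "constructed: looks like the maintainer")
    author, committer, sig = attribution(repo, sha)
    print(f"{sha[:12]} author={author} committer={committer} signature={sig}")
```

    A hosting platform that links commits to profiles by email will show this commit under the victim's name and avatar; the `N` in the signature column is the only durable signal, which is why a policy of "every commit from this person is signed, and an unsigned one is an alarm" works as the second factor the comment describes.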


  • You are right, and the company is definitely to blame. But, compared to how other breaches usually happen, I don't think this company was that negligent - I mean, their only mistake was, as far as I know, that they did not force the users to use MFA. A mistake, sure, but not as grave as we usually see in data breaches.

    My point was mostly that IMO we should in this case focus more on the users, because they are also at fault, but more importantly I think it's a pretty impactful story - "a few thousand people reuse passwords, so they caused millions of users' data to be leaked" is a headline that teaches a lesson in security awareness, and I think it would be better to focus on that, instead of on "A company didn't force users to use MFA", which is only framed as "company has been breached and blames users". That will not teach anyone anything, unfortunately.

    I'm not saying that the company shouldn't also be blamed, because they did purposefully choose to prefer user experience and conversion rate (because bad UX hurts sales, as you've mentioned) instead of better security practices, I'm just trying to figure out how to get at least something good out of this incident - and "company blames users for them getting breached" isn't going to teach anyone anything.

    However, something good did come out of it, at least for me - I've realized that it never occurred to us to put "MFA is not enforced" into pentest findings, and this would make for a great case why to start doing it, so I've added it into our templates.


  • I get what you are getting at, and I agree with that - a world where every product would follow best practices in regards to security, instead of prioritizing user convenience in places where it's definitely not worth it in the long term, would be awesome (and speaking from the experience of someone who's doing red teamings, we're slowly getting there - lately the engagements have been more and more difficult, for the larger companies at least).

    But I think that since we're definitely not there yet, and probably won't ever be for the vast majority of websites and services, it's important to educate users and hammer proper security practices outside of their safe environment into them. Pragmatically speaking, in a case like this, where you can illustrate what kind of impact your personal lack of security practices will cause, I think it's better to focus on the user's fault, instead of the company's. Just for the sake of security awareness (and that is my main goal), because I still think that headlines about how "14000 people caused millions of people's private data to be leaked", if framed properly, will have a better overall impact than just another "company is dumb, they had a breach".

    Also, I think that going with "let's force users into an environment that is really annoying to use" by policies alone isn't really what you want, because the users will only get more and more frustrated that they have to use stupid smart cards, have to remember a password that's basically a sentence and change it every month, or take the time to sign emails and commits, and they will start taking shortcuts. I think that the ideal outcome would be if you managed to convince them that's what they want to do, and that they really understand the importance and reasoning for all of the uncomfortable security annoyances. And this story could be, IMO, a perfect lesson in security awareness, if it wasn't turned into "company got breached".

    But just as with what you were saying about what the company should be doing, but isn't, it's unfortunately the same problem with this point of view - we'll probably never get there, so you can't rely on other users being as security aware as you are, thus you need the company to force it onto them. And vice versa, many companies won't do that, so you need to also rely on your own security practices. But for this case - I think it would serve as a better lesson in personal security than in corporate security, because from what I've read the company didn't really do that much wrong, as far as security is considered - their only mistake was not forcing users to use MFA. And tbh, I don't think we even include "Users are not forced to use MFA" in pentest reports, although that may have changed, I haven't done a regular pentest in quite some time (but it's actually a great point, and I'll make sure to include it in our findings database if it isn't there).


  • I’m still quite on the fence about what to think about this. If you have a weak password that you reuse everywhere, and someone logs into your Gmail account and leaks your private data, is it Google’s fault?

    If we take it a step further - if someone hacks your computer, because you are clicking on every link imaginable, and then steals your session cookies, which they then use to access such data, is it still the fault of the company for not being able to detect that kind of attack?

    Yes, the company could have done more to prevent such an attack, mostly by forcing MFA (any other defense against password stuffing is easily bypassed via a botnet, unless it’s “always on CAPTCHA” - and good luck convincing anyone to use it), but the blame is still mostly on users with weak security habits, and in my opinion (as someone who works in cybersecurity), we should focus on blaming them, instead of the company.

    Not because I want to defend the company or something, they have definitely done some things wrong (even though nowhere near as wrong as the users), but because of security awareness.

    Shifting the blame solely on the company that it "hasn't done enough" only lets the users, who due to their poor security habits caused the private data of millions of users to be leaked, get away with it, and lets them live their life with "They've hacked the stupid company, it's not my fault.". No. It's their fault. Get a password manager FFS.

    Headlines like "A company was breached and leaked 7 000 000 users' worth of private data" will probably go mostly unnoticed. A headline "14 000 people with weak passwords caused the leak of 7 000 000 users' worth of private data" may at least spread some awareness.


  • From how I understand it, the 14 000 -> 7 000 000 is caused by a feature that allows you to share your information with your "relatives", i.e. people who were traced to some common ancestor.

    I'm still quite on the fence about what to think about this. If you have a weak password that you reuse everywhere, and someone logs into your Gmail account and leaks your private data, is it Google's fault?

    If we take it a step further - if someone hacks your computer, because you are clicking on every link imaginable, and then steals your session cookies, which they then use to access such data, is it still the fault of the company for not being able to detect that kind of attack?

    Yes, the company could have done more to prevent such an attack, mostly by forcing MFA (any other defense against password stuffing is easily bypassed via a botnet, unless it's "always on CAPTCHA" - and good luck convincing anyone to use it), but the blame is still mostly on users with weak security habits, and in my opinion (as someone who works in cybersecurity), we should focus on blaming them, instead of the company.

    Not because I want to defend the company or something, they have definitely done a lot of things wrong (even though nowhere near as wrong as the users), but because of security awareness.

    Shifting the blame solely on the company that it "hasn't done enough" only lets the users, who due to their poor security habits caused the private data of millions of users to be leaked, get away with it, and lets them live their life with "They've hacked the stupid company, it's not my fault.". No. It's their fault. Get a password manager FFS.

    Headlines like "A company was breached and leaked 7 000 000 users' worth of private data" will probably go mostly unnoticed. A headline "14 000 people with weak passwords caused the leak of 7 000 000 users' worth of private data" may at least spread some awareness.


  • While it's not exactly what you are asking for, I can try to answer this from PoV of someone who does have a CS degree (SW engineering bachelors, and then masters in game development and graphics).

    What I've slowly started to realize over the (few) years working in the field out of school, the best thing that college gave me (aside from friends from the industry, which is especially important in gamedev) is not some concrete in-depth skill with so-and-so language that I've been taught. I honestly don't remember most of what I've been learning, I've already forgotten and would have to re-learn most of what I've been taught, especially in the maths and algorithm department, and even though I've had several in-depth courses on C, I'd probably still have to google basic syntax since I haven't used the language for several years.

    I've always kind of thought that the school has not given me much, because of that. That I still have to re-learn things, even those I've passed with flying colors, and I wasn't sure whether it was worth it.

    But then I started realizing something - compared to other colleagues who didn't have a degree, I was usually the one coming up with solutions we could start investigating when we were dealing with a more difficult problem, or when someone needed something written in a specific language they don't know (which happens a lot in cybersecurity), they usually came to me, and I was able to do it relatively quickly.

    Why? Because while it's true that I don't remember implementation details or syntax of most of what I've been taught, I was forced to sit through hours of different algorithms and approaches for all kinds of problems, and I was forced to learn, at least for that one lesson, programming languages of very different flavours. Languages I disregarded as not relevant - but what I didn't realize is that the goal wasn't to teach me the language, but to introduce me to the overall concept the language is going for. Will I ever need Lisp, Pharo or Prolog? Probably not, but now when I see a language that works like Prolog or Smalltalk, I don't have to struggle with not understanding what the language syntax is going for - because I subconsciously recognize the concepts, and can pick up any similar language without issue. I've eventually realized that thanks to college I'm not a "C# programmer", but I'm "a programmer", and so far I haven't encountered a language I would have trouble with writing anything I needed in a reasonably short amount of time and without greater struggles. Because for all of them I've already been through hours of working in a language that works in a very similar fashion.

    I mean, trying to write something in a language that works like Prolog, without ever seeing it before, would probably be hell, just like it was in school. But now I'm vaguely familiar with that class of languages, and I don't have any issue with it.

    And that's something that's really useful, and would be hard to pick up on your own. Because I did go through a lot of vastly different languages at school, most of which I'd never touch. And you would think that you'll probably never need to know some obscure class of languages - until you find an RCE on an ancient server during a pentest that executes COBOL, and you really need that reverse shell.

    And the same can be said for algorithms. It'd probably still take me way longer to write some of the more advanced sorting algorithms from memory than just googling for them, and I'd probably have to reinvent the wheel anyway, but I still vaguely remember they exist. Data structures are really important for this, because they can make a huge difference and there's such a large variety of them, each one being really good for some kinds of problems, but not for others. And the same goes for some general math stuff like FFT and various compression algorithms - I remember the basic idea vaguely enough so that they pop into my mind when a problem sounds similar to what they solve, so I then know what to research and rediscover whether it's really a good fit.

    And this has been especially important in rendering, because it's surprising how many game developers have no idea how exactly rendering works, because they never had to learn.

    I've been through classes on low-level rendering, and I don't remember almost anything as far as concrete math is concerned, but I do have a lasting overview of vague memories of the steps included and the general idea behind it, and that's enough to jump into unknown shader code no-one has any idea how to fix, and start noticing concepts I vaguely remember being taught, and I can make changes for which I can guess what they will impact. And the same concept also applies to UML diagrams and other bullshit. Sometimes you encounter one in the wild when dealing with documentation, and it really helps that I kind of understand what it's trying to tell.

    And that's all thanks to classes I mostly considered useless - because classes on languages I use daily haven't really taught me much I didn't know already, and that's why I felt like the school wasn't worth it at the time - I'm learning nothing new, and have to waste my time with much more useless bullshit that I begrudgingly passed.

    Turns out the useless classes are what have given me the most, without me realizing it. They have given me a very broad overview and experience with stuff I'd never learn on my own, and it made it vastly easier to research and learn stuff I occasionally need - because I already have some basic experience in that kind of problem, even though I don't really notice it consciously.


  • There's one thing that I regret to this day - going full-time right after school.

    I studied gamedev, and we had a game going on pretty strong, which we were determined to finish in our free time. We were working on it with my roommate and a classmate, who is in general a pretty creative person - he writes LARPs for one group, is leading an amateur theater group, leads our game development team, masters RPGs, etc. He also works as a programmer, just like me.

    When we finished school, he decided to stay working part-time, two days a week, and continue living in the students' apartment with 3 more of our friends. Keeping his expenses as he had before during school, and focusing on his creative projects in his free time. Because as someone without a car, family, and in a shared household, on a programmer's salary, you can get by pretty comfortably.

    I, on the other hand, decided to go full-time. And boy does it suck to get energy for hobby projects after you've spent 40 hours a week working. Sure, I had more money - but the fact that after paying all my necessary expenses (which I was able to do even part-time), I was left with 3-4 times as much money didn't really help me at all. Sure, I had financial security, I could buy whatever I wanted and didn't need to pay any mind to my spending, but was it worth it? I'm more and more convinced that it wasn't. I had to start forcing myself to work on my hobby projects that I've loved before. I started postponing it, and was stressed by trying to shove that much work into so little time.

    The money didn't help at all, especially since I didn't really need it.

    He's still working on a plethora of projects I'd love to join in, but my contribution is getting less and less reliable, and more and more stressful for me, because the 8 hours of job work per day will just suck all energy out of you, especially since the projects are usually also programming related.

    If I could change it, I'd never start working more hours than I need to comfortably get by, even with a little bit of a frugal lifestyle. It's not worth it, and the stress caused by trying to overwork myself with the hobby projects, missing deadlines with both work and said projects, has taken a great toll on my mental health in the 4 years since we finished school. In fact, I didn't even manage to finish my diploma thesis, after postponing it for three years, so I don't even have the Masters even though I did finish the state exam.

    So, if you can, limit your work hours as much as you can to get by, and work on your own projects in the meantime (if that's what you want). The money is not worth it.

    (I'm actually finally planning to go back to part-time, and take another Masters in game design this year, and probably stay at that, so I'll see how it goes. But seeing the difference between my best friend and me, where our paths diverged exactly by this, he's turned out a lot better than I did after those three years.)


  • I hate Boids with a passion. It's the red herring of local navigation, every gamedev tutorial has them, but it's borderline unusable once you get slightly more complex terrain or require slightly more complex situations, not to mention that setting up the weights for it to not be totally ugly is a pain.

    If you ever need local navigation in a game, do yourself a favor and forget Boids, and just go directly for Context Steering. It's still not perfect, but it can handle slightly more situations with a little bit more grace.

    But fuck local navigation, I hate that problem with a passion.


  • Here's mine, I think it's a similar approach, but the math is a little bit different. Ignore the unnecessary loop from the blatant copy-paste of the multiple-races parsing from day one, that was rendered unnecessary by the space replace in the input :D

    The math was figured out by solving a system of inequalities, for hold time, where (h-t) * h > d, and t, h and d > 0

    https://github.com/TheMikina/aoc-2023/blob/main/src/bin/06.rs
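    The closed-form approach the comment describes, written out as an added example of my own rather than a copy of the linked Rust solution: assuming the usual model where holding the button for h ms in a t ms race travels (t - h) * h mm, the winning hold times are the integers strictly between the roots of h^2 - t*h + d = 0. The integer square root gives an estimate of the lower root that is then nudged to the first winning h, and the symmetry h <-> t - h turns that into the count without touching floating point, which matters once t and d reach the eleven-digit part-two sizes. The sample races in the usage block are constructed inputs.

```python
from math import isqrt


def distance(t: int, h: int) -> int:
    """Assumed race model: hold for h ms, then move at h mm/ms for the remaining t - h ms."""
    return (t - h) * h


def count_ways(t: int, d: int) -> int:
    """Number of integer hold times h with (t - h) * h > d.

    Rearranged, that is h^2 - t*h + d < 0, whose real roots are (t +- sqrt(t^2 - 4d)) / 2.
    We only need the smallest winning h; the winning interval is symmetric around t / 2.
    """
    disc = t * t - 4 * d
    if disc <= 0:  # no real roots, or a double root where the distance only equals d
        return 0
    # Integer estimate of the lower root (isqrt floors, so this may be a little low or high),
    # then step until h_min is the first hold time that beats the record.
    h_min = max((t - isqrt(disc)) // 2, 0)
    while h_min <= t // 2 and distance(t, h_min) <= d:
        h_min += 1
    while h_min > 0 and distance(t, h_min - 1) > d:
        h_min -= 1
    if h_min > t // 2:  # nothing beats the record even at the optimum hold time
        return 0
    # h wins iff t - h wins, so the winners are h_min .. t - h_min inclusive
    return t - 2 * h_min + 1


def count_ways_bruteforce(t: int, d: int) -> int:
    """Reference implementation for cross-checking: try every hold time."""
    return sum(1 for h in range(t + 1) if distance(t, h) > d)


if __name__ == "__main__":
    # Constructed sample races (time, record distance) and their product, part-one style.
    races = [(7, 9), (15, 40), (30, 200)]
    product = 1
    for t, d in races:
        ways = count_ways(t, d)
        assert ways == count_ways_bruteforce(t, d)
        product *= ways
        print(f"t={t} d={d} ways={ways}")
    print("product:", product)
```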


  • Mikina@programming.dev to ADHD memes@lemmy.dbzer0.com: Self-help
    7 months ago

    Does anyone have any recommendations for books like that? A productivity book written for people who can't for the love of god stick to any system? I've tried a lot of them. Read a bunch of books, implemented a gazillion systems, but everything seems to last only for a few days (during which I procrastinate by setting it up), then it holds for a while, before being forgotten almost instantly.

    And most importantly, all those books just assume that if you plan your day, you're actually going to stick to that plan. And once you start moving tasks from one day to the next, the whole thing falls apart...