Aaron Parecki

alianora https://cybre.space/@nightpool • May 2
@aaronpk This is a good post! But I'm having trouble trying to understand the attack that the authorization flow is protecting against. How can a token be stolen "in transit back to the application"?

Think of it this way: The server is trying to send some sensitive data to the application, but has no direct communication channel, and instead has to trust some other piece of software (the browser) to deliver it.

Mountain View, California • 49°F

1 reply

Thu, May 2, 2019 8:40am -07:00
alianora https://cybre.space/@nightpool • May 2
@aaronpk This is a good post! But I'm having trouble trying to understand the attack that the authorization flow is protecting against. How can a token be stolen "in transit back to the application"?

An easy example to see is captive wifi portals where the network intercepts DNS requests and returns a different answer.

Mountain View, California • 49°F

Thu, May 2, 2019 8:33am -07:00
alianora https://cybre.space/@nightpool • May 2
@aaronpk This is a good post! But I'm having trouble trying to understand the attack that the authorization flow is protecting against. How can a token be stolen "in transit back to the application"?

That's the classic problem with the front-channel (sending data over HTTP redirects in a browser). The sender has no way to know if the receiver got the data, and has no way to tell if it was stolen or copied.

Mountain View, California • 49°F

Thu, May 2, 2019 8:31am -07:00
Randall Degges https://twitter.com/rdegges • May 2
Just in case you were wondering, there is, in fact, a blockchain magazine for Australians.

ohno

Mountain View, California • 49°F

Wed, May 1, 2019 7:38pm -07:00
Nico Kaiser https://twitter.com/nicokaiser • May 1
From what I understand, the Auth Code flow (even with PKCE) needs some kind of backend in the app (i.e., no static HTML-only cross-domain SPA), or am I missing something?

If you read the post I talk about exactly that issue and provide sample code for doing auth code + PKCE entirely in JavaScript

Mountain View, California, USA • 49°F

1 reply

Wed, May 1, 2019 9:58am -07:00
Justin Richer https://twitter.com/justin__richer • Apr 28
I've been working on a protocol idea recently, and I've written up some thoughts with strawman examples at https://oauth.xyz/

It's far from final or complete, but if you're coming to #iiw, come talk to me about it.

What's your preferred channel for getting feedback on this? Email? Blog posts? Issues on the site's GitHub repo?

Also if you're planning on running a session about this at #IIW please hold it on the 2nd or 3rd day since I have to miss the first day!

Portland, Oregon, USA

2 likes 1 reply

Mon, Apr 29, 2019 4:05pm -07:00 #iiw
Justin Richer https://twitter.com/justin__richer • Apr 29
California, I am in you! #iiw

see you soon!

Portland, Oregon • 49°F

Sun, Apr 28, 2019 10:43pm -07:00
Apr 26
About Luminary’s $100 million: many of us are working 7 days a week on a tiny budget to build something we think is important, and Luminary and the like will light VC checks on fire to burn the podcast industry down around them if it means the chance to monetize an open platform.

👏 well said 👏

Portland, Oregon • 49°F

Fri, Apr 26, 2019 10:39pm -07:00
Darius Kazemi https://friend.camp/@darius • Apr 24
whew, just added 3 more posts in an attempt to catch up on my 365 RFCs project
https://write.as/365-rfcs/rfc-77
https://write.as/365-rfcs/rfc-78
https://write.as/365-rfcs/rfc-79
I am currently... 35 days behind. Oof.

This is such a cool project though.

If I learned anything from writing a song every day for 100 days in a row it's that doing *anything* every day is a serious challenge, much less something that takes creative effort or critical thinking!

Portland, Oregon • 49°F

1 like

Thu, Apr 25, 2019 9:09am -07:00
Jonathan LaCour https://cleverdevil.io/profile/cleverdevil • Apr 24
In other news, I picked up an Anker PowerPort Atom PD1 charger last week and I am blown away. Its absolutely tiny, charges my iPhone extremely quickly, and can even charge my 13" MacBook Pro. Highly recommended - https://amzn.to/2DyF3GX

My new favorite charger is the Innergie 60C, it's the size of an iPhone charger but about twice the height and provides 60W! I remember looking at that one but was skeptical that 30W would be enough for the 13" Pro. https://amzn.to/2GJWUf9

Portland, Oregon • 49°F

Wed, Apr 24, 2019 3:57pm -07:00
Jonathan LaCour https://cleverdevil.io/profile/cleverdevil • Apr 24
Really would love a copy of Logic Pro X for podcast production/editing, but I just can't justify the cost. Its a shame that GarageBand doesn't have a real podcast workflow. Perhaps Ferrite will end up on macOS soon to fill the gap...

What is Garage Band missing? I've used it for podcast editing before. Logic Pro is pretty much just a grown-up version of Garage Band, they are very similar though!

Portland, Oregon • 49°F

1 reply

Wed, Apr 24, 2019 11:53am -07:00
Evan Prodromou https://twitter.com/evanpro • Apr 22
Anyway, I think there may be an upper limit on hiring for a project, where there are tasks that just can't be decomposed. But I think there are plenty of projects where hiring more people makes things go faster.

Yeah I think there's some point where hiring more does make the team more productive (from 1 to 2 people for example), but much beyond that I think there are diminishing returns. Hiring people with skills other than development is a whole different story tho.

Portland, Oregon, USA • 49°F

2 likes 1 reply

Mon, Apr 22, 2019 4:05pm -07:00
Christopher Lemmer Webber https://octodon.social/@cwebber • Apr 20
Jetblue is rolling out a procedure where they identify customers not by their boarding pass or passport, but by facial recognition provided by the Department of Homeland Security https://twitter.com/mackenzief/status/1118509708673998848 http://mediaroom.jetblue.com/investor-relations/press-releases/2018/11-15-2018-184045420
Makes me feel sick to my stomach. I should stop flying places.

British Airlines did this on my last flight from the UK. I don't quite understand how I was already in that database.

Portland, Oregon • 49°F

1 like

Sun, Apr 21, 2019 11:00pm -07:00
Alexander Martin https://fosstodon.org/@alexbuzzbee • Apr 19
@aaronpk > that feeling when when
I regret to inform you that you appear to be showing symptoms of RAS Syndrome.

leave me and my ATM machine alone

San Francisco, California • 49°F

1 reply

Fri, Apr 19, 2019 2:14pm -07:00
MrGibber https://micro.blog/MrGibber • Apr 19
@aaronpk read the summary, probably not for me. However, hats off for clearly starting the audience. Many authors, businesses, schools, etc. would be much better off doing so. I'm basically the opposite of the audience, except I haven't put up the picket fence yet.

yeah I get that. fwiw most of the advice is applicable to literally everyone though, so you never know!

San Francisco, California • 49°F

1 reply

Fri, Apr 19, 2019 1:47pm -07:00
MrGibber https://micro.blog/MrGibber • Apr 18
@aaronpk how was the book?

It's great! Also, a little bird told me there aren't very many copies left so you should buy one now if you're interested before they run out!

Chicago, Illinois • 49°F

2 replies

Thu, Apr 18, 2019 5:33pm -05:00
Marty McGuire https://martymcgui.re/ • Apr 18

An unexpected quiet afternoon means time to work on the ol’ website.

Your "elsewhere" links are much easier to read than mine

Chicago, Illinois • 49°F

2 replies

Thu, Apr 18, 2019 1:15pm -05:00
Eddie Hinkle https://eddiehinkle.com/ • Apr 17
Hey! You’re in my area! 👋

very briefly!

Washington, District of Columbia • 49°F

1 reply

Wed, Apr 17, 2019 12:54pm -04:00
Nortix https://twitter.com/nortix • Apr 16
You've been to my hometown? Did you enjoyed it?

Yes! It was a very brief visit but I had a good time!

Washington, District of Columbia • 49°F

2 likes

Tue, Apr 16, 2019 7:54pm -04:00
Doctor The research fairy https://scholar.social/@bgcarlisle • Dec 10
~ Computer security tips from the year 2035 ~
Never memorise the characters that comprise your password as this could be picked up by a nearby device with Facebook thought-to-text activated
Instead, focus on using muscle memory alone to hit the correct keys in the correct order

I actually did this for an online bank password 10 years ago or so. I typed it out repeatedly, but never looked at what I was typing. I used that password for a couple years and literally could not tell you what it was.

Lyle, Washington • 49°F

2 likes 1 reply

Tue, Apr 16, 2019 11:16am -07:00

older