cultural reviewer and dabbler in stylistic premonitions

  • 83 Posts
  • 208 Comments
Joined 2 years ago
Cake day: January 17th, 2022


  • Arthur Besse@lemmy.ml to 196@lemmy.blahaj.zone, re: "there is no rule" (6 upvotes, edited, 24 days ago)

    17 × 59 = 10003

    you’ve got an extra zero in there, and you forgot the 1, but the rest of your divisors match my crude brute-force approach:

    >>> n=31521281
    >>> d = [ x for x in range(1,n//2+1) if not n%x ]
    >>> d
    [1, 11, 17, 59, 187, 649, 1003, 2857, 11033, 31427, 48569, 168563, 534259, 1854193, 2865571]
    >>> yours=list(map(int,"11+17+59+2857+11033+534259+1854193+2865571+168563+48569+10003+31427+649+187".split("+")))
    >>> set(yours) - set(d)
    {10003}
    >>> set(d) - set(yours)
    {1, 1003}
    >>> sum(d)
    5518399
    

    same conclusion though: 5518399 also ≠ 31521281

    bonus nonsense
    >>> isperfect = lambda n: n == sum(x for x in range(1,n//2+1) if not n%x)
    >>> [n for n in range(1, 10000) if isperfect(n)]
    [6, 28, 496, 8128]
    

    (from https://oeis.org/A000396 i see the next perfect number after 8128 is 33550336 which is too big for me to wait for the naive approach above to test…)

    more bonus nonsense
    >>> divisors_if_perfect = lambda n: n == sum(d:=[x for x in range(1,n//2+1) if not n%x]) and d
    >>> print("\n".join(f"{n:>5} == sum{tuple(d)}" for n in range(10000) if (d:=divisors_if_perfect(n))))
        6 == sum(1, 2, 3)
       28 == sum(1, 2, 4, 7, 14)
      496 == sum(1, 2, 4, 8, 16, 31, 62, 124, 248)
     8128 == sum(1, 2, 4, 8, 16, 32, 64, 127, 254, 508, 1016, 2032, 4064)
    
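    The REPL session above scans every candidate up to n//2, which is why 33550336 is out of reach. As an added example (mine, not the commenter's code), the same divisor enumeration bounded by sqrt(n), plus the Euclid-Euler form that generates the even terms of OEIS A000396 directly; the number names and function names are my own:

```python
import math

# Added example: the divisor enumeration from the REPL session above, but bounded
# by sqrt(n), which is what makes 33550336 (and far larger) affordable.


def proper_divisors(n: int) -> list[int]:
    """Ascending list of divisors of n excluding n itself (the aliquot divisors).
    Trial division stops at isqrt(n): every divisor x <= sqrt(n) pairs with n // x."""
    if n < 1:
        raise ValueError("n must be a positive integer")
    small, large = [], []
    for x in range(1, math.isqrt(n) + 1):
        if n % x == 0:
            small.append(x)
            if x != n // x:              # do not list a square root twice
                large.append(n // x)
    return (small + large[::-1])[:-1]    # drop n itself, the largest divisor


def aliquot_sum(n: int) -> int:
    return sum(proper_divisors(n))


def is_perfect(n: int) -> bool:
    return n > 1 and aliquot_sum(n) == n


def perfect_numbers_below(limit: int) -> list[int]:
    return [n for n in range(2, limit) if is_perfect(n)]


def is_prime(n: int) -> bool:
    """Plain trial division; adequate for the Mersenne candidates used below."""
    if n < 2:
        return False
    return all(n % p for p in range(2, math.isqrt(n) + 1))


def euclid_euler_perfect(max_p: int) -> list[int]:
    """Even perfect numbers 2^(p-1) * (2^p - 1) for each prime p <= max_p with
    2^p - 1 prime (Euclid-Euler).  No odd perfect number is known, so for small
    ranges this reproduces OEIS A000396 without any divisor search at all."""
    return [2 ** (p - 1) * (2 ** p - 1)
            for p in range(2, max_p + 1)
            if is_prime(p) and is_prime(2 ** p - 1)]
```

    With this, `aliquot_sum(31521281)` returns the 5518399 computed above in a few thousand modulo operations instead of fifteen million, and `is_perfect(33550336)` answers immediately (p = 13 in the Euclid-Euler form).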


  • That’s complicated to do correctly. Normally, for the server to verify the user has the correct password, it needs to know or receive the password, at which point it could decrypt all the user’s files. They’d need to implement something like SRP.

    What I proposed is that the server does not know the password (of course), but that it knows a thing derived from it (let’s call it the loginSecret) which the client can send to obtain the encryptedMasterKey. This can be derived in a similar fashion to the keyEncryptionKey (eg, they could be different outputs of an HKDF). The downside to the server knowing something derived from the passphrase is that it enables the server to do an offline brute force of it, but in any system like this where the server is storing something encrypted using [something derived from] the passphrase the server already has that ability.

    Is there any downside to what I suggested, vs the current design?

    And is there some reason I’m missing which would justify adding the complexity of SRP, vs what I proposed above?

    The only reason I can think of would be to protect against a scenario where an attacker has somehow obtained the user’s loginSecret from the server but has not obtained their encryptedMasterKey: in that case they could use it to request the encryptedMasterKey, and then could make offline guesses at the passphrase using that. But, they could also just use the loginSecret for their offline brute-force. And, using SRP, the server still must also store something the user has derived from the password (which is equivalent to the loginSecret in my simpler scheme) and obtaining that thing still gives the adversary an offline brute-force opportunity. So, I don’t think SRP provides any benefit here.


  • AGPL-3.0

    Nice

    This would be nice, but, this repo includes an iOS app, and AGPL3 binaries cannot be distributed via Apple’s App Store!

    AGPL3 (without a special exception for Apple, like NextCloud’s iOS app has) is incompatible with iOS due to the four paragraphs of the license which mention “Installation Information” (known as the anti-tivoization clause).

    Only the copyright holder(s) are able to grant Apple permission to distribute binaries of AGPL3-licensed software to iOS users under non-AGPL3 terms.

    Every seemingly-(A)GPL3 app on Apple’s App Store has either copyright assignment so that a single entity has the sole right to distribute binaries in the App Store (eg, Signal messenger) or uses a modified license to carve out an Apple-specific exception to the anti-tivoization clause (eg, NextCloud). In my opinion, the first approach is faux free software, because anyone forking the software is not allowed to distribute it via the channel where the vast majority of users get their apps. (In either case, users aren’t allowed to run their own modified versions themselves without agreeing to additional terms from Apple, which is part of what the anti-tivoization clause is meant to prevent.)

    Only really nice when no CLA is required and every contributor retains their copyright. Ente doesn’t seem to require a CLA.

    I definitely agree here! But if it’s true that they’re accepting contributions without a CLA, and they haven’t added any iOS exception to their AGPL3 license, then they themselves would not be allowed to ship their own iOS app with 3rd party contributions to it! 🤡

    If anyone reading this uses this software, especially on iOS, I highly recommend that you send the developers a link to this comment and encourage them to (after getting the consent of all copyright holders) add something akin to NextCloud’s COPYING.iOS to their repository ASAP.

    cc @[email protected] @[email protected] @[email protected]

    (i’m not a lawyer, this is not legal advice, lol)

    edit: in case a dev actually sees this… skimming your architecture document it looks like when a user’s email is compromised (“after you successfully verify your email”), the attacker is given the encryptedMasterKey (encrypted with keyEncryptionKey, which is derived from a passphrase) which lets them perform an offline brute-force attack on the passphrase. Wouldn’t it make more sense to require the user to demonstrate knowledge of their passphrase to the server prior to giving them the encryptedMasterKey? For instance, when deriving keyEncryptionKey, you could also derive another value which is stored on the server and which the client must present prior to receiving their encryptedMasterKey. The server has the opportunity to do offline attacks on the passphrase either way, so it seems like there wouldn’t be a downside to this change. tldr: you shouldn’t let adversaries who have compromised a user’s email account have the ability to attack the passphrase offline.

    (i’m not a cryptographer, but this is cryptography advice)


  • Arthur Besse@lemmy.ml (M) to Memes@lemmy.ml, re: "6÷2(1+2)" (2 upvotes, 1 downvote, edited, 4 months ago)

    Has literally never happened. Texas Instruments is the only brand who continues to do it wrong […] all the other brands who were doing it wrong have reverted

    Ok so you’re saying it never happened, but then in the very next sentence you acknowledge that you know it is happening with TI today, and then also admit you know that it did happen with some other brands in the past?

    But, if you had read the linked post before writing numerous comments about it, you’d see that it documents that the ambiguity actually exists among both old and currently shipping models from TI, HP, Casio, and Canon, today, and that both behaviors are intentional and documented.

    There is no bug; none of these calculators is “wrong”.

    The truth is that there are many different math notations which often do lead to ambiguities

    Not within any region there isn’t.

    Ok, this is the funniest thing I’ve read so far today, but if this is what you are teaching high school students it is also rather sad because you are doing them a disservice by teaching them that there is no ambiguity where there actually is.

    If OP’s blog post is too long for you (it is quite long) i recommend reading this one instead: The PEMDAS Paradox.

    In Australia it’s the only thing we ever use, and from what I’ve seen also the U.K. (every U.K. textbook I’ve seen uses it).

    By “we” do you mean high school teachers, or Australian society beyond high school? Because, I’m pretty sure the latter isn’t true, and I’m skeptical of the former. I thought generally the ÷ symbol mostly stops being used (except as a calculator button) even before high school, basically as soon as fractions are taught. Do you have textbooks where the fraction bar is used concurrently with the obelus (÷) division symbol?


  • Arthur Besse@lemmy.ml (M) to Memes@lemmy.ml, re: "6÷2(1+2)" (2 upvotes, 1 downvote, edited, 4 months ago)

    I’m curious if you actually read the whole (admittedly long) page linked in this post, or did you stop after realizing that it was saying something you found disagreeable?

    I’m a high school Maths teacher/tutor

    What will you tell your students if they show you two different models of calculator, from the same company, where the same sequence of buttons on each produces a different result than on the other, and the user manuals for each explain clearly why they’re doing what they are? “One of these calculators is just objectively wrong, trust me on this, #MathsIsNeverAmbiguous” ?

    The truth is that there are many different math notations which often do lead to ambiguities.

    In the case of the notation you’re dismissing in your (hilarious!) meme here, well, outside of anglophone high schools, people don’t often encounter the obelus notation for division at all except as a button on calculators. And there its meaning is ambiguous (as clearly explained in OP’s link).

    Check out some of the other things which the “÷” symbol can mean in math!

    #MathNotationsAreOftenAmbiguous


  • Arthur Besse@lemmy.ml (M) to Linux@lemmy.ml, re: "I feel like I'm taking crazy pills" (1 upvote, edited, 4 months ago)

    Can containers boot on their own? Then they are hosts, if not they are guests.

    It depends what you mean by “boot”. Linux containers are by definition not running their own kernel, so Linux is never booting. They typically (though not always) have their own namespace for process IDs (among other things) and in some cases process ID 1 inside the container is actually another systemd (or another init system).

    However, more often PID 1 is actually just the application being run in the container. In either case, people do sometimes refer to starting a container as “booting” it; I think this makes the most sense when PID 1 in the container is systemd as the word “boot” has more relevance in that scenario. However, even in that case, nobody (or at least almost nobody I’ve ever seen) calls containers “guests”.

    As to calling containers “hosts”, I’d say it depends on if the container is in its own network namespace. For example, if you run podman run --rm -it --network host debian:bookworm bash you will have a container that is in the same network namespace as your host system, and it will thus have the same hostname. But if you omit --network host from that command then it will be in its own network namespace, with a different IP address, behind NAT, and it will have a randomly generated hostname. I think it makes sense to refer to the latter kind of container as a separate host in some contexts.


  • fwiw, besides the “Proton’s Free plan now offers up to […] after completing certain tasks.” post earlier, i also just deleted some adverinfonewstainment tutanota spam blogpost ("Chat Control May Finally Be Dead: European Court Rules That Weakening Encryption Is Illegal") from this community.

    tutanota is just like protonmail except there is more evidence indicating that they are primarily a honeypot for privacy-seeking rubes (as opposed to protonmail where it is maybe only obvious to people knowledgeable about the history of the privacy industry).

    People should be skeptical of anyone selling a service involving cryptography software which has nearly no conceivable purpose except for to protect against the entity delivering the software. Especially if they re-deliver the software to you every time you use it, via a practically-impossible-to-audit channel, and require you to identify yourself before re-receiving it (as almost any browser-based e2ee software which doesn’t require installing any software does, due to the current web architecture).

    If you think this kind of perfect-for-targeted-exploitation architecture isn’t regularly used for targeted exploitation… well, you’re mistaken. In the web context specifically, it has been happening since the 90s.

    imo this community should not tolerate advertising (or other posts whose purpose is to encourage using/purchasing) this type of deceptively-marketed service.