[personal profile] mjg59
Single signon is a pretty vital part of modern enterprise security. You have users who need access to a bewildering array of services, and you want to be able to avoid the fallout of one of those services being compromised and your users having to change their passwords everywhere (because they're clearly going to be using the same password everywhere), or you want to be able to enforce some reasonable MFA policy without needing to configure it in 300 different places, or you want to be able to disable all user access in one place when someone leaves the company, or, well, all of the above. There's any number of providers for this, ranging from it being integrated with a more general app service platform (eg, Microsoft or Google) to a third party vendor (Okta, Ping, any number of bizarre companies). And, in general, they'll offer a straightforward mechanism to either issue OIDC tokens or manage SAML login flows, requiring users to present whatever set of authentication mechanisms you've configured.

This is largely optimised for web authentication, which doesn't seem like a huge deal - if I'm logging into Workday then being bounced to another site for auth seems entirely reasonable. The problem is when you're trying to gate access to a non-web app, at which point consistency in login flow is usually achieved by spawning a browser and somehow managing submitting the result back to the remote server. And this makes some degree of sense - browsers are where webauthn token support tends to live, and it also ensures the user always has the same experience.

But it works poorly for CLI-based setups. There are basically two options - you can use the device code authorisation flow, where you perform authentication on what is nominally a separate machine to the one requesting it (but in this case is actually the same) and as a result end up with a straightforward mechanism to have your users socially engineered into giving Johnny Badman a valid auth token despite webauthn nominally being unphishable (as described years ago), or you reduce that risk somewhat by spawning a local server and POSTing the token back to it - which works locally but doesn't work well if you're dealing with trying to auth on a remote device. The user experience for both scenarios sucks, and it reduces a bunch of the worthwhile security properties that modern MFA supposedly gives us.

There's a third approach, which is in some ways the obviously good approach and in other ways is obviously a screaming nightmare. All the browser is doing is sending a bunch of requests to a remote service and handling the response locally. Why don't we just do the same? Okta, for instance, has an API for auth. We just need to submit the username and password to that and see what answer comes back. This is great until you enable any kind of MFA, at which point the additional authz step is something that's only supported via the browser. And basically everyone else is the same.

Of course, when we say "That's only supported via the browser", the browser is still just running some code of some form and we can figure out what it's doing and do the same. Which is how you end up scraping constants out of Javascript embedded in the API response in order to submit that data back in the appropriate way. This is all possible but it's incredibly annoying and fragile - the contract with the identity provider is that a browser is pointed at a URL, not that any of the internal implementation remains consistent.

I've done this. I've implemented code to scrape an identity provider's auth responses to extract the webauthn challenges and feed those to a local security token without using a browser. I've also written support for forwarding those challenges over the SSH agent protocol to make this work with remote systems that aren't running a GUI. This week I'm working on doing the same again, because every identity provider does all of this differently.

There's no fundamental reason all of this needs to be custom. It could be a straightforward "POST username and password, receive list of UUIDs describing MFA mechanisms, define how those MFA mechanisms work". That even gives space for custom auth factors (I'm looking at you, Okta Fastpass). But instead I'm left scraping JSON blobs out of Javascript and hoping nobody renames a field, even though I only care about extremely standard MFA mechanisms that shouldn't differ across different identity providers.

Someone, please, write a spec for this. Please don't make it be me.
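The second of the two CLI options above (a local listener that the browser is redirected back to) is what RFC 8252 describes for native apps. As an added example, not code from the post's author or from any of the identity providers named, here is that flow with the two checks that keep it from degrading into the device-code phishing problem: a per-request `state` value so the listener only accepts the redirect this process asked for, and a PKCE verifier that never leaves the process, so a code that lands anywhere else cannot be exchanged for tokens. The endpoints under `https://idp.example/`, the client id `cli-client` and the port are placeholders; a real client would take the URLs from OIDC discovery.

```python
"""Loopback-redirect login for a CLI: authorization code flow with PKCE.
Added example (not the post author's code); endpoints and client id are placeholders."""
import base64
import hashlib
import secrets
from dataclasses import dataclass
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholder endpoints; a real deployment takes these from OIDC discovery.
AUTHORIZE_URL = "https://idp.example/oauth2/v1/authorize"
TOKEN_URL = "https://idp.example/oauth2/v1/token"


def pkce_challenge(verifier: str) -> str:
    """S256 code_challenge (RFC 7636): base64url(SHA-256(verifier)), unpadded."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


@dataclass(frozen=True)
class AuthRequest:
    client_id: str
    state: str         # binds the redirect to this process's request
    verifier: str      # never leaves this process; only its hash is sent
    redirect_uri: str
    url: str           # what to open in the browser


def build_auth_request(client_id: str, port: int, scope: str = "openid") -> AuthRequest:
    """Assemble the authorization URL for a loopback redirect (RFC 8252 style)."""
    state = secrets.token_urlsafe(32)
    verifier = secrets.token_urlsafe(64)  # 86 chars, inside RFC 7636's 43..128 range
    redirect_uri = f"http://127.0.0.1:{port}/callback"
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "code_challenge": pkce_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return AuthRequest(client_id, state, verifier, redirect_uri,
                       AUTHORIZE_URL + "?" + urlencode(params))


def extract_code(request_target: str, expected_state: str) -> str:
    """Validate the redirect that hit the loopback listener and return the code.
    Anything without our exact state is refused: a redirect this process did not
    initiate (CSRF, an injected response) must never be exchanged for tokens."""
    parsed = urlparse(request_target)
    if parsed.path != "/callback":
        raise ValueError(f"unexpected path {parsed.path!r}")
    q = parse_qs(parsed.query)
    if "error" in q:
        raise ValueError(f"authorization failed: {q['error'][0]}")
    if q.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch")
    code = q.get("code", [None])[0]
    if not code:
        raise ValueError("missing code")
    return code


def token_request_body(req: AuthRequest, code: str) -> dict:
    """Form body for the token endpoint; the verifier proves we made the request."""
    return {"grant_type": "authorization_code", "code": code,
            "redirect_uri": req.redirect_uri, "client_id": req.client_id,
            "code_verifier": req.verifier}


def wait_for_code(req: AuthRequest, port: int, timeout: float = 300.0) -> str:
    """Serve exactly one request on 127.0.0.1:port and return the validated code."""
    outcome: dict = {}

    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            try:
                outcome["code"] = extract_code(self.path, req.state)
                status, body = 200, b"Login complete; you can close this tab."
            except ValueError as exc:
                outcome["error"] = exc
                status, body = 400, b"Login rejected."
            self.send_response(status)
            self.send_header("Content-Type", "text/plain")
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *args):  # keep the CLI quiet
            pass

    with HTTPServer(("127.0.0.1", port), Handler) as server:
        server.timeout = timeout   # give up rather than hang forever
        server.handle_request()    # one redirect, then the port is closed
    if "error" in outcome:
        raise outcome["error"]
    if "code" not in outcome:
        raise TimeoutError("no redirect received")
    return outcome["code"]


if __name__ == "__main__":
    PORT = 8765
    req = build_auth_request("cli-client", PORT)  # placeholder client id
    print("Open in a browser:", req.url)
    code = wait_for_code(req, PORT)
    print("POST to", TOKEN_URL, "with", token_request_body(req, code))
```

The listener handles a single request and then releases the port, so a stray connection after login cannot be replayed into it, and the state mismatch path returns 400 without ever touching the token endpoint. Note that this still only solves the local case the post describes; for a remote, GUI-less host the redirect has nowhere to land, which is exactly the gap the post's SSH-agent forwarding is filling.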

AI Generated Music

Jun. 24th, 2025 01:34 am
[personal profile] ndrosen
I read an article mentioning AI-generated pop music; apparently, AI can generate formulaic pop music, which, if not great, isn’t worse than similar music composed by humans. There is an issue, it seems, with the people owning the AI collecting royalties because (I am not giving any advice about intellectual property) you’re only supposed to obtain a copyright on something which you created, not something which a computer created.

It got me thinking: could a more advanced AI generate cantatas and organ fugues which sounded just as if they had been composed by J.S. Bach? Symphonies that Beethoven didn’t get around to writing, but which could have been his work? If we find the music beautiful, would it matter that it was the product of a neural network or a set of algorithms, instead of a man of genius?

lolsob

Jun. 23rd, 2025 08:16 pm
[personal profile] watersword

I tripped coming back from the garden after watering and skinned the hell out of my left knee and twisted my right ankle, plus minor scrapes on my palms. Ow.

Hobbled home, rinsed everything off (because of course I had some dirt on me from wrestling the garden hose and whatnot), smeared on antibacterial ointment, iced both joints (not super successfully), taped bandaids to my knee, and ordered delivery of a bento box. Now I need to put on enough clothes to get downstairs to receive said delivery, and get back up the stairs to eat. Ow ow OW.

This was a perfectly pleasant heatwave until then! I got the window unit into my bedroom window yesterday, have been eating popsicles and drinking various flavored waters, and made summer rolls last night. I was going to make peanut noodles. But no. Did I mention OW?

[personal profile] fox

When my mother moved into assisted living last summer, we got her a landline phone with big buttons and six presets where you can put pictures to make it super easy to tell who it is you're calling. Alas, the pictures are hard for her to make out because the contrast isn't great at that size, so I turned them over and just printed everyone's initials, black on white, easiest thing. Her brother, her sister, her um-friend, and her cousin all have different initials, no problem. My brother and I have the same first initial so all our lives we've been designated on family calendars and things by our first and middle initials together.

She can't remember our middle names.

[personal profile] liam_on_linux
A response to an HN comment...

The PC press had rumours of Quarterdeck's successor to DESQview, Desqview/X, from around 1987-1988.

That is roughly when I entered the computer industry.

Dv/X was remarkable tech, and if it had shipped earlier could have changed the course of the industry. Sadly, it came too late. Dv/X was rumoured then, but the state of the art was OS/2 1.1, released late 1988 and the first version of OS/2 with a GUI.

Dv/X was not released until about 5Y later... 1992. That's the same year as Windows 3.1, but critically, Windows 3.0 was in 1990, 2 years earlier.

Windows 3.0 was a result of the flop of OS/2 1.x.

OS/2 1.x was a new 16-bit multitasking networking kernel -- but that meant new drivers.

MS discarded the radical new OS, it discarded networking completely (until later), and moved the multitasking into the GUI layer, allowing Win3 to run on top of the single-tasking MS-DOS kernel. That meant excellent compatibility: it ran on almost anything, and it could run almost all DOS apps, and multitask them. And thanks to a brilliant skunkworks project, mostly by one man, David Weise, assisted by Murray Sargent, it combined 3 separate products (Windows 2, Windows/286 and Windows/386) into a single product that ran on all 3 types of PC and took good advantage of all of them. I wrote about its development here: https://www.theregister.com/2025/01/18/how_windows_got_to_v3...

It also did bring in some of the GUI design from OS/2 1.1, mainly from 1.2, and 1.3 -- the Program Manager and File Manager UI, the proportional fonts, the fake-3D controls, some of the Control Panel, and so on. It kept the best user-facing parts and threw away the fancy invisible stuff underneath which was problematic.

Result: smash hit, redefined the PC market, and when Dv/X arrived it was doomed: too late, same as OS/2 2.0, which came out the same year as Dv/X.

If Dv/X had come out in the late 1980s, before Windows 3, it could have changed the way the PC industry went.

Dv/X combined the good bits of DOS, 386 memory management and multitasking, Unix networking and Unix GUIs into an interesting value proposition: network your DOS PCs with Unix boxes over Unix standards, get remote access to powerful Unix apps, and if vendors wanted, it enabled ports of Unix apps to this new multitasking networked DOS.

In the '80s that could have been a contender. Soon afterwards it was followed by Linux and the BSDs, which made that Unix stuff free and ran on the same kit. That would have been a great combination -- Dv/X PCs talking to BSD or Linux servers, when those Unix boxes didn't really have useful GUIs yet.

Windows 3 offered a different deal: it combined the good bits of DOS, OS/2 1.x's GUI, and Windows 2.x into a whole that ran on anything and could run old DOS apps and new GUI apps, side by side.

Networking didn't follow until Windows for Workgroups which followed Windows 3.1. Only businesses wanted that, so MS postponed it. Good move.
 

(no subject)

Jun. 22nd, 2025 08:02 pm
[personal profile] skygiants
When I'm reading nonfiction, there's often a fine line for me between 'you, the author, are getting yourself all up in this narrative and I wish you'd get out of the way' and 'you, the author, have a clearly presented point of view and it makes it easy and fun to fight with you about your topic; pray continue.' Happily, Phyllis Rose's Parallel Lives: Five Victorian Marriages falls squarely in the latter category for me. She's telling me a bunch of fascinating gossip and I do often disagree with her about what it all means but we're having such a good time arguing about it!

Rose starts out her book by explaining that she's interested in the idea of 'marriage' both as a narrative construct developed by the partners within it -- "a subjectivist fiction with two points of view often deeply in conflict, sometimes fortuitously congruent" -- and a negotiation of power, vulnerable to exploitation. She also says that she wanted to find a good balance of happy and unhappy Victorian marriages as case studies to explore, but then she got so fascinated by several of the unhappy ones that things got a little out of balance .... and she is right! Her case studies are fascinating, and at least one of them (the one she clearly sees as the happiest) is not technically a marriage at all (which, of course, is part of her point.)

The couples in question are:

Thomas Carlyle and Jane Baillie Carlyle -- the framing device for the whole book, because even though this marriage is not her favorite marriage Jane Carlyle is her favorite character. Notable for the fact that Jane Carlyle wrote a secret diary through her years of marriage detailing how unhappy she was, which was given to Carlyle after her death, making him feel incredibly guilty, and then published after his death, making everyone else feel like he ought to have been feeling incredibly guilty. Rose considers the secret postmortem diary gift a brilliant stroke of Jane's in Triumphantly Taking Control Of The Narrative Of Their Marriage.

John Ruskin and Effie Gray -- like every possible Victorian drama happened to this marriage. non-consummation! parent drama! art drama! accusations that Ruskin was trying to manipulate Effie Gray into a ruinous affair so that he could divorce her! Effie Gray's family coming down secretly to sneak her away so she could launch a big divorce case instead! my favorite element of this whole story is that the third man in the Art Love Triangle, John Millais, was painting Ruskin's portrait when he and Gray fell in love instead, and Ruskin insisted on making Millais keep painting his portrait for numerous awkward sittings while the divorce proceedings played themselves out and [according to Rose] was genuinely startled that Millais was not interested in subsequently continuing their pleasant correspondence.

John Stuart Mill and Harriet Taylor -- this was my favorite section; I had never heard of these guys but I loved their energy. Harriet Taylor was married to John Taylor but was not enjoying the experience, began a passionate intellectual correspondence with John Stuart Mill who believed as strongly as she did in women's rights etc., they seriously considered the ethics around running off together but decided that while all three of them (Harriet Taylor, John Taylor, and John Mill) were made moderately unhappy by the current situation of "John Mill comes over three nights a week for passionate intellectual discussions with Harriet Taylor while John Taylor considerately goes Out for Several Hours", nobody was made as miserable by it as John Taylor would be if Harriet left John Taylor and therefore ethics demanded that the situation remain as it was. (Meanwhile the Carlyles, who were friends of John Mill, nicknamed Harriet 'Platonica,' which I have to admit is a very funny move if you are a bitchy 19th century intellectual and you hate the married woman your friend is having a passionate but celibate philosophical romance of the soul with.) Eventually John Taylor did die and Harriet Taylor and John Mill did get married -- platonically or otherwise is unknown but regardless they seem to have been blissfully happy. Rose thinks that Harriet Taylor was probably not as brilliant as John Mill thought and John Mill was henpecked, but happily so, because letting his wife tell him what to do soothed his patriarchal guilt. I think that Rose is a killjoy. Let a genius think his partner of the soul is also a genius if he wants to! I'm not going to tell him that he's wrong!

Charles Dickens and Catherine Dickens -- oh this was a Bad Marriage and everyone knows it. Unlike all the other women in this book, Catherine Dickens did not really command a narrative space of her own except Cast Aside Wife which -- although that's probably part of Rose's point -- makes this section IMO weaker and a bit less fun than the others.

George Eliot and George Henry Lewes -- Rose's favorite! She thinks these guys are very romantic and who can blame her, though she does want to take time to argue with people who think that George Eliot's genius relied more on George Henry Lewes kindling the flame than it did on George Eliot herself. It not being 1983 anymore, it did not occur to me that 'George Eliot was not primarily responsible for George Eliot' was an argument that needed to be made. "Maybe marriage is better when it doesn't have to actually be marriage" is clearly a point she's excited to make, given which one does wonder why she doesn't pull any Victorian long-term same-sex partnerships into her thematic examination. And the answer, probably, is 'I'm interested specifically in the narrative of heterosexual marriage and heterosexual power dynamics and the ways they still leave an imprint on our contemporary moment,' which is fair, but if you're already exploring a thing by looking outside it .... well, anyway. I just looked up her bibliography out of curiosity to see if she ever did write about gay people and the answer is "well, she's got a book about Josephine Baker" so I may well be looking that up in future so I can have fun arguing with Rose some more!

vital functions

Jun. 22nd, 2025 07:22 pm
[personal profile] kaberett

... is a placeholder because I am doing so badly at routines in general and bedtime routines in particular, still, augh.

Reading. Adventures in Stationery, James Ward. Not entirely sold on the way anecdotes were strung together, and definitely dubious about the broader social history, but a pleasantly undemanding diversion in a week where I really needed that and for bonus points it finally explained The Thing About Blackwing Pencils to me.


Watching. One more episode of Farscape (S02E02 Vitas Mortis), while bleaching A.

Cooking. Mostly Pasta With Things. (Things have included "kohlrabi and misc other greens from the allotment" and "pseudo puttanesca".)

Eating. STRAWBERRIES. Have also nibbled, from the allotment: peas! broad beans! aforementioned kohlrabi! cherries! the first raspberries! redcurrants! jostaberries!

Exploring. ... bits of a field? OH and I bimbled down to the post office and, en route, checked how the local quince tree is doing. (FRUITING.)

Creating. Painted A colours!

Growing. Iiii just about made it to the allotment to water things on, like, Tuesday, but I have otherwise been... struggling.

... the ginger at home continues to go zoom, though! And I really really need to pot it on, eesh.

Observing. BAT.

Heat Wave

Jun. 22nd, 2025 03:28 pm
[personal profile] ndrosen
This weekend is the start of a major heatwave. I put on shorts today, and wore them walking to the farmers’ market and then, in a second expedition, to the supermarket. My pale calves contrast with my bronzed arms. I’ll try to avoid using more power than I need to, since increased use of air conditioning may put a strain on the electric system.

Pokemon/Burn Notice

Jun. 22nd, 2025 10:36 am
[personal profile] brithistorian

It occurred to me that the main characters of Burn Notice can be mapped 1:1 to the main characters of Pokemon:

  • Michael = Ash
  • Fiona = Misty
  • Sam = Brock

And so I made this:

The Friday Five on a Sunday

Jun. 22nd, 2025 04:13 pm
[personal profile] nanila
  1. If you were a fruit, which would you be and why?

    I would like to be a guava. They are a tropical fruit that does not export well, and are almost as tetchy as avocados. Unripe, unripe, unripe, unripe, unripe, RIPE AND SUCCULENT, hahaha you missed the 10-minute window when I was perfect and now I shall rot secretly on the inside so you won't be able to anticipate your disappointment.

    When you do manage to catch them at the right moment, they are sooooo delicious.

  2. If you wake up and smell smoke, and you have to get everybody (pets included) out of the house safely, but you have time to grab one item, what would you grab?

    My phone. No question. Once upon a time it would have been passport or driving licence or some such, but we do everything on our phones now, so I can think of nothing more essential than that. Yes, the documents are a faff to replace, but how are you going to get online to do it without your phone?

  3. If you were stuck on an island, who would be the one person you would want with you and why?

    I hate it in films (and in fact in real life) when people are ordered to choose between beloved family members. I would want my partner AND my children with me, or else I would refuse to choose.

  4. If you could change one thing about your physical appearance, what would it be?

    I'm not sure changing one thing would make much of a difference.

  5. If you could spend the day with one famous person, dead or alive, who would you choose?

    I'd quite like to have a chat with Jaron Lanier.

Tolkien lecture

Jun. 22nd, 2025 10:43 am
[personal profile] qian
My talk for the Tolkien lecture series hosted by Pembroke College, Oxford is up on YouTube: The Uses of Fantasy. I really enjoyed doing it, though I'm now out of the one idea I had for a Guest of Honour/whatever speech lolol. I have used it up!!

patience in a garden plot

Jun. 21st, 2025 11:01 pm
[personal profile] watersword

Got a Cake Batter cone (working my way through the non-coffee-flavors at my local ice cream shop) and walked over to the garden; I am very pleased to report that the rhubarb has come up, and so has the parsley and the cosmos and the sweet alyssum! Could there be 100% more of all of these plants, considering how many seeds I put in? Yes. But: I created plants! The basil is going to be so happy over the next week of heatwave. The peas are doing great and I am going nuts over the lack of watermelon, hopefully they will also rejoice in the heat.

And then I stuck a couple of coreopsis in the front garden, which I impulse-bought this morning at the farmer's market, not even a little sorry. Other impulse purchases today included a bag of basil (PESTO) and a container of corn salsa, which I will add to fish-stick tacos.

The Victim Mindsight

Jun. 21st, 2025 07:40 pm
[personal profile] ndrosen
Some of my online friends may be interested in a podcast cum transcript of a Reason interview with the psychologist Scott Barry Kaufman on incels, narcissists, and the victim mindset. Getting people to reject the victim mindset, he says, is not a matter of yelling at them, “Tough it out, you sissy!”

If I may paraphrase, it’s telling people that even if they have suffered real wrongs or have real problems, they should not define themselves as victims and make no effort to improve their situation. Instead, they should take responsibility for themselves, and do what they can to climb out of whatever hole they’re in.
[personal profile] kaberett

I went "HOLD ON I HAVEN'T POSTED--" at 00:01 last night, when I had already been in bed but failing to sleep for about twenty minutes, and so I will tell you that part of the reason that I did not manage to actually post, actually yesterday, is that my reward for having finally e-mailed the headache clinic and said "so yeah I took my loading doses in mid-April, sorry I didn't manage to e-mail at the time, executive dysfunction has been eating my entire brain"...

... was of course a response like "well ideally your follow-up appointment would have been last week but, okay, fine, how about Monday? :|"

"... oh and by the way you know those questionnaires we want you to submit a minimum of a week in advance? yeah if you could get those done too--"

-- which: ENTIRE brain.

(I managed to confirm the Monday appointment. I did not manage to get the headache diary and questionnaires done.)

Tax Issue — Follow-up

Jun. 21st, 2025 01:28 pm
[personal profile] ndrosen
On Friday, June 13, after spending a long time on hold (I was able to work while this was going on), I got to talk with a pleasant, helpful lady at the IRS, who told me that I didn’t even need to pay gift tax, since I was not transferring more than twelve million dollars over the course of my life to another person. I said that the Treasury could keep the money I had paid, and I would consider it a contribution to reduce the national debt, but I did not want to pay it again, together with interest and penalties.

She gave me instructions and a mailing address. On Monday, I went to the bank, and obtained a copy of my canceled check. I wrote a letter of explanation, and enclosed the image of the canceled check with it in an envelope, which I sent to the IRS by certified mail on Wednesday.

Let’s hope that my good deed is not further punished.

Books returned June 8, 2025

Jun. 21st, 2025 02:00 pm
[personal profile] terriko
This is crossposted from Curiousity.ca, my personal maker blog. If you want to link to this post, please use the original link since the formatting there is usually better.

Catching up on some missed weeks now!

Books returned June 8, 2025. Titles and reviews in post.

My books

Full Speed to a Crash Landing – I read the second one first so I had some idea of how this ended but wow it was fun to see how they got there. Kind of… space heist crossed with enemies to lovers vibes, but no resolution since this is book 1 of at least 3. Absolutely fun and I’m on the list for book 3 already.

Not many books this week because I was working my way through a book I bought which I actually still haven’t finished — it’s got a lot of grief and I need to move through that slowly right now. And also because I’ve been writing rather than reading.

Picture books

Rosie goes to preschool – meh. I glanced through it but kiddo didn’t even want to read it.

Grandpa Green – a repeat. About life and memory loss and gardening. Beautiful but I don’t think it resonates too much with my kid since he hasn’t actually experienced a grandparent with memory loss yet. He still loves the gardening art, though.

Puppy Bus – kid gets on the wrong bus to school and ends up getting a dog’s education. Adorable and funny.

Good Rosie – not sure I read this one? I can’t remember it.

Pete the Cat’s got class – don’t think I read this one either.

Just Like Millie – sweet, beautiful art. Learning to cope with life via dog.

Lizzy and the Cloud – also didn’t read this one. Usually I try to get to each book at least once but kiddo was really into some other books instead!

Molly & May – a brief friendship on a train. I liked it but kiddo was kind of meh on it.

My humongous hamster – a repeat.

The Red Queen’s Race

Jun. 20th, 2025 10:38 pm
[personal profile] ndrosen
I finished an Office Action on the older of my two amended cases earlier this week; then a new amendment showed up. I didn’t write the first action on this one, but inherited it from an examiner who has left the Patent Office. So I’m back to two cases on my Amended docket.

I have been working on my oldest Regular New application, but haven’t finished it so far.

Profile

brainwane

Page generated Jun. 30th, 2025 04:58 pm
Powered by Dreamwidth Studios