#qi-hardware IRC log for Sunday, 2011-04-17

whitequarkwpwrak: thanks for the article. for my ultrasonic bath, I think that 35W is the input power; the output power will be much lower due to various losses04:30
whitequarkand, after all, it will be around 15W/l. talking about the frequency, it emits loud clicks when working. that very well may be the audible side-effects of sweeping04:32
whitequarkC-Keen: so I've etched that brass yesterday06:13
whitequarkit's just like etching copper06:13
whitequarkalmost no differences06:13
qwebirc95244(/nick Fusin08:26
Fusinwithout '(' is better I believe ;)08:26
FusinBen Nano is up and running08:27
Fusinnow 'testphase' ...08:27
C-Keenwhitequark: did it go well?08:45
whitequarkC-Keen: yeah08:50
whitequarkno problem. I now have a smiley =) of brass08:50
whitequarkI wonder if 0.05 mm sheets I have are thick enough for solder paste mask08:50
Action: whitequark is trying to debug I2C communication with Soviet analog 1-channel scope "C1-68"08:53
whitequark68 is the year, I think08:53
C-Keenwhitequark: nice :)08:53
Action: whitequark is trying ammonium persulphate now11:12
whitequarkthe solution slowly becomes light-blue in the process11:12
whitequarkand it is relatively non-smelly compared to FeCl311:12
whitequarkit just emits ammonia and sulphur dioxide...11:13
rjeffrieswolfgang for some reason my openID credentials are rejected. Is there a way to overcome that so I can do a little editing of the wiki?14:44
wolfspraulopenid login is broken14:46
wolfspraulthe way to overcome it is to do anonymous edit and pass the math captcha, or to create an account14:46
wolfspraulthere was some problem upstream with openid login, so I will just wait and hope one day the problem will go away in an update14:47
wolfspraulmost important: thanks for considering to help with the wiki!14:47
rohopenid itself is a really fucked up concept.14:53
rohnothing which could fix it.14:53
wolfspraulbetter than creating accounts everywhere I think14:53
kristianpauli agree with roh14:53
kristianpaulindeti.ca stop acepting my own openid some weeks ago :(14:54
rohwolfspraul: nope.14:54
wolfspraulwhat's better?14:54
rohwolfspraul: if you allow openid you can by default allow anonymous edits. same level of trust14:54
kristianpaulFoaf-ssl is nice, but not wider deployed yet i think14:54
wolfspraulroh: of course14:54
rohyou 'trust' somebody you dont know to name a 3rd party for you to ask to verify credentials.... ehh.. WTF?14:54
wolfspraulanonymous edits are of course allowed as well (just with math captcha)14:54
wolfspraulyes sure14:55
wolfspraulit's a spam filter14:55
wolfspraulI never thought about it as being more. Also it can reduce the number of accounts people have to have everywhere.14:55
rohso the first thing i would do as spammer would be setting up a openid server allowing me to spam you all. (if it dit not happen it will. i promise)14:55
rohwolfspraul: openid ALLOWS spam. not removes them.14:55
rohit even allows automated bot spamming (contrary to captchas and account creation, which one can tarpit by heuristics (e.g. >10 accounts in $timeframe form same ip.. etc)14:56
wolfspraulroh: ok reading :-) Maybe the way to fix the broken openid login is to remove the broken plugin.14:58
wolfspraulI think in real life, it would still function as a spam filter today, but maybe you are right and that's only because it never caught on.14:59
rohwolfspraul: my guess is that everybody able to fix the plugin doesnt do for the same reasons i would never write one ;)14:59
wolfspraulI just look at it very pragmatically as a way to avoid local account creation everywhere.15:00
rohsome technology isnt hard. its just blocked by people sane enough not to do it. (contrary to nuclear power... will take some time to have people get that it was a stupid idea to begin with)15:00
wolfspraulif I would receive openid spam I would disable it, of course15:00
rohmaybe i should do a openid wildcard bot and publish that... *veg*15:00
wolfspraulroh: so you say openid is so fundamentally and unfixable broken that we should just remove it?15:01
kristianpaulbtw openid is not an opendoor to spam if you consider the _first_ time it is acepted you need to fill some data that tells who are you15:01
rohwolfspraul: as far as i understood the concept, yes.15:01
wolfsprauland it will never catch on either, whether for technical or commercial reasons15:01
wolfspraulit's already clear to me that it is close to anonymous15:02
rohi dont know anybody who seriously uses it.15:02
wolfspraulme neither :-)15:02
kristianpaulyeah :(15:02
rohi have been asked many times, but mostly by people annoyed that 'the internet is not facebook' and doesnt do single sign on.15:02
wolfspraulit may not even have a concept of blacklists/revokations or so, right?15:02
rohif you want a proper solution, use client based certificates.15:03
kristianpaulopenid uses a third party for auth also15:03
rohthen you could just make the client auth by its cert.15:03
wolfspraulyes but it's trivial to setup all these servers, since it's a distributed system15:03
wolfspraulso like roh said, it may just be a techie way of security by obscurity15:03
rohbut x509 sucks even more in reality, so nearly nobody uses that (also browser cert handling sucks)15:03
wolfspraullooks nice at the surface, but once you attack it programmatically it comes down15:04
wolfspraulmaybe a login system that ties back into pgp keys would be better?15:04
kristianpaulroh: no more logins then? ;-)15:04
rohkristianpaul: well.. 'show your cert'15:04
rohbut that wouldnt fix anything. then people wouldnt forget passwords, but loose certificates or fitting keys or passphrases15:05
rohthus i stay with username/password and extra accounts for all. the browser remembers them anyhow15:05
kristianpaulwel, we are humans afetr all :-)15:05
wolfspraulroh: do you suggest removing openid login support on the qi wiki?15:06
rohalso easier to re-roll if there was an issue. and its explainable to non-tech-humans15:06
rohwolfspraul: i dont see a reason to use it. (has anybody ever used it?)15:06
rohneed to run.. bbl15:06
Action: kristianpaul try to use openid but i got rejected most of the time...15:07
kristianpauli guess my server is not part of a ring of trust, and i dunno what to do to achieve that15:07
wolfspraulroh: no it is and always was broken15:07
kristianpaulto control stop spam by openid, is acepatable to do a first time account creation, so you ensure that the accound is owned by a human..15:08
kristianpaulso well openid, not so open.. you need  a trust-ring after all..15:08
wolfspraulroh: I just removed it. problem solved :-)15:09
wolfspraula non-working feature is worse than not having it at all15:10
wolfspraulthanks for your feedback!15:10
mthroh: afaik openid only says "this is the same person as before", it doesn't say anything about the trustworthyness of that person15:53
rohmth: still the 'server' is not under the controll of the service you access. so it doesnt say anything about trust15:55
rohmeans: it doesnt matter what the server says. why should one trust it in the first place?15:56
mththe service doesn't have to trust the auth server, as long as the user does16:05
mthwith a username/password scheme, on account creation the service has no reason to trust the user either16:06
mthfrom that point on, it's up to the user to only share his password with people he trusts16:08
mthideally, that is only himself16:08
mthbut knowing the password does not mean the service can trust the user, only that the person doing the login is trusted by the person who created the account16:10
mthfor example, on projects.qi-hardware.com, the point at which a user is trusted by the service is when that user is added as a member of a project by an admin, not the moment of account creation16:11
rohdoesnt change the default assumption. that the auth server doesnt lie16:13
mthlie about what?16:13
rohthat the user is indeed the user.16:14
mthbut "the user" is just a URL on the auth server, isn't it?16:14
rohsince its usually not in the users control (see blogs, masshosters...)16:14
mthso it's only a matter of the auth server being consistent in its responses16:15
rohmth: and the user needs to trust it not to leak informations as well as to work.16:15
rohits only adding 'another point of fail'16:15
rohit tries to solve a problem by adding another. thats plain and simple bad design.16:15
rohwell.. its only one of the hypes which will die out again.16:16
mthimplementation defects in the auth server are indeed a risk16:16
mthI think it's a scheme that works in theory but may or may not work in practice16:16
rohmth: and the issue that its 'yet another server to keep safe'16:16
rohsimple math says that issues in security as well as reliability will be atleast statistically twice as much16:17
wpwrakroh: at most ! ;-) if reliability is down to hell, you'll never make it even to the security holes :)16:18
rohenforcing ssl and a somehow sane pw should avoid most user handling as well as conveniece problems. in the end it doesnt matter where you log in by pressing ok on a form your browser prefilled.16:18
mthimo browsers should have a "generate password" option16:19
rohwpwrak: in real world reliability doesnt scale linear with the number of involved machines but inverse exponential ;)16:19
rohsince more routers, etc are involved16:19
rohmth: yes.16:19
rohand no certificates installed by default. emtpy trust chain.16:20
rohthen add something like certificate patrol by default.16:20
rohmeans you would have to add every site once and then never again. and gain higher security.16:21
rohof course that would completely bust the air-selling-business of verisign ;)16:22
rohah.. and for even higher security you need some 3rd party validation anyhow.. means you bank will (and some even do already) print their certificate fingerprint on the paperwork16:23
rohthe dialogs how to compare them etc would need to be improved also of course... current x509 userinterfaces suck big time16:23
mthrecent openssh has a nice ASCII art visualizing the server key fingerprint16:28
rjeffrieswolfgang i was able to edit Wiki by using regular account. thanks.21:32
kristianpaulwpwrak: your log analizer, sample in real time?22:21
kristianpauli mean you dont have to sample n milli seconds then stop and analize..22:21
kristianpaulwell, is logic, so we need analize it later.. i see then reason for triggering here22:24
wpwrakkristianpaul: err, you mean my USB decoder ? or the rigol scope ? or ... ?23:08
kristianpaulwpwrak: rigol (sorry if i wasnt clear)23:09
wpwrakkristianpaul: in the rigol, it's like the analog system - you need some trigger (can be auto-trigger, of course)23:10
wpwrakkristianpaul: it can also trigger on patterns, etc. what it can't do is trigger on decoded protocols (well, unless that would be equivalent to pattern). that would be yet another thing one could do with an fpga :)23:11
wpwrakkristianpaul: (for expensive scopes, you can buy extensions that give you SPI/I2C/CAN/etc. triggers. it's funny to consider that, if you had access to the susyems)23:22
wpwrakbrr ... system's sources, you could implement all this in roughly the same time that the cost of one license would pay for in terms of work hours :)23:24
kristianpaulof course, not that i'm going to buy one, just survering from you the expensive/fancy features :-)23:28
--- Mon Apr 18 201100:00

Generated by irclog2html.py 2.9.2 by Marius Gedminas - find it at mg.pov.lt!