July 7th, 2026
kaberett: Trans symbol with Swiss Army knife tools at other positions around the central circle. (Default)
posted by [personal profile] kaberett at 10:59pm on 07/07/2026

(by which I mean, A very bravely ventured back to B&Q again, this time DID get The Goods, aaaaaaaand then discovered that even cut down they didn't fit in the car so they still needed to be attached to the roof rack with ratchet straps--)

we have achieved PROOF that the windows CLOSE when they have ratchet straps slung around both TOP and BOTTOM

we have a house at 26.7°C and an outside world at 26.1°C and it's time to go to bed

[Gru's plan goes here]

-- but hey, maybe at least we'll manage to discourage it from getting significantly warmer in here? and maybe I'll wake up early enough to open the house up usefully while we're still below 20°C tomorrow morning?

jorallan: (Default)
posted by [personal profile] jorallan at 07:44pm on 07/07/2026 under
As parliamentary wonks will know, it is impossible to resign as an MP as it is a duty, not an honour. However, becoming the holder of "an office of profit under the Crown" disqualifies someone from being an MP, and two legal fictions (the Crown Steward and Bailiff of [His] Majesty's three Chiltern Hundreds of Stoke, Desborough and Burnham, and the Crown Steward and Bailiff of the Manor of Northstead) are maintained to allow MPs to resign (Section 4 of the House of Commons Disqualification Act 1975). The gift of these offices is within the purview of the Chancellor of the Exchequer.

Given the events of the day, a question arises as to whether it would be possible for the Right Honourable Member for Leeds West and Pudsey to not appoint the (dis)Honourable Member for Clacton to office of the Crown Steward and Bailiff of the Manor of Northstead, thus ensuring he remains an MP until any potential investigation into his finances has been completed. This would not be entirely without precedent; in particular, Viscount Chelsea was refused the office of the Chiltern Hundreds in 1842 due to suspicions that money had changed hands to influence the result of the by-election which would have followed his appointment. [editorial note: I love the fact I can link to the full text of a Parliamentary debate in 1842]

Given that the potential (likely?) result of the investigation into Farage's finances is that he should have declared the donations he received, that he would likely be subject to a suspension as an MP for a length of time (10 sitting days or 14 calendar days) sufficient to trigger a recall petition and that his "resignation" is a blatant attempt to subvert the investigation process, I argue that it would be correct for Reeves to refuse to appoint Farage to one of the offices of profit until the investigation has completed.

I have no idea what would happen in if Reeves does not appoint Farage. But if might be fun to find out.

Mood:: 'thoughtful' thoughtful
andrewducker: (Default)
posted by [personal profile] andrewducker at 12:54pm on 07/07/2026 under
A friend reported that it was taking him 20 seconds to load my journal (as opposed to only a couple of seconds for other people's). Other people's journals weren't slow, just mine. And only when logged in.

Can anyone replicate this? (I'm putting in a support request to DW over it, and it would be good to know if this is something special about him, or a more widespread problem.)

And before anyone asks, yes, we've replicated on multiple browsers, multiple devices, and multiple networks.

Edit: Support ticket raised
andrewducker: (Default)
liv: In English: My fandom is text obsessed / In Hebrew: These are the words (words)
posted by [personal profile] liv at 08:49am on 07/07/2026 under
So next/this year I'm assigned to Wimbledon, a kind of apprenticeship or internship where hopefully I will learn how to actually do the job of a rabbi as a whole, rather than individual pieces of it. They have asked me to write an article introducing myself for their magazine. And I'm really struggling to write something not boring; what I have reads like a list of the places I've lived, worked and volunteered with the Jewish community, like a very pedestrian covering letter. So, if you were a member of a synagogue and there was a new intern about to join, what would you want to know about them? I've included the (slightly redacted) draft below the cut.

this is boring even to me and I'm the subject )

One of my next year teachers has set us for our pre-class homework over the summer "read a book". Like, literally pick up a book and read it. Presumably there's a point to this, I was planning to read some books anyway, but I assume there's more to it than just ticking the box to say, yup, I read a book. Suggestions welcome! If an eminent professor of Bible told you to read a book, what would you pick? I know the prof is an SF fan, she's trying to start a theological SF reading group.
Mood:: 'blocked' blocked
July 6th, 2026
ceb: (Default)
posted by [personal profile] ceb in [community profile] qec at 08:30pm on 06/07/2026
* posted parcel
* loppers back to J
* finished talk
* carved patch blocks
* printed patch blocks
andrewducker: (Default)
posted by [personal profile] mjg59 at 02:01am on 06/07/2026 under ,
A reminder that I am no longer here, but am instead here. The new RSS feed is here. If you're still reading this for some reason other than being on Dreamwidth, please update your feed.
July 5th, 2026
ceb: (Default)
posted by [personal profile] ceb in [community profile] qec at 04:49pm on 05/07/2026
* tested a known working FP4 screen
* made up ebay parcel
* written almost all of an interview presentation
* plan for the next 2 days which are incredibly full
kaberett: Trans symbol with Swiss Army knife tools at other positions around the central circle. (Default)
posted by [personal profile] kaberett at 10:40pm on 05/07/2026 under

Reading. I have... restarted... Polysecure (Jessica Fern), this time having set up some space in my notebook to Take Notes, because oof. I am still at Baby's First Introduction To Attachment Theory, and I am having Thoughts.

(I am Noticing that I procrastinated on actually picking it up until it was in the final days of the loan, with enough of a hold queue that if I don't finish it in the next 36 hours I will either be buying my own copy or sulking a bunch. This is definitely a reversion to employing Deadline Panic to get a thing done.)

Playing. Puzzle! We have COMPLETED the pond and the various rivers are beginning to coalesce. I am definitely having Thoughts about design, on which more soon/later maybe.

Cooking. We wound up with a paucity of broad beans and an excess of broccoli, so I dumped a bunch of broccol in the broad bean kuku and that worked pretty well.

I have managed to process Some of the redcurrants. There are So Many redcurrants. I really need to go and harvest more raspberries so I can make the jam, and am gently cursing myself for not having achieved this before the next round of heat wave arrived...

Eating. So many strawberries. Also we had an excellent date night dinner sat outside at Wagamama, where it turns out I do in fact really enjoy the gochujang tamarind corn ribs.

Making & mending. ALAS FOR US we have not Made The Window Covers, because our local B&Q had the appropriate plywood but a broken industrial saw for cutting it to size, and the next closest B&Q, which we called to confirm did have a working saw, despite its inventory claims did not have the appropriate plywood. Ergo this week we will be once again resorting to the space blankets.

Growing. I... repotted the pineapple thereby discovering that despite Remaining Alive it was NOT Happily Growing Roots in the medium it was in? So. We will see if it survives the relocation.

Observing. A Jersey Tiger!

Yesterday we wandered down via the bakery to the river (dropping off a bike with the local nice bikes autistic en route) and spent a while watching the various waterfowl: a gaggle of awkward teenage ducks; a separate gaggle of awkward teenage coots, still all trying to pile onto the one nest; a bundle of tiny flufflings all following mama duck, one of whom was consistently making a noise exactly like the PLIMK of a water drop in a space that amplifies the sound; and Six Quiet Orbs on the nest down the river, still with one (1) teenage coot tucked into the side of it. It was a very good walk for waterfowl.

andrewducker: (Default)
July 4th, 2026
andrewducker: (Why did I click?)
posted by [personal profile] andrewducker at 10:43pm on 04/07/2026
Today we went to Berwick Upon Tweed, to a friend's birthday.

I didn't know exactly when we'd want to come back, so I bought an "Open Return", thinking that this would mean we could return on whichever train we wanted. That being my memory of how they worked. Only to discover that because we'd booked to go there on a Transpennine train, the return trip also had to be on a train from the same operator. Which, as there were only trains at 16:09 and then nothing more until after 19:00, we could either leave early, or be stuck there with the kids until very late.

I am completely baffled by this. There seemed to be, as far as I can tell, no way of getting an actually flexible return trip.

Anyone with experience of the train setup want to tell me if this is how it's now supposed to work?
andrewducker: (Default)
July 3rd, 2026
ceb: (Default)
posted by [personal profile] ceb in [community profile] qec at 11:51pm on 03/07/2026
* job centre
* got a job interview!
* sorted out ADHD appt
* bike cable tie
* bike complaint
kaberett: Trans symbol with Swiss Army knife tools at other positions around the central circle. (Default)

Last night my meds box mysteriously contained the 25mg tablet but not the 50mg. It's Just One Night, I think, always, when this happens (... about once a year, to be clear), I've Got So Much Better At The Whole Learning To Fall Asleep Thing, It'll Be Fine.

Spoilers: It Is Not Fine.

It remains genuinely magical to me that at 75mg of amitriptyline I can fall merrily asleep within 15 minutes of starting to try, and without it's... even with the breathing meditation and the working my way mentally through the Pilates sequence and the eventually giving up and playing sudoku at a hard enough level I get bored brute forcing it, it takes hours.

Thanks be for pharmacology, for ever and ever, good grief.

mtbc: maze N (blue-white)
posted by [personal profile] mtbc at 08:36pm on 03/07/2026 under , ,
A bothersome issue we have here in Glasgow is the subway system, which locals don't actually typically call the Clockwork Orange (that's another movie that Legion references). It's a really great aid for getting around the city. Admittedly, it's annoying that it (mostly) doesn't allow dogs, unlike our buses and trains and the London Underground which isn't in Glasgow, and partly the subway looks good because the buses suck so badly, but it still brings significant value. Unless one's in a wheelchair, that is. I think there are fifteen stations and maybe just a couple offer lifts down to the platforms.

The only popular destination with good access is St Enoch station. A century ago, they demolished St Enoch's church but at least she still has something there; maybe she knows St Eligius who might be more interested in elevators down to the subway.

I appreciate that subway access is a sticky issue. The network's Victorian: the original carriages were wooden, pulled along with cables. The stations are likewise very old and under the centre of Scotland's largest city. Retrofitting accessibility is no small feat, economic growth here has been poor since I left Ohio years ago, these days in Glasgow it's a triumph if they manage to collect the trash, fill the potholes, and clear the drains (they don't); public services felt better when I was in Taguig. Still, the fact that such a useful public amenity is not readily available to the non-ambulatory feels to me like we oughtn't tolerate it, just as people shouldn't go without food and shelter either.

I know I'm probably being naive but society can move mountains when it finds the will, apparently we can even build tunnels to join the Shetlands, I'd like to think that this is a solvable problem even if we have to trample somewhat on historical artifacts to achieve it.
andrewducker: (Default)
andrewducker: (time to live)
posted by [personal profile] andrewducker at 09:50am on 03/07/2026

About 6 weeks ago I noticed that I was out of contract with my ISP, and they'd put up my price by inflation, to just over £40 for 300Mbit..

So I checked, and discovered I could go back in to a 2 year contract for £39. And that they no longer had a 300Mbit contract, that was for 500Mbit. So I cut my price and got 50% more bandwidth.

And then a couple of days ago, I noticed that they had an offer on - to sign up for 900Mbit for the cost of 500Mbit. So now I have 900Mbit internet for the same price I was paying for 300Mbit in May.

(I could be even cheaper with a different provider, but Zen have awesome customer service, and we both work from home, so I want someone who fixes things fast when they go wrong.)

What boggles me slightly is that I now have 100Mbit upload. Which is how fast my home's internal network was until about 2 years ago.

andrewducker: (Default)
posted by [personal profile] andrewducker at 04:04am on 03/07/2026 under ,


Good morning from windy Scotland, where the children were sitting in their car seats in the front drive waiting to be picked up and taken to Portobello beach, where the parents of one of their friends are looking after them today.
Original is here on Pixelfed.scot.

July 2nd, 2026
posted by [syndicated profile] mjg59_codon_feed at 05:38pm on 02/07/2026

As is the case for many people working in the security industry, the last few months of my life have been focused on dealing with people wanting to use LLMs everywhere. From an enterprise security perspective that’s not an inherent problem - what’s more of a problem is that people want those agents to have access to resources like their calendar and email and so on, and now we have somewhat non-deterministic agents that seem very enthusiastic to achieve what you asked whether that’s a good idea or not, and we’re combining this with credentials that give them access to sensitive data, and leaving those credentials on disk where they can be committed into git repos or exfiltrated to some other service to make use of them on the agent’s behalf or well just any other number of things, at which point your CEO’s email is suddenly readable by everyone and you’re having a bad day.

As I mentioned in my last post, pretty much every strong mechanism for keeping credentials in place is just not supported in the wider world. We can imagine a universe where agents use hardware (or at least hypervisor) backed certificates to obtain credentials and any that end up leaking are worthless as a result. But, sadly, that’s not an option for most people using existing identity providers. The state of the art is that you use the device code flow and a human authenticates and the token ends up back inside the agent environment and then it proceeds to do whatever it wants with it and you just hope that you wake up the next morning without an awful infoleak occurring.

(An aside: I do not like the device code flow as used in enterprise environments, and I never will. The identity provider doesn’t have a real opportuity to inspect the security posture of the system asking for the token, and as a result some identity providers will restrict tokens that are issued in this way. The common alternative of doing stuff using a more standard flow and having a redirect URI pointing at localhost works fine for local systems and is a pain for remote ones, even if you can commit crimes with SSH forwarding. I’m going to suggest something that I think is better, and you are free to disagree)

I’m not in a position to get every identity provider and service provider to change their security posture, so I’m somewhat stuck in terms of the tokens they’re willing to issue me - largely either JWTs or opaque access tokens, with no support for any mechanism of binding that token to an instance. The token that’s going to have to be provided to the remote service is something I have little influence over. But that doesn’t mean I can’t influence the token that lands inside the agent’s environment. I can issue a placeholder token to the agent, and force it to communicate via a proxy that swaps out the placeholder for the real thing. The worst the agent can do is exfiltrate the placeholder token, and as long as malicious actors don’t have access to that proxy, it doesn’t matter - nobody else can do anything with the placeholder.

This isn’t a terribly novel insight, and it seems like almost everybody has reinvented this on their own. But a lot of these implementations involve you somehow obtaining the real token in advance and then pasting that into something that generates a placeholder that you provide to your agent environment somehow, and it’s all a bit clunky and awkward, and it also means that you need to deal with something that keeps track of the mapping between placeholders and real tokens and oh no we’ve just invented a secret store, and if you want this to work at scale and reliably you’re just invented a high availability distributed secret store, and a lot of people who’ve read that are now shaking their heads and reaching for gin. Can we simplify this, and improve security at the same time? I think we can!

Remember when I said “as long as malicious actors don’t have access to that proxy, it doesn’t matter”? What if they do? What if they compromise one machine inside your environment and are then able to email a bunch of employees and convince their agents to send more tokens back to them and then delete the email before a human reads it? Now you have someone inside the wall with access to those tokens, and presumably with access to the proxy, and now they can be anyone whose agent was gullible enough to think sending them a token was a good idea. This isn’t good!

So, I thought for a while, and I came up with a new idea. We can have a broker service that obtains credentials for us. We can run that centrally, away from the agents. A client in an agentic environment can request a token, and that can result in a URL being generated and the user being directed to open a URL in a browser and authenticate. When the user authenticates, the authentication flow redirects the confirmation back via the broker, and the broker obtains the real auth token. The obvious thing to do now would be to return the auth token to the client in the agentic environment, but we don’t do that. Instead, we mint a new JWT, and add a new claim - one that contains an encrypted copy of the token. In the process we can copy over all the original claims, because those aren’t secret - and now even if the client inspects the token to figure out what access it has, it’ll get a correct answer. We sign the new token with our own signing key, and pass that back to the client. The client now has a legitimate JWT that is utterly useless, because the signature isn’t trusted by anyone other than us.

How does it use it? It makes an API request via a proxy, including the new token in the Authorization: header. The proxy verifies the signature on the token, and then decrypts the original token and swaps out the fake token for the real one. The remote API sees what it expects, and everyone is happy. There’s never a real token in the agentic environment, but also we don’t need to store anyting anywhere. The only state is the encryption keys, and those can be injected into the environment at startup. You need to scale? Just start more of these processes. You need to support multiple availability zones? Just start more of these processes in different places. No persistent data is ever held in the broker or the proxy. You don’t need to care about distributed databases or secret stores.

This felt wonderfully elegant and I felt smug about coming up with a better idea, and then I went to a bar earlier this week and sat down to read RFC 8705 and the guy next to me saw that over my shoulder and asked what I was reading and I explained why I was interested and we talked about agentic identity and then he mentioned that fly.io had something that sounded very similar and I read that and gosh yes it is very similar, so damn you fly.io for stealing my ideas 3 years before I even had them. Anyway. Now I need to do better.

Remember that there’s still a risk around anyone who has access to the proxy having access to the encrypted keys? We can remove that risk as well. It’s not uncommon for agentic environments to have an identity issued via something like SPIFFE, at which point they have a client certificate. You can probably guess where I’m going with this. If we require that an agent present a client cert to the broker when requesting a token, we can embed a representation of that client cert into the token we mint. The proxy can then require mTLS for the client connection, and can verify that the presented certificate matches the one represented in the token. If it does then whoever’s using the token has access to the private key associated with the environment it was issued to. If we then ensure that the private keys backing these certificates are either hardware or hypervisor backed, and as such tied to a specific instance, we now have a high degree of confidence that the token can only be used in its intended environment. Even if our identity provider doesn’t support RFC 8705, we can.

This is fairly straightforward where you’re using a platform where your identity provider is also the environment that’s consuming your tokens, and more annoying for third parties. The broker potentially needs some amount of third party vendor knowledge to make that work for everyone. This is even more the case where login isn’t via your identity provider (thanks, github), but none of this is insurmountable - just annoying. And where vendors issue opaque tokens rather than JWTs, this still isn’t a problem; we can just mint a new JWT that includes the opaque token as an encrypted claim, and include the same certificate binding. The opaque token ends up being the thing that’s presented to the third party, but only after we’ve verified the mTLS binding.

In an ideal world none of this would be necessary - someone would spin up a new agentic environment, a user would prove their identity, and a certificate embodying that identity would be issued to the environment with a private key that can’t be exfiltrated. That certificate would be sufficient to obtain new certificates associated with the same private key, and we could still bind that into mTLS identity. This would be much simpler, but browsers don’t support it, so it’s not likely to happen any time soon.

Anyway. Even if we can’t have the best thing, we can do better than we are at the moment, and also it would be lovely if we could standardise on this rather than have everyone build their own thing. The end.

June

SunMonTueWedThuFriSat
  1
 
2
 
3
 
4 5
 
6
 
7
 
8
 
9
 
10
 
11
 
12
 
13
 
14
 
15
 
16
 
17
 
18
 
19
 
20
 
21
 
22
 
23
 
24 25
 
26
 
27
 
28
 
29
 
30