Yeah, it's still a WIP. I appreciate the feedback though, and I do want to keep tweaking stuff like this. Feel free to add feedback at the end of level prompts too if you feel like it; I'll be reading all of them.
My pasteable "scorecard" was fairly simplistic, just 8 solid green circles followed by an ellipsis. I think you could improve this by dividing the course into regions (either visibly or invisibly - same number of regions as the par) and considering each hit to be green if it makes forward progress, amber if it doesn't, or red if it goes backwards. And don't truncate it if it takes more than 8 shots!
Also, it was very disorienting, especially after making it into the circular hole thingy; it was hard to know which way to aim. Some small sign showing which is the right way would be nice. Other than that, quite nice.
(I will be copy/pasting this answer for the other comments.)
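The region-based scorecard suggested above, as an added illustration (not the game's own code): the course is split into as many regions as the hole's par, and each shot is coloured by whether the ball's region index went up, stayed the same, or went down. Positions are assumed to be the ball's distance along the course after each shot, with 0 at the tee; the function names and the colour glyphs are my own choices.

```python
from typing import List

# Colour glyphs for the pasteable scorecard (assumed; any three symbols work).
GREEN, AMBER, RED = "🟢", "🟡", "🔴"


def region_of(position: float, course_length: float, par: int) -> int:
    """Map a distance along the course to a region index in [0, par - 1].

    Regions are equal slices of the course; anything at or past the end
    (the ball is holed out) counts as the final region.
    """
    if position <= 0:
        return 0
    idx = int(position / course_length * par)
    return min(idx, par - 1)


def scorecard(shot_positions: List[float], course_length: float, par: int) -> str:
    """Build the scorecard string for one hole.

    shot_positions: ball position after each shot (assumed: distance from tee).
    A shot is green if it reaches a later region than the previous position,
    red if it ends in an earlier region, amber otherwise. Every shot is
    emitted, so long holes are never truncated.
    """
    if par < 1 or course_length <= 0:
        raise ValueError("par must be >= 1 and course_length > 0")
    card = []
    prev_region = region_of(0.0, course_length, par)  # start on the tee
    for pos in shot_positions:
        cur_region = region_of(pos, course_length, par)
        if cur_region > prev_region:
            card.append(GREEN)
        elif cur_region < prev_region:
            card.append(RED)
        else:
            card.append(AMBER)
        prev_region = cur_region
    return "".join(card)


if __name__ == "__main__":
    # Constructed sample: par-4 hole of length 100; second shot goes backwards,
    # fourth shot stays in the same region.
    print(scorecard([30, 20, 55, 60, 100], 100, 4))
```

Because the colour depends only on the region index, a short chip that stays inside the current region shows amber rather than green, which is what the suggestion asks for; a shot that lands just past a region boundary still counts as progress.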
My bad - I misread the post.
To clear things up: I am completely aware of how to store passwords in services that check against them. You are likely to have read some of my prose on that topic in OWASP or at a conference :)
My point, after misreading the article, was that in order to authenticate to a service (the one that holds the hashed version of that password) you need to have access to its cleartext version. This is VERY bad; it should never be stored without special considerations, etc.
I read the article as if they accessed the source of the passwords, the one used to access services (a vault, with its encryption, access restrictions etc.). 5k was a lot, but those could have been bearers or similar ones.
So my comment, and the comments to it, actually yelled at me (that's good!) the way I yell at actual implementations sometimes :)
In all seriousness - thanks for the reaction, we need more of these. My next obsession is services that require "only digits" or "strictly 8 to 11 chars" for credentials :)
It has always been that way. Literally the only distro that encourages an update process with the requisite effort you should be putting in is Slackware. You should be reading the source code you build. You should be building from source. You should fully understand your toolchains. Binary-only distros have always been the equivalent of wearing a condom to have sex. Usually fine, but technically outsourcing the hard work to someone that, let's be real, 90% never get to know well enough to credibly trust to any degree. NPM and proglang-level package management just doubled down on the real estate you had to sift through.
Being a responsible programmer/sysadmin has always been read-heavy, as long as I've been alive. Write-only code is antithetical to the basis of running a trustworthy system.
The fact that supply chains have always existed is not meaningful. The issue is that the occurrence is considerably increasing. It's factually riskier to administer systems.
> You should be reading the source code you build. You should be building from source. You should fully understand your toolchains.
This is not realistic for the vast majority of the companies.
The Internet is quite fine at delivering packages over encrypted channels which I can trust. (Except where interdicted by governments, like in China, India, Russia, Türkiye, ...)
The Web is a rather different beast, but the question is not "can you trust the Internet", but "can you trust a random website", and now even "can you trust a previously trustworthy website".
You of course should not trust any pictures or videos as critical evidence, they should be corroborated by other means. But this has been true for several years now.
While there genuinely was fake content and astroturfed material on the web prior to LLMs, the cost to produce this stuff has fallen enormously. A major corporation or a state actor might pay a bunch of money for inorganic content, but it was hard for some rando in Estonia to spin up a network of fake content to monetize on TikTok or whatever. This leads to way more fake content about a much wider range of topics.
To clarify, I meant it from a lay person's perspective. I do realize that one can argue if the average person will have developed this awareness now. The difference this time, I feel, is that the genAI tools are widely available for normal people to experiment with which will hopefully help develop this visceral feeling.