I also like it. At one point I had my team move all of our team management to it as well. It was a little bit painful at first, but once you understand the issue, epic, milestone hierarchy it was great. The board feature that does kanban was cool. Switching from dedicated ec2 runners to pods in our cluster was less awesome…
net-ntlmv1 rainbow tables have been around forever too though, the same attack documented in this blog post has been hosted as a web service at https://crack.sh/netntlm/ for 10+ years
A few years ago I was doing some VM things in Azure. Hadn't touched Azure before, and spent 10+ minutes of frustration trying to figure out how to get amd64/x86_64 things started, as the only thing I could find was "Azure ARM", and on googling, "arm" here means azure resource manager... ARGH why does Microsoft insist on using existing names and acronyms!?!?
I was part of a user study on Azure back when it first rolled out-- they were looking for seniors with an AWS background to participate in UX research, and I remember walking out of that study with imposter syndrome for the very first time. Spent 60 minutes totally unable to do the thing I wanted to do when I was introduced to Azure for the first time, and I remember thinking... am I a fraud?
No! Not this time, at least. In hindsight everything was named and organized terribly and it hasn't improved much since.
NTLM is often used for more of the underlying technologies, some more secure than others… nthash, net-ntlmv1, net-ntlmv2. There’s a little more complexity here and this is different than the stuff that was out 15 years ago
> this is different than the stuff that was out 15 years ago
This stuff was out at least 10-15 years ago. It’s different from the ancient local ntlm hash cracking everyone used to get admin in high school, yes, but it’s not a novel technique.
Yes! haha! But hopefully I have a good enough support group and connections that I'll be ok if that happens, I just really wanted to prove that they were not being honest when they said it was data prior to 2024.
Thx. I have TOP pulled up- I’ll take a peek at GoRails as well. There are other things like Hotwire that I’d like to understand but will come back to that after I get a hand on the framework.
Good intentions but I don’t expect much to come except contractor 1’s would-be competitors closing the gap or using this to throw stones based on existing contract code quality. It is easier to write code than it is to read code!!
That’s cool. These are my expectations. Company 1 wins contract and builds something, key team members are experienced with making and navigating the “process”. Company 2 copy/pastes. They have not performed any work yet but they entered a bid X years later and bring up the years of “mediocre” dev Company 1 has done. There is only existing company 1 work and only hope of company 2. Contracting Officer chooses company 2 because promises sound good!
Reality, company 2 wins on cost and doesn’t understand the context of what was built or the environment it was built in. They don’t understand the costs as they didn’t pay them. Company 2 quickly proposes “full rewrite!” Lower cost labor they brought in can’t perform and quality degrades till we have (insert Gov software program here).
Ideally, a body such as NIST would become the stewards of federal libraries that contractors are then compelled to use and improve. If the end goal is about cost efficiency more than any other ideal or objective, then that type of centralisation and reuse should be promoted and enforced.
I'm not familiar with US government procurement, but the way public tenders for software work in the EU, this isn't that likely to happen. You need some serious references to even qualify for most tenders, especially the kinds that this would be a problem for.
Without serious corruption, you're not getting it. And with serious corruption, having seen the code won't make a difference.
Organizations often make a few missteps before figuring out what works. Some amount of failure is to be expected when doing anything on the scale of a nation. At least if everything's open, each attempt has the opportunity to learn from the last and can be evaluated on its merits in comparison. It's also likely that other organizations will find some of the software useful.