#stackvm 2014-11-29 | index | previous (2014-11-28) | next (2014-11-30) | latest
00:00:01  * ircretaryquit (Remote host closed the connection)
00:00:09  * ircretaryjoined
00:03:05  * phatedquit (Read error: Connection reset by peer)
00:03:26  * phatedjoined
00:18:32  * thlorenzquit (Remote host closed the connection)
00:31:51  * thlorenzjoined
00:34:08  * thlorenzquit (Remote host closed the connection)
00:54:09  * domanic_joined
00:54:34  * brianloveswordsquit (Quit: Computer has gone to sleep.)
00:58:05  * domanicquit (Ping timeout: 264 seconds)
01:00:20  * phatedquit (Remote host closed the connection)
01:00:58  * phatedjoined
01:05:33  * phatedquit (Ping timeout: 258 seconds)
01:06:17  * defunctzombie_zzchanged nick to defunctzombie
01:08:53  * domanic_quit (Ping timeout: 264 seconds)
01:10:26  <defunctzombie>kumavis: this is why iframe signin is insecure and no one does it with iframes
01:10:35  <defunctzombie>you have to use a new window for that sort of thing
01:11:10  <kumavis>Yeah I was suspicious when I realized no one seems to do it : )
01:11:39  <kumavis>im curious about the double iframe though --- do iframes have an origin of their src ?
01:12:55  * contrahaxquit (Quit: Sleeping)
01:13:04  * domanic_joined
01:13:41  <defunctzombie>there are headers you can set to prevent an page from being inserted as an iframe
01:16:59  <kumavis>right i understand that
01:17:44  <kumavis>so lets say i disallow embedding in my app except for one page example.com/embed
01:18:28  <kumavis> /embed has a sandboxed iframe that points to some entrypoint for my app
01:19:20  <kumavis>so the 3rd party can insecurely include an iframe pointing at my /embed wrapper, which then securely encases my app
01:20:05  <defunctzombie>you cannot securely encase your app
01:20:18  <defunctzombie>the problem is not the iframe, it is clickjacking on top of the iframe
01:20:42  <kumavis>but that requires /embed 's iframe to claim its origin is example.com
01:21:01  * contrahaxjoined
01:21:14  <kumavis>can clickjacking extract the user's password?
01:22:40  <kumavis>defunctzombie: im not sure what the risks / attack vectors are
01:23:27  <defunctzombie>probably not for passwords, don't remember
01:24:05  <defunctzombie>the danger is always that there is an invisible div on top of your iframe. and whatever someone can do with that
01:24:42  <joepie91_>kumavis: some people *do* actually do iframe sign-in, but typically only with sign-in scenarios where both auth server and end user service are under their own control
01:25:10  <kumavis>in this case it would be with whitelisted 3rd parties
01:25:41  <kumavis>but money is involved, so its a desirable target
01:26:11  <joepie91_>kumavis: "money is involved" in what sense?
01:26:26  <kumavis>its a crypto asset exchange
01:26:43  <joepie91_>kumavis: okay, quick competency test, just to make sure
01:26:48  <joepie91_>if I say floating point, you say...?
01:27:15  <joepie91_>(I'll explain in a moment)
01:27:34  <kumavis>jittery frustum when wandering in 3d worlds far from the origin
01:27:48  <kumavis>er i mean rounding error
01:28:13  <defunctzombie>if money is involved avoid iframe
01:28:35  <joepie91_>kumavis: okay, so you are using integer(-like) types everywhere? :)
01:29:20  <kumavis>im not in charge of the backend, but ill prod them about it
01:29:34  <joepie91_>alright, make sure please, far too many exchanges have failed on this in the past :P
01:29:35  <joepie91_>anyway
01:29:43  <joepie91_>to continue; avoid using iframes for anything, really
01:30:21  <joepie91_>aside from headers disallowing iframing your pages, you'll likely also want to add some "break-out" JS to deal with older browsers that don't understand the headers
01:30:34  <joepie91_>as for SSO... be very, very careful with it
01:30:48  <joepie91_>it's easy to get wrong, like most security/crypto stuff
01:30:57  <joepie91_>preferably use an existing, well-tested solution, even if it seems clunky
01:31:18  <joepie91_>the ideal option would be to avoid SSO altogether, but I'm not sure exactly what functionality you're trying to build, so that may not be an option
01:31:59  <joepie91_>even if you trust your third parties, you still don't have full access to their systems, so you can't verify that they don't have the appropriate security controls in place to prevent somebody from compromising their systems
01:32:09  <joepie91_>so for all practical purposes, they're to be considered untrusted entities
01:33:02  <joepie91_>I think there was actually an example of clickjacking that used a bank as an example...
01:33:55  <kumavis>so if a 3rd party is breached and someone puts login and password inputs over mine, the user would be breached.. but if we handled sign-on out of band (another window), would it be possible to safely provide some functional widget via double iframes?
01:34:14  <kumavis>i agree about considering the 3rd parties as untrusted
01:34:28  <joepie91_>basically, just don't bother with iframes at all
01:34:36  <joepie91_>they're handled in wildly different manners by different browsers
01:34:47  <joepie91_>there's too much risk that you overlook some kind of edge case and end up being vulnerable
01:34:53  <joepie91_>and as you said, money's involved, it's a desirable target
01:34:58  <kumavis>yeah
01:35:26  <joepie91_>oh, kumavis, related: please make sure that there's CSRF protections in place :)
01:35:35  <joepie91_>commonly forgotten
01:35:40  <kumavis>yep
01:35:48  <joepie91_>also, what language is the backend in?
01:36:01  <kumavis>its a rails project
01:36:02  <joepie91_>(might as well go all the way)
01:36:09  <joepie91_>ah, I'm not familiar with the Ruby ecosystem
01:36:17  <joepie91_>do the DB libraries use parameterized APIs by default?
01:36:24  <joepie91_>or mysql_ like escaping crap?
01:37:18  <defunctzombie>kumavis: still in stealth mode?
01:37:44  <kumavis>nah we're launched, its just small melotic.com
01:38:03  * joepie91_goes look
01:38:37  <kumavis>joepie91_: good questions, i'm not really familiar with rails or our backend enough to speak to it
01:38:46  <kumavis>im part timing the front end
01:38:51  <joepie91_>hm
01:38:54  <joepie91_>kumavis: a few comments
01:39:06  <joepie91_>1) the API page refers to "Nonce" on the Chinese wikipedia
01:39:09  <kumavis>and was asked to look into embedding stuff in partners pages
01:39:12  <joepie91_>should probably be the English one, for English docs :)
01:39:35  <joepie91_>2) it recommends using a timestamp as the nonce... depending on your implementation, that may not be a good idea
01:40:04  <joepie91_>(what happens on multiple requests within the same second, when your platform of choice provides timestamps with a 1-second resolution?)
01:41:32  <joepie91_>hrm. access_key == secret?
01:41:36  <joepie91_>or are those two different things
01:42:01  <kumavis>well it would fail if you're not providing a "A constantly increasing number," as is stated as required. We could add a note I suppose.
01:42:20  <joepie91_>API docs indicate that it's to be kept private, but doesn't indicate whether the access_key is the account identifier or the signing key
01:42:35  <joepie91_>if it's the latter, then you definitely shouldn't be encoding it into the request :P
01:42:52  <joepie91_>right, yeah - these kind of edgecases are not what an average dev is going to think about
01:43:08  <joepie91_>they'll just go 'well, they recommended using a timestamp', use the first timestamp they can find, and then wonder after a week why they're getting API errors
01:43:28  * phatedjoined
01:43:36  <kumavis>im curious what the error message looks like
01:44:23  * joepie91_continues trying to poke holes
01:44:31  * thlorenzjoined
01:44:40  <kumavis>yeah plz
01:45:52  * mmaleckiquit (Ping timeout: 255 seconds)
01:46:02  <joepie91_>kumavis: hrm. I reloaded the login form twice, and both instances have the same authenticity_token (which I presume is the CSRF token)
01:46:35  <joepie91_>the token also does not change after a form submission
01:46:44  <joepie91_>that's probably not good :P
01:47:16  <joepie91_>yeah, and the token is identical across forms
01:47:21  <joepie91_>sign up and login have the same token
01:47:46  <joepie91_>(I'm also wondering why it's in base64?)
01:48:10  <joepie91_>(leads me to believe that the token may be generated from predictable source data, rather than being truly random... and it really should be random)
01:48:37  <joepie91_>also, your captcha is very weak, you may want to consider replacing it with a reverse captcha instead
01:49:40  <joepie91_>hrm. most API calls are correctly returning numeric values as strongs, but "Obtain Market Depth" does not appear to do so
01:50:12  <joepie91_>"Get Deposit History" returns "confirms" as a number, while "Get My Withdrawal History" returns it as a string
01:51:47  <joepie91_>mm, Incapsula...
01:52:28  <joepie91_>kumavis: be aware that you are sending all your traffic through Incapsula in such a way that they can see its contents - if Incapsula were to be compromised, an attacker could theoretically intercept all your traffic as well
01:52:34  <joepie91_>the same problem as with exchanges behind Cloudflare, really
01:52:59  <defunctzombie>cloudflare has some new option where they don't store your cert
01:53:07  <defunctzombie>I haven't looked into it but it seemed interesting
01:54:33  <joepie91_>defunctzombie: SNI cert passthrough?
01:54:42  <joepie91_>because I've been waiting for that for a while :)
01:54:47  <defunctzombie>dunno what it is called, let me see
01:55:09  <joepie91_>anyway, bit annoying, incapsula is keeping me from putting apostrophes in random places to see whether it uses parameterized queries :P
01:55:42  <joepie91_>that's interesting... if you give a negative number to buy_depth, it will cut off the last X items
01:55:50  <joepie91_>wonder if that's intended functionality.. :)
01:56:04  <defunctzombie>http://blog.cloudflare.com/announcing-keyless-ssl-all-the-benefits-of-cloudflare-without-having-to-turn-over-your-private-ssl-keys/
01:57:17  * joepie91_dicks with parameters
01:58:59  <joepie91_>kumavis: found you a problem: https://www.melotic.com/api/markets/ltc-btc/buy_depth?count=1e25
01:59:06  <joepie91_>it's 500ing :)
01:59:15  <joepie91_>rather than returning a JSON error
01:59:27  <joepie91_>probably just a "number too big" or whatever, but hey
01:59:57  * pelletierjoined
02:02:28  <joepie91_>kumavis: also, may I suggest having the API return a 503 for "server too busy" rather than 500? 500 is only meant as generic server error fallback
02:02:48  <joepie91_>and in this particular case, it makes it hard to distinguish between "server is too busy" and "you triggered an edgecase that is currently broken but shouldn't be"
02:03:43  <kumavis>yeah thats legit
02:03:53  <joepie91_>kumavis: okay, that's all issues I've run across without registering an account, I think
02:04:02  <joepie91_>footnote: I'm not a professional (security) auditor :P
02:04:35  <kumavis>i claim imposter syndrome
02:07:23  <kumavis>I'll pass this on, do you want to share some contact info in case peeps are a fan of your auditing
02:07:44  <joepie91_>so, tl;dr: 1) Nonce link on English version of site should reference English Wikipedia, 2) It shouldn't advise timestamp or only do so with caveats clearly mentioned, 3) captcha needs to be improved, possibly including a reverse captcha, 4) API key needs to be clarified - is an "access_key" the user ID or the signing key? 5) there should be unique CSRF auth keys for each form/pageload, and they DEFINITELY shouldn't be reused, 6) should
02:07:46  <joepie91_>verify that the token is indeed really random and not derived from (guessable) data, 7) string/number return inconsistencies in API - should be "string everywhere", 8) Incapsula is a potential security issue as they can intercept all traffic, 9) double check whether negative 'count' params are a feature rather than a bug, because edgecases, 10) it does not handle large numbers correctly, 11) "too busy" should be 503, not 500
02:07:52  <joepie91_>consider that a free amateur audit report :D
02:08:04  <joepie91_>kumavis: sure, [email protected] for email or [email protected] for XMPP
02:08:43  <joepie91_>and nah, I'm really not a professional auditor, just a dev with a slight obsession for security :P
02:09:43  <kumavis>as soon as someone pays you to do it you're professional
02:09:46  <joepie91_>also, kumavis, for context; overall, it seems pretty solid
02:09:51  <kumavis>yeey
02:09:52  <joepie91_>definitely better than most stuff I run across
02:10:01  <joepie91_>and well, I don't think I've ever done paid auditing :P
02:10:07  <joepie91_>not money-paid, anyway
02:10:12  <joepie91_>reputation-paid, perhaps...
02:10:21  <kumavis>"will audit for food"
02:12:12  <joepie91_>haha
02:20:51  * thealphanerdjoined
02:25:40  * domanic_quit (Ping timeout: 258 seconds)
02:34:16  <joepie91_>kumavis: something I just remembered; do you have two-factor auth?
02:34:26  <joepie91_>on melotic
02:44:08  * defunctzombiechanged nick to defunctzombie_zz
02:53:33  * dguttmanjoined
02:55:20  <kumavis>joepie91_: yes but i think its optional
02:56:26  <joepie91_>kumavis: should probably make it very heavily encouraged :) assuming it's a somewhat platform-neutral method like SMS (so, not Google Authenticator or somesuch)
03:05:58  * thlorenzquit (Remote host closed the connection)
03:10:32  * dguttmanquit (Quit: dguttman)
03:17:07  * dguttmanjoined
03:27:00  * kid_icarusjoined
04:11:08  * michaelrhodesjoined
04:11:25  * contrahaxchanged nick to _contrahax
04:17:46  * dguttmanquit (Quit: dguttman)
04:31:52  * fotoveritequit (Quit: fotoverite)
04:36:26  * pfrazequit (Quit: Leaving)
04:54:29  * thlorenzjoined
04:59:17  * thlorenzquit (Ping timeout: 264 seconds)
05:05:18  * shamaquit (Remote host closed the connection)
05:08:51  * _contrahaxchanged nick to contrahax
05:22:15  * contrahaxchanged nick to _contrahax
05:29:53  * DamonOehlmanquit (Ping timeout: 264 seconds)
05:37:59  * kesslerquit (Remote host closed the connection)
06:00:50  * thealphanerdquit (Quit: thealphanerd)
06:01:18  * thealphanerdjoined
06:06:21  * shamajoined
06:10:09  * stagasjoined
06:10:42  * shamaquit (Ping timeout: 245 seconds)
06:19:20  * knownasilyaquit (Quit: Connection closed for inactivity)
06:28:26  * feross_joined
06:30:56  * jjjohnny_joined
06:30:57  * ahdinosa1rjoined
06:34:45  * rwaldron_joined
06:37:14  * ircretaryquit (*.net *.split)
06:37:15  * rwaldronquit (*.net *.split)
06:37:15  * ferossquit (*.net *.split)
06:37:15  * sh4lquit (*.net *.split)
06:37:15  * ahdinosaurquit (*.net *.split)
06:37:15  * jjjohnnyquit (*.net *.split)
06:37:54  * feross_changed nick to feross
06:38:50  * kesslerjoined
06:39:00  * sh4ljoined
06:43:16  * kesslerquit (Ping timeout: 256 seconds)
06:43:36  * thlorenzjoined
06:48:22  * thlorenzquit (Ping timeout: 256 seconds)
07:06:55  * shamajoined
07:11:38  * shamaquit (Ping timeout: 258 seconds)
07:15:24  * fotoveritejoined
07:17:59  * brianloveswordsjoined
07:28:34  * brianloveswordsquit (Quit: Computer has gone to sleep.)
07:29:37  * Mso150_pquit (Ping timeout: 240 seconds)
07:32:17  * peutetrejoined
07:42:07  * Mso150_pjoined
07:42:51  * peutetrequit (Quit: peutetre)
07:42:58  * shamajoined
07:48:16  * shamaquit (Quit: (╯°□°)╯︵ɐɯɐɥs)
07:53:02  * thealphanerdquit (Quit: thealphanerd)
07:54:36  * kesslerjoined
07:55:29  * fotoveritequit (Quit: fotoverite)
07:59:10  * kesslerquit (Ping timeout: 258 seconds)
08:32:25  * thlorenzjoined
08:36:52  * thlorenzquit (Ping timeout: 244 seconds)
08:56:30  * thealphanerdjoined
09:22:01  * gorhgorhjoined
09:28:06  * gorhgorhquit (Quit: gorhgorh)
09:33:13  * aulaitquit (Remote host closed the connection)
09:36:33  * kid_icarusquit (Ping timeout: 272 seconds)
09:40:34  * aulaitjoined
09:43:23  * kesslerjoined
09:47:47  * kesslerquit (Ping timeout: 245 seconds)
10:02:55  * phatedquit (Remote host closed the connection)
10:03:41  * phatedjoined
10:21:19  * thlorenzjoined
10:26:02  * thlorenzquit (Ping timeout: 265 seconds)
10:28:41  * stagasquit (Ping timeout: 264 seconds)
10:48:37  * Mso150_pquit (Ping timeout: 240 seconds)
10:59:07  * kesslerjoined
11:01:31  * oldskirtjoined
11:03:56  * kesslerquit (Ping timeout: 256 seconds)
11:05:04  * oldskirt_quit (Ping timeout: 256 seconds)
11:41:17  * domanic_joined
11:42:04  * peutetrejoined
11:49:18  * DamonOehlmanjoined
11:49:30  * oldskirt_joined
11:53:11  * oldskirtquit (Ping timeout: 252 seconds)
11:53:49  * DamonOehlmanquit (Ping timeout: 255 seconds)
12:10:01  * thlorenzjoined
12:12:06  * brianloveswordsjoined
12:14:17  * thlorenzquit (Ping timeout: 240 seconds)
12:14:24  * DamonOehlmanjoined
12:14:51  * kesslerjoined
12:17:13  * domanic_quit (Ping timeout: 255 seconds)
12:19:27  * kesslerquit (Ping timeout: 258 seconds)
12:21:03  * peutetrequit (Ping timeout: 252 seconds)
12:22:09  * brianloveswordsquit (Quit: Computer has gone to sleep.)
12:22:12  * peutetrejoined
12:22:27  * mmaleckijoined
12:24:49  * DamonOehlmanquit (Ping timeout: 258 seconds)
12:35:19  * peutetrequit (Quit: peutetre)
12:39:16  * gorhgorhjoined
13:00:53  * phated_joined
13:03:55  * phatedquit (Ping timeout: 258 seconds)
13:15:37  * kesslerjoined
13:19:56  * kesslerquit (Ping timeout: 256 seconds)
13:58:48  * thlorenzjoined
14:00:16  * kesslerjoined
14:03:21  * thlorenzquit (Ping timeout: 252 seconds)
14:08:37  * kessler_joined
14:09:07  * kesslerquit (Read error: Connection reset by peer)
14:20:57  * kessler_quit (Read error: Connection reset by peer)
14:20:59  * kesslerjoined
14:21:05  * stagasjoined
14:34:31  * kesslerquit (Ping timeout: 252 seconds)
14:49:45  * kesslerjoined
14:56:56  * kesslerquit (Read error: Connection reset by peer)
14:56:57  * kessler_joined
15:02:24  * oldskirtjoined
15:05:17  * oldskirt_quit (Ping timeout: 240 seconds)
15:07:51  * kessler_quit (Read error: Connection reset by peer)
15:08:11  * kesslerjoined
15:09:12  * kesslerquit (Read error: Connection reset by peer)
15:09:46  * kesslerjoined
15:14:00  * pfrazejoined
15:15:13  * kesslerquit (Ping timeout: 244 seconds)
15:15:20  * kesslerjoined
15:27:00  * kessler_joined
15:29:48  * brianloveswordsjoined
15:29:52  * kesslerquit (Ping timeout: 245 seconds)
15:30:18  * domanic_joined
15:30:21  * fotoveritejoined
15:38:49  * _contrahaxquit (Ping timeout: 255 seconds)
15:40:03  * contrahaxjoined
15:42:01  * peutetrejoined
15:47:33  * thlorenzjoined
15:52:07  * thlorenzquit (Ping timeout: 272 seconds)
15:56:46  * kesslerjoined
15:58:57  * kessler_quit (Ping timeout: 240 seconds)
16:05:24  <ogd>"Unlike other package management systems such as NPM, NuGet and RubyGems, Go does not provide a centralized repository for Go packages. The Go package management system is designed to work with modern scenarios where developers share source through repositories hosted on Github." lolwut
16:05:24  <ogd>http://thenewstack.io/a-closer-look-at-golang-from-an-architects-perspective/
16:12:06  <domanic_>ogd, github is a force of nature!
16:12:53  <domanic_>data scientists first predicted the possibility of github back in the 50's
16:13:09  <domanic_>but only recently was it's existance proven
16:19:44  * pfallenopquit (Ping timeout: 250 seconds)
16:20:47  * pfallenopjoined
16:32:43  * thlorenzjoined
16:34:57  * thlorenzquit (Remote host closed the connection)
16:35:31  * thlorenzjoined
16:35:48  * thlorenzquit (Read error: Connection reset by peer)
16:35:56  * thlorenzjoined
16:37:09  * thlorenzquit (Remote host closed the connection)
16:37:56  * kid_icarusjoined
16:38:51  * thlorenzjoined
16:39:28  * pilijoined
16:41:07  * thlorenzquit (Remote host closed the connection)
16:41:48  * thlorenzjoined
16:42:19  * peutetrequit (Quit: peutetre)
16:46:12  * thlorenzquit (Remote host closed the connection)
17:05:53  * domanic_quit (Ping timeout: 240 seconds)
17:13:50  <jjjohnny_>feross: u back in the big BA?
17:38:28  * thlorenzjoined
17:42:04  * kid_icarusquit (Ping timeout: 250 seconds)
17:43:28  * stagasquit (Read error: Connection reset by peer)
17:45:23  * stagasjoined
18:05:42  * kid_icarusjoined
18:05:45  * piliquit (Ping timeout: 272 seconds)
18:08:50  <mikolalysenko_>versions without immutable names don't work
18:15:56  * Mso150_pjoined
18:24:29  <jjjohnny_>thats what hashes are for
18:32:23  * fotoveritequit (Quit: fotoverite)
18:34:34  * reqsharkquit (Quit: Be back later ...)
18:35:00  * reqsharkjoined
18:35:12  * thlorenzquit
18:36:32  * thlorenzjoined
18:42:09  * mikolalysenko_quit (Ping timeout: 264 seconds)
18:43:46  * mikolalysenko_joined
18:45:44  * aulaitquit (Ping timeout: 264 seconds)
18:45:44  * jden_quit (Ping timeout: 264 seconds)
18:45:58  * jden_joined
18:47:42  * thlorenz_joined
18:52:17  * thlorenz_quit (Ping timeout: 240 seconds)
18:53:48  * gorhgorh_joined
18:54:47  * dguttmanjoined
18:56:35  * gorhgorhquit (Ping timeout: 256 seconds)
18:56:35  * gorhgorh_changed nick to gorhgorh
18:57:09  * stagas_joined
19:00:16  * dguttmanquit (Quit: dguttman)
19:00:47  * stagasquit (Ping timeout: 265 seconds)
19:00:57  * stagas_changed nick to stagas
19:12:29  * kid_icarusquit (Ping timeout: 264 seconds)
19:22:14  * fotoveritejoined
19:30:25  * aulaitjoined
19:59:26  <jjjohnny_>you guys could at least spam yr twitter feeds RTing me, so i dont do this in vain
20:04:32  * thealphanerdquit (Quit: thealphanerd)
20:12:34  <jjjohnny_>i mean if yr not gonna pipe out yr damn selfie
20:12:46  * jjjohnny_silencio
20:19:51  * yoshuawuytsjoined
20:20:03  * yoshuawuytsquit (Client Quit)
20:34:09  * pfrazequit (Quit: Leaving)
20:39:25  * Mso150_p_ljoined
20:40:19  * Mso150_pquit (Ping timeout: 255 seconds)
20:40:24  * thlorenzquit (Remote host closed the connection)
20:41:47  * anvaka_quit (Remote host closed the connection)
20:43:27  * anvakajoined
20:47:25  * pfrazejoined
21:02:21  * ednapiranhajoined
21:03:08  * Mso150_p_lquit (Ping timeout: 264 seconds)
21:03:44  * Mso150_p_ljoined
21:13:34  * ednapiranhaquit
21:23:50  * anvaka_joined
21:23:53  * anvakaquit (Read error: Connection reset by peer)
21:25:31  <mikolalysenko_>jjjohnny_: you can't upgrade a hash
21:25:44  <mikolalysenko_>you can pin to a specific name with a hash, but you can't have versions with hashes
21:26:02  <mikolalysenko_>basically you need a naming service if you want to have upgradeable versions for libraries
21:27:09  <mikolalysenko_>on the other hand, if you reject the whole concept of versions/upgrades anyway, then maybe hashes will appeal to you
21:41:30  <feross>jjjohnny_: what is BA?
21:50:46  <jjjohnny_>Bay Area
21:52:18  * AvianPhonejoined
22:00:28  <ogd>oh i thought it was buenos aires (where jsconfar is happening)
22:01:03  <jjjohnny_>thats lil BA
22:01:17  <jjjohnny_>this the big BA
22:01:42  <jjjohnny_>ogd: you might appreciate this release right here
22:01:45  <jjjohnny_>https://folkstack.bandcamp.com/album/intoreducing
22:02:35  <jjjohnny_>two bass drums, mine and yours, make some awesome dual booting
22:03:57  <jjjohnny_>also, your sessions will be released by "folk stack", as well as recordings by substack and others
22:05:25  <jjjohnny_>thats me btw obv
22:28:54  * thlorenzjoined
22:33:17  * thlorenzquit (Ping timeout: 240 seconds)
22:54:59  * contrahaxquit (Quit: Sleeping)
22:58:00  * anvaka_quit (Remote host closed the connection)
23:04:25  * anvakajoined
23:14:29  * devhoagjoined
23:28:45  * contrahaxjoined
23:30:50  * kid_icarusjoined
23:32:47  * domanic_joined
23:33:07  * pfrazequit (Quit: Leaving)
23:36:44  * thlorenzjoined
23:49:43  * contrahaxquit (Quit: Sleeping)
23:52:11  * contrahaxjoined