hazelnoot

@hazelnoot@enby.life

Hazel (she/her) - Transfem software developer.

[ Admin of Enby.Life ]

Hi! I'm Hazel, a transfem software developer with an interest in gaming, retrocomputing, open-source software, and queer life.

General CW: I often post and interact with sensitive content (NSFW, triggering, or just generally not-work-appropriate), but I try to keep it behind an appropriate Content Warning. Please let me know if I ever forget, and I'll fix it immediately!

Before following, please have a bio/intro and a few public posts. I review all follow requests for safety reasons. Minors are welcome to follow and interact, but not with my NSFW posts / boosts please.

Please don't flirt with me without specific consent.

I am not looking for new partners at this time.

PFP source and alt text:
> Pixel art of a light-skinned cat-girl with long and messy blue hair adorned with gold stars. She smiles at the viewer with a "W" expression. Her face is covered with a slight blush and a large band-aid right across the nose.

#NoArchive #NoIndex #NoSearch #NoBridge #NoBot #NoAI

hazelnoot, to random

btw I'm still very available for hire!

Full-Stack Software Engineer experienced with System Design / Architecture, Software Development, Computer Security, and other DevOps processes (Testing, Deployment, Operations, Monitoring). Experienced with Cloud, On-premises (bare-metal), and Embedded system environments. Excellent team player described as "genuine", "charismatic", and "a joy to work with" by current and former leadership.

Greatly experienced in Software Development positions, but looking to pivot to a more security-oriented role within the development field, ideally using my experience in Computer Security and Secure Software Development to help build safe and reliable backend software. My ideal job would be a long-term position on a team with a healthy work environment and friendly (but professional) work relationships.


Decade of experience in Software Development and Computer Security, plus non-professional experience in Linux System Administration, Embedded Software Development, and Security Auditing. I've got a Bachelor's Degree in Computer Science (Cyber Security concentration) and have training in GDPR, PCI, HIPAA, FERPA, and other compliance requirements.

I work well on a team and have experience with many common work management platforms (Azure DevOps, Jira, RTC), office suites (Microsoft Office, Google Cloud / Workspace, Office 365, Open/Libre Office), and other collaboration tools (Skype, Zoom, WebEx, Google Meet, Microsoft Teams).

My experience is primarily in C# (DotNet Framework, Core, and Modern), Web Platform Technologies (TypeScript, JavaScript, HTML, CSS, SCSS, SASS), and Relational (SQL) Databases (PostgreSQL, Oracle, SQLServer, SQLite), but I'm a quick learner and could easily adopt any technology that's similar to something I know. I have extensive experience with Cloud Development (Microsoft Azure), On-Premises Deployment, and Hosted Servers (VPS, managed, and bare-metal).

I also have experience in customer support, and while I'm not willing to accept any IT Helpdesk or Support role, I do believe that experience helps me in the software development field as well. I've been commended by managers for my ability to explain technical information in non-technical terms, work with inexperienced or non-technical staff in a supportive way (I never talk down or judge anyone for lacking knowledge), and participate constructively in cross-functional discussions beyond my area of expertise.

I enjoy a good challenge, as long as I have the support and tools I need. I pride myself in delivering robust, well-tested, and reliable solutions that can last long-term with minimal maintenance requirements or tech debt.


While I'm generally flexible in most things, I do require a position with strong healthcare benefits, remote work options, and an inclusive work environment. I also strongly desire time flexibility to support my role as a caretaker for my physically-disabled wife. I prefer a role that does not use AI-based coding tools, but I'm willing to use them if required.


If this sounds like someone you'd like at your organization, then please send a DM (Private Message)! Resume and professional contact details available upon request. Otherwise, please boost for visibility!

hazelnoot, to random

PSA: Google Calendar will start leaking your personal event labels in one month

hazelnoot, to random

Just added this comment to a codebase ​:neofox_woozy:​

/**
 * TODO this is fucked, remove it ASAP
 * @deprecated for the love of god, please don't use this 😭
 */
hazelnoot, to random

Auditing an organization's website

Notice that some email links automatically log in as the recipient

Observe GET https://[redacted domain].com/directlogin.php?userid=[redacted base64] in the redirect chain

decode [redacted base64]

it's my email address and nothing else

replace it with someone else's email

immediately logged in as that person

​:neofox_googly_shocked:​ ​:neofox_googly_shocked:​ ​:neofox_googly_shocked:​

hazelnoot OP,

maybe I should switch careers, seems like computer security still has a lot of low-hanging fruit

hazelnoot OP,

and I just found a different vuln that allows enumerating all email addresses registered to the system ​:neofox_melt_2:​

hazelnoot OP,

holy shit it embeds user passwords plaintext in a hidden field ​:senko_horrified:​
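
An added example (not part of the original posts, and not the audited site's code) contrasting the link parameter described in this thread, which is only an encoding of the e-mail address, with a signed, expiring, single-use token. The function names, the in-memory nonce store and the sample addresses are assumptions made for illustration.

```javascript
// Added illustration: names and values are constructed, not the audited site's code.
const crypto = require('node:crypto');

const SECRET = crypto.randomBytes(32); // server-side key, never sent to clients
const usedNonces = new Set();          // stand-in for a persistent store

// Pattern from the thread: the parameter is just base64(email).
// Base64 is an encoding, so anyone can produce a valid value for any address.
function weakLinkParam(email) {
  return Buffer.from(email, 'utf8').toString('base64');
}
function weakVerify(param) {
  return Buffer.from(param, 'base64').toString('utf8'); // nothing is checked
}

// Hardened pattern: claims + HMAC-SHA256 tag, short expiry, single use.
function issueToken(email, ttlSeconds, now = Date.now()) {
  const claims = JSON.stringify({
    sub: email,
    exp: now + ttlSeconds * 1000,
    nonce: crypto.randomBytes(16).toString('hex'),
  });
  const body = Buffer.from(claims, 'utf8').toString('base64url');
  const tag = crypto.createHmac('sha256', SECRET).update(body).digest('base64url');
  return `${body}.${tag}`;
}

// Returns the e-mail the token was issued for, or null if it must be rejected.
function verifyToken(token, now = Date.now()) {
  const [body, tag] = String(token).split('.');
  if (!body || !tag) return null;
  const expected = crypto.createHmac('sha256', SECRET).update(body).digest();
  const given = Buffer.from(tag, 'base64url');
  // timingSafeEqual throws on a length mismatch, so compare lengths first.
  if (given.length !== expected.length) return null;
  if (!crypto.timingSafeEqual(given, expected)) return null;
  // The body is parsed only after its tag has been verified.
  const claims = JSON.parse(Buffer.from(body, 'base64url').toString('utf8'));
  if (now > claims.exp) return null;               // expired link
  if (usedNonces.has(claims.nonce)) return null;   // link already used
  usedNonces.add(claims.nonce);
  return claims.sub;
}
```

A token like this should still be treated as a bearer credential: keep it out of logs and referrers, and keep the lifetime short.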

hazelnoot, to random

Do you:

hazelnoot, to random

Incoming SMS and RCS audio attachments received by Google Messages are now automatically decoded with no user interaction. As a result, audio decoders are now in the 0-click attack surface of most Android phones.

are you kidding me

RE: natashenka (@natashenka@infosec.exchange): Today, Project Zero released a 0-click exploit chain for the...

hazelnoot, to random

This instance runs on

​:ubuntu:​Ubuntu Linux​:ubuntu:​

and feels no shame

hazelnoot, to random

Related observation: every user with an AI PFP so far has been a 20s - 40s cishet white man.

RE: https://enby.life/notes/afqpusk5bl

hazelnoot, to random

Feeling irrationally proud that all my 13,000 line pull requests are the result of ADHD-fueled scope creep, not because I just asked some chatbot to do the work! ​:neofox_laugh:​

RE: https://monads.online/users/dankwraith/statuses/115622842059394793

hazelnoot, to random

federation test - please react to this message if you can see it!

hazelnoot OP,

ok, please try reacting to this - especially if you're on a non-mastodon instance!

hazelnoot, to random

Enby.Life's ActivityPub inbox is broken, so all messages, reactions, and posts sent since yesterday evening have been lost. I'll update when a fix is implemented.

niko (@niko@gts.niko.lgbt), to random

(yes there is alt text your instance isn’t accepting it :neofox_box:)

hazelnoot,

@niko have you ever federated that image (by URL or content hash) without alt text before? If so, that would explain why some instances can't see the alt text you wrote.

hazelnoot, to random

The general sense I’ve been getting from my neurodivergent clients is that they are sick and tired of masking. It appears that many of us are frantically running back to the dumpster to reclaim our hidden-gem personalities. Or we’re at least expressing a desire to do it while feeling torn between a fear of potential rejection and a longing to tear off the mask that has been suffocating us for too damn long. This is unsurprising, considering that neurodivergent individuals who report engaging in masking also report struggling with trauma histories, lower self-esteem, a poorer sense of authenticity, depression, anxiety, burnout, and exhaustion.

https://aeon.co/essays/the-hidden-costs-of-masking-for-women-with-adhd-and-autism

hazelnoot, to random

My roll of toilet paper came with a free screw ​:neofox_owo:​

hazelnoot, to random

federation test 2/2

hazelnoot, to random

Another cloud outage, still zero impact to fedi ​:neofox_sip:​

hazelnoot, to random

I should add LRU or LFU logic to Sharkey's media cache eviction ​:senko_think_2:​

hazelnoot, to random

A troll just referred to me as "Hazel Terrorist [LastName]", and I think that's the coolest thing anyone's ever called me ​:neofox_laugh:​

hazelnoot, to random

@theking Fruit Towards Iowa

hazelnoot, to random

you can't call it that! omfg ​:neofox_googly_shocked:​

hazelnoot OP,

"My company has arranged 'CSAM activities' for the whole month of October."

Do you know how that sounds?????? ​:shironeko_dead:​

hazelnoot, to random

Sunsetting IFTAS Connect mirror

Despite several hundred moderators signing up and expressing early interest, sustained engagement across the Connect portal and its associated Matrix Space [...] has remained limited. As we evaluate our role in this evolving ecosystem, we believe it is time to step back from hosting a dedicated community platform and refocus our resources where they are most impactful.

After 18 months of operating Connect, it is clear that this particular space has not provided the kind of active collaboration we had hoped for. We believe that this may be a reflection of the need for smaller, more targeted, and organically driven networks of support. This is not a failure of the community, but rather an opportunity to rethink how collaboration can best be facilitated across diverse, decentralised projects.

(emphasis mine)

hazelnoot, to random

Enby.Life Service Update

Mastodon API emulation will be disabled in 24 hours for performance reasons. This is temporary, but I don't have an ETA for service restoration yet.

hazelnoot, to random

Your mind: ​:neofox_happy:​
Your mind on Sharkey development:

hazelnoot, to random

wait what happened to pghrt.diy??

hazelnoot OP,

@cortex dang, that sucks! I was gonna link it to someone!

hazelnoot, to random

I'm curious whether bridgy will pick up my older posts if I boost them

hazelnoot, to random

Enby.Life is now testing a custom Sharkey branch with a patch for account migrations. Please let me know if you notice any weird behavior around that, even if you're a remote user migrating to another remote account!

While this bug specifically affected local account migrations, my fixes could potentially impact remote accounts. In Sharkey, all migrations go through the same code path so any changes can impact both options.

Here are the specific changes:

  • Add missing JSON-LD context for as:movedTo (this fixes the main bug).
  • Add more await statements to ensure everything runs in-order.
  • Process the phase 2 steps on a worker queue so that they can be retried on failure.
  • When copying a user block / mute from source to destination account, don't block if we follow the destination. (this prevents mutuals from being auto-blocked by a migration.)
  • A bunch of caching fixes, including one that was also breaking temporary user mutes.
  • Run phase 2 steps one-at-a-time to prevent contention, timeouts, and a caching race condition.
  • Respect "enable proxy account" setting when updating user lists containing the old account.
  • Synchronize user caches when updating follower / followee count metadata.

hazelnoot, to random

yes I am weird, I like my computer mice with 2 buttons, 1 wheel, and a wire. I am not the target audience for gaming mice lol

hazelnoot, to random

ughhh another fedi software started using fragment components (#) in the object URIs. now I really gotta add support for that in Sharkey ​:neofox_sob:​

hazelnoot OP,

@Misofist ohhh my god, I think I know. They're trying to avoid the Mastodon Bug ™️ that breaks federation if you naively use a querystring w/ authorized fetch, but for some reason they ignored the obvious solution of just encoding everything into path components

hazelnoot OP,

@Misofist when you paste a URL into the search bar, it's fetched over HTTPS with some AP security signatures attached. If that URL includes a fragment component, then it's stripped out by the HTTP code. The same thing happens if the system itself needs to look up an object by ID, which happens very often. (A common example is when a mutual replies to a post that your instance hasn't discovered yet.)

If the object's ID (also known as URI) contains a fragment, then the fetched URL will be different because the fragment is excluded. This can cause federation glitches or even complete breakdowns, depending on which objects include fragments and how important they are.

hazelnoot OP,

@Misofist the correct fix is for software to not use fragments at all. A workaround, although I'm not sure it's possible, is to force our HTTP client library to include the fragment component in outgoing requests.

hazelnoot OP,

@Misofist I'm not sure, but maybe it just never came up? The only place I'm seeing it is in collections which most software doesn't fully support. They publish collections, but never fetch them, which means that a broken implementation could go unnoticed.

hazelnoot OP,

@Misofist I think proxies are the issue, but if that's it then it might be safe to use over HTTPS ​:neofox_think:​
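
An added example (not from the posts above and not Sharkey's code) of the mismatch this thread describes: the request goes to the URL without its fragment, so a plain "returned `id` equals requested ID" check fails for fragment IDs. It goes one step beyond the thread by sketching one way a fetcher could cope, accepting an embedded object only when the parent document's own ID is the fragment-less URL. The sample document and all names are constructed.

```javascript
// Added illustration: constructed data and hypothetical helper names.

// What is actually requested: the object ID with its fragment removed.
function requestTarget(objectId) {
  const url = new URL(objectId);
  url.hash = '';
  return url.href;
}

// Depth-first search of a fetched document for an embedded object whose
// id matches exactly, fragment included.
function findById(node, wantedId) {
  if (node === null || typeof node !== 'object') return null;
  if (!Array.isArray(node) && node.id === wantedId) return node;
  for (const value of Object.values(node)) {
    const hit = findById(value, wantedId);
    if (hit) return hit;
  }
  return null;
}

// Decide which object (if any) in the response answers the lookup.
function resolveFetched(objectId, fetchedDoc) {
  const wanted = new URL(objectId);
  if (!wanted.hash) {
    // Usual rule: the served object must claim the ID that was requested.
    return fetchedDoc.id === wanted.href ? fetchedDoc : null;
  }
  // Fragment ID: the response describes the parent document. Trust an
  // embedded object only if the parent really is the fragment-less URL.
  if (fetchedDoc.id !== requestTarget(objectId)) return null;
  return findById(fetchedDoc, wanted.href);
}

// Constructed sample: a collection whose first page uses a fragment ID.
const SAMPLE_COLLECTION = {
  id: 'https://remote.example/users/alice/featured',
  type: 'OrderedCollection',
  first: {
    id: 'https://remote.example/users/alice/featured#page-1',
    type: 'OrderedCollectionPage',
    orderedItems: ['https://remote.example/notes/1'],
  },
};
```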

hazelnoot, to random

For the love of everything, please use content warnings when discussing politically-charged gun violence!

I should not have to keep saying this! Yes the events of yesterday are big news and we should definitely talk about it, but that doesn't mean it's ok to not use a CW!

I've had to manually fix 170 posts in less than 24 hours. That's more than my entire staff has moderated in the entire time since that feature became available!

hazelnoot, (edited) to random

Please remember to use Content Warnings!!

hazelnoot, to random

Mobile apps peaked when they had to request permission to use the internet, run in the background, or send notifications. It kept them in line, made sure they knew their place. Apps have only gotten worse since we gave them more permissions by default.

soph, to random

hazelnoot,

@soph my preferred solution is to build a giant catapult to launch you across to the final bridge, which you then cross as usual

hazelnoot, to random

Misskey/Sharkey administration tip:
Hi friends! Here's a little trick you can use if you ever need to log into an account without using the password. Assuming you have the native token, an API key, or an OAuth token, you can log in interactively by doing this:

  1. Open the instance in a tab, then open browser dev tools.
  2. Expand the console section and enter this:
window._fetch = window.fetch;
window.fetch = (url, ...args) => {
    if (url.endsWith('api/signin-flow')) {
        return Promise.resolve({
            status: 200,
            statusText: 'OK',
            json: () => Promise.resolve({
                finished: true,
                id: 'account ID here', // Place the account ID (not username!) here
                i: 'access token here', // Place the token (native, API, or oauth) here
            }),
        });
    } else {
        return window._fetch(url, ...args);
    }
};
  3. Press enter to run the code, then close dev tools.
  4. Click "sign-in", or "add account" if you're already logged in to at least one account.
  5. Enter the username of the target account and click next.
  6. You will be immediately logged in without prompting for the password or 2FA code.
  7. Reload the page to clear out the monkeypatch.

Please be aware that this does not trigger "account logged in" notifications, so only use it for emergency situations like being locked out of the root account. And if using a non-native token, certain parts of the UI may be glitchy or broken because the frontend doesn't check for restricted permissions.

Hope this helps someone!

hazelnoot, to random

relatable tbh

hazelnoot OP,

also a big mood ​:neofox_cry:​

hazelnoot, to random

this bugs me so much tbh
