varx @varx@infosec.exchange
- pronouns
- he/they
- alts
- https://cybre.space/@varx (varx at i.write.codethat.sucks is dead)
- languages
- 📖 en, es; ✍️ en, ~es
- that cavern thing I'm always nattering about
- https://gitlab.com/timmc/cavern
Boston-area meat construct ␥ I just do what the plants tell me ␥ I'd rather be pentesting^Wsleeping^Wundermining the client-server paradigm
Joined Oct 2017
varx
boosted
@bagder Telling a programmer not to write a function because a library function exists is like telling a musician not to write a song because there is already a song about love.
varx
boosted
Some "fun" commentary on activitypub and httpsig and the don
Every AP user has a private key stored somewhere on the server, which it uses to sign outgoing messages to other servers, in an http header. On first contact, the receiving server has to fetch the public key from the sending server, and then usually caches it.
Two weeks ago I decided it was unwise to cache keys forever. If a remote loses their private key, the baddie can forge messages. Recovery is generally the origin rotates all keys, but there's no way to clear a distributed cache. Just have to wait until a receiving server notices a sig failure, then refetches the public key to check again. So there's a large window to forge messages to servers that aren't in regular contact. So I changed honk to not cache forever.
This is fine. I delete the cached public key after a few days, a new message arrives, I refetch the public key. Except for the magical mastodon secure mode. Super secure mastodon will send me messages, but not allow me to fetch the corresponding public key. This seems suboptimal.
The punchline is a few people I used to follow can no longer be followed because I can't verify the messages their server sends me. Used to work because the key was cached from years ago, before the time of super duper security, but after I expired the key, I can't refetch it. Whoops.
varx
boosted
Tell us what you think in the curl user survey 2022, now up! https://daniel.haxx.se/blog/2022/05/17/curl-annual-user-survey-2022/ - this is our primary way to get user feedback in a wider scale. Your input is vital.
varx
boosted
@dl @cwebber I'd just like to interject for a moment. What you're referring to as Chrome, is in fact, Chrome/Chrome, or as I've recently taken to calling it, Chrome plus Chrome. Chrome is not an operating system unto itself, but rather another free component of a fully functioning Chrome system made useful by the Chrome corelibs, browser utilities and vital browser components comprising a full OS as defined by Chrome.
(yes I know it uses linux as a kernel but this is funnier)
varx
boosted
"non-genuine windows isn't safe, activate windows now"
yes because as we all know typing a product key into an evil copy of windows magically purges all the trojans and reconfigures it to be secure
varx
boosted
Screwing around with a friend doing some evolutionary algorithms - and we already had the damn machine start reward hacking. Feeling good about the future, bring on the robocars! I'm sure things will go great... :X
varx
boosted
While this is hilarious and mostly a good thing on this occasion, letting John Deere or anyone else have the ability to lock you out of your equipment is not. #righttorepair
varx
boosted
Obviously, the main shortcoming of the Scratch development ecosystem is the lack of a robust cryptography library.
Until now!
Here's x25519 ECDH key exchange, blake2s hashing, and ChaCha20-Poly1305 AEAD - in Scratch
Until now!
Here's x25519 ECDH key exchange, blake2s hashing, and ChaCha20-Poly1305 AEAD - in Scratch
Second part is up: What to actually do about parser mismatch vulnerabilities!
https://www.brainonfire.net/blog/2022/04/29/preventing-parser-mismatch/
I'd be especially curious to hear if people can think of any approaches other than the ones I listed and discussed.
varx
boosted
I've been threatening to make this since A. A. Milne's work entered the public domain earlier this year. Introducing "Leet Pooh"
Because I think it's hilarious, I've set up a redbubble shop so you can get this nonsense on anything you want.
https://www.redbubble.com/people/esun-nasa/shop
varx
boosted
Can we agree that Web 2.0 has ended on the 1st of July 2013?
That's when Google Reader shut down. It was a symbolic death of RSS, and it deflated enthusiasm in syndication and open APIs.
Death of RSS was the final blow for XML, and with this the last dreams of namespaced data mashups of Semantic Web died too. That year JSON became an ECMA standard. Access-controlled JSON-over-HTTP eventually replaced public/scraped XML/microformats.
There's more:
Now that I'm using a static site generator, I'm kind of tempted to start evolving the styles over time and *keeping* the old styles. Like, after a post is more than X years old, maybe it never gets regenerated, and keeps an old copy of the stylesheet.
Could be interesting.
"I'm a security engineer and I still almost got scammed" https://robertheaton.com/almost-scammed/
More on the theme of businesses (especially banks) having such bad practices that it's almost impossible to tell legitimate-but-asinine from scam.
varx
boosted
pronouncing the P in JPEG 'ph' as in "photographic"
varx
boosted
"Our findings show that gradual
deployment of safe programming languages, if not done with
extreme care, can indeed be detrimental to security." -- Cross-Language Attacks
https://www.ndss-symposium.org/wp-content/uploads/2022-78-paper.pdf
In comparison, if I generate all the inputs and just skip the actual hashing and comparison, I get a 10x "speedup". I think this means that only 10% of my time is being spent on input generation, which isn't too bad—and doesn't explain where the time is going. Maybe Rust is sneakily optimizing something away, though. 🤔
I guess I need a profiler.
I rewrote a hash-reverser script from Python into Rust and got a 3x speedup, which isn't as much as I expected:
https://github.com/timmc/avvo-reverse
From 290 kH/s in Python to 910 kH/s in Rust. But if I just loop over the numbers 1 to 100M and compare the hashes of their strings against a value, I get up to 3400 kH/s.
Room for a 3-4x improvement just by changing how efficiently I construct inputs, I suppose. And I'm still not doing multicore.
varx
boosted
off
wake-on-LAN
wake-on-WLAN
wake-on-Internet
wake-on-WWAN
wake-for-no-reason
The "Freedom Phone" appears to be a dangerous pile of junk created by a scientologist or something: https://mjg59.dreamwidth.org/59479.html
Neat, you can have an HTML form use a mailto: URI as an "action":
https://lab.brainonfire.net/test/form-email.html
I'm toying with the idea of using something like this as my blog's comment box, but my guess is that most people won't have a mail client configured and will just get confused.
(Only tested on Firefox and Chromium. No idea what kind of support there is out there.)
- pronouns
- he/they
- alts
- https://cybre.space/@varx (varx at i.write.codethat.sucks is dead)
- languages
- 📖 en, es; ✍️ en, ~es
- that cavern thing I'm always nattering about
- https://gitlab.com/timmc/cavern
Boston-area meat construct ␥ I just do what the plants tell me ␥ I'd rather be pentesting^Wsleeping^Wundermining the client-server paradigm
Joined Oct 2017
