varx boosted
@bagder Telling a programmer not to write a function because a library function exists is like telling a musician not to write a song because there is already a song about love.
varx boosted
Some "fun" commentary on activitypub and httpsig and the don

Every AP user has a private key stored somewhere on the server, which it uses to sign outgoing messages to other servers, in an http header. On first contact, the receiving server has to fetch the public key from the sending server, and then usually caches it.

Two weeks ago I decided it was unwise to cache keys forever. If a remote loses their private key, the baddie can forge messages. Recovery is generally the origin rotates all keys, but there's no way to clear a distributed cache. Just have to wait until a receiving server notices a sig failure, then refetches the public key to check again. So there's a large window to forge messages to servers that aren't in regular contact. So I changed honk to not cache forever.

This is fine. I delete the cached public key after a few days, a new message arrives, I refetch the public key. Except for the magical mastodon secure mode. Super secure mastodon will send me messages, but not allow me to fetch the corresponding public key. This seems suboptimal.

The punchline is a few people I used to follow can no longer be followed because I can't verify the messages their server sends me. Used to work because the key was cached from years ago, before the time of super duper security, but after I expired the key, I can't refetch it. Whoops.

varx boosted

Tell us what you think in the curl user survey 2022, now up! daniel.haxx.se/blog/2022/05/17 - this is our primary way to get user feedback in a wider scale. Your input is vital.

varx boosted

@dl @cwebber I'd just like to interject for a moment. What you're referring to as Chrome, is in fact, Chrome/Chrome, or as I've recently taken to calling it, Chrome plus Chrome. Chrome is not an operating system unto itself, but rather another free component of a fully functioning Chrome system made useful by the Chrome corelibs, browser utilities and vital browser components comprising a full OS as defined by Chrome.

(yes I know it uses linux as a kernel but this is funnier)

varx boosted

"non-genuine windows isn't safe, activate windows now"

yes because as we all know typing a product key into an evil copy of windows magically purges all the trojans and reconfigures it to be secure

varx boosted

Screwing around with a friend doing some evolutionary algorithms - and we already had the damn machine start reward hacking. Feeling good about the future, bring on the robocars! I'm sure things will go great... :X

varx boosted

While this is hilarious and mostly a good thing on this occasion, letting John Deere or anyone else have the ability to lock you out of your equipment is not.

theverge.com/2022/5/2/23053944

varx boosted
Obviously, the main shortcoming of the Scratch development ecosystem is the lack of a robust cryptography library.

Until now!

Here's x25519 ECDH key exchange, blake2s hashing, and ChaCha20-Poly1305 AEAD - in Scratch

Second part is up: What to actually do about parser mismatch vulnerabilities!

brainonfire.net/blog/2022/04/2

I'd be especially curious to hear if people can think of any approaches other than the ones I listed and discussed.

Show thread
varx boosted

I've been threatening to make this since A. A. Milne's work entered the public domain earlier this year. Introducing "Leet Pooh"

Because I think it's hilarious, I've set up a redbubble shop so you can get this nonsense on anything you want.

redbubble.com/people/esun-nasa

#PleaseBoost
#PleaseShare
#PleaseEnjoy

#OhBother
#0hB0+h3r

varx boosted

Can we agree that Web 2.0 has ended on the 1st of July 2013?

That's when Google Reader shut down. It was a symbolic death of RSS, and it deflated enthusiasm in syndication and open APIs.

Death of RSS was the final blow for XML, and with this the last dreams of namespaced data mashups of Semantic Web died too. That year JSON became an ECMA standard. Access-controlled JSON-over-HTTP eventually replaced public/scraped XML/microformats.

There's more:

Now that I'm using a static site generator, I'm kind of tempted to start evolving the styles over time and *keeping* the old styles. Like, after a post is more than X years old, maybe it never gets regenerated, and keeps an old copy of the stylesheet.

Could be interesting.

"I'm a security engineer and I still almost got scammed" robertheaton.com/almost-scamme

More on the theme of businesses (especially banks) having such bad practices that it's almost impossible to tell legitimate-but-asinine from scam.

varx boosted

pronouncing the P in JPEG 'ph' as in "photographic"

varx boosted

"Our findings show that gradual
deployment of safe programming languages, if not done with
extreme care, can indeed be detrimental to security." -- Cross-Language Attacks

ndss-symposium.org/wp-content/

In comparison, if I generate all the inputs and just skip the actual hashing and comparison, I get a 10x "speedup". I think this means that only 10% of my time is being spent on input generation, which isn't too bad—and doesn't explain where the time is going. Maybe Rust is sneakily optimizing something away, though. 🤔

I guess I need a profiler.

Show thread

I rewrote a hash-reverser script from Python into Rust and got a 3x speedup, which isn't as much as I expected:

github.com/timmc/avvo-reverse

From 290 kH/s in Python to 910 kH/s in Rust. But if I just loop over the numbers 1 to 100M and compare the hashes of their strings against a value, I get up to 3400 kH/s.

Room for a 3-4x improvement just by changing how efficiently I construct inputs, I suppose. And I'm still not doing multicore.

varx boosted

:brain1: off
:brain2: wake-on-LAN
:brain3: wake-on-WLAN
:brain4: wake-on-Internet
:brain5: wake-on-WWAN
:brain6: wake-for-no-reason

The "Freedom Phone" appears to be a dangerous pile of junk created by a scientologist or something: mjg59.dreamwidth.org/59479.htm

Neat, you can have an HTML form use a mailto: URI as an "action":

lab.brainonfire.net/test/form-

I'm toying with the idea of using something like this as my blog's comment box, but my guess is that most people won't have a mail client configured and will just get confused.

(Only tested on Firefox and Chromium. No idea what kind of support there is out there.)

Show older
Infosec Exchange

A Mastodon instance for info/cyber security-minded people.