HackerTrans
TopNewTrendsCommentsPastAskShowJobs

CarpaDorada

no profile record

Submissions

Show HN: Communal Growth, find others with similar interests in books or papers

communalgrowth.org
2 points·by CarpaDorada·vor 12 Monaten·0 comments

OpenLDAP from a Mathematician's Perspective

createyourpersonalaccount.github.io
3 points·by CarpaDorada·vor 2 Jahren·1 comments

comments

CarpaDorada
·vor 8 Monaten·discuss
You too will grow old and then... you too will be blamed for everything.
CarpaDorada
·vor 8 Monaten·discuss
The Baumol effect is only one component and not the entire story. Those that run these services will extract as many profits as possible for themselves. When the robots will manage geriatric care, there is no reason to not continue exploiting the patients' wallets.
CarpaDorada
·vor 2 Jahren·discuss
"A good critical comment teaches us something." That's what I thought I was doing.

I did not intend to break the rules badly (nor do I believe I did; I didn't fulminate nor called names). Instead I was called names by others replying to me. I will not participate in HN anymore.
CarpaDorada
·vor 2 Jahren·discuss
[flagged]
CarpaDorada
·vor 2 Jahren·discuss
If you see a phishing link, you can perform a DNS A record request to find their IPs, typically behind Cloudflare. You can report them to Cloudflare. Their WHOIS record will tell you who their registrar is, and again you can report them there too. If they use URL shorteners, you can report those.
CarpaDorada
·vor 2 Jahren·discuss
>Applications of category theory to computer science predate the first US computer science department.

This doesn't sound plausible: according to Wikipedia, Eilenberg and Mac Lane introduced concepts of CT in 1942, and CT was originally used mainly homological algebra, with applications in logic/semantics later. Certainly CT was given credence by Grothendieck and Serre, working on (and solving) Weil's conjecture in the 50s and 60s. Lawvere's 1963 thesis predated categorical logic (according to his own words, <http://www.tac.mta.ca/tac/reprints/articles/5/tr5abs.html> p. 12, "but the method here, and indeed in the whole ensuing categorical logic, is to exploit the uniqueness by using adjointness itself as an axiom"). The first computer science department in the US was started in 1962 in Purdue University. Meanwhile for contrast the proofs of Church and Turing were published in 1936.

>I would wager that you can't name a logic not expressible in category theory.

I prefaced my statement with an "if"; you're not talking about toposes apparently. The interpretability of one theory in another is a concern of logicians and I'm not familiar with any restrictions on category theory, indeed it can be used for logics. I do not know topos theory but I was basing my statement on what I heard Colin McLarty say in an interview of his <https://www.youtube.com/watch?v=81sPQGIWEfM>, can't give timestamp; he definitely named logics that cannot be expressed by the topos of a space.

I feel that you've used two straw men: 1) specifically naming US 2) ignoring my "if topos" and saying "expressible in CT".
CarpaDorada
·vor 2 Jahren·discuss
During an afternoon someone who understands the concepts can explain the relevant parts without requiring an understanding of CT from the other party. Hence: don't bother with CT.

I don't mean to be rude, but what has Bartosz Milewski done that is relevant in programming?
CarpaDorada
·vor 2 Jahren·discuss
If you're talking about toposes, many logics do not correspond to them. It's the other way around: many category theorists/logicians needed jobs and found computer jobs and hence the category theoretic perspective in CS.
CarpaDorada
·vor 2 Jahren·discuss
This is a phony work in progress (I do not mean to disparage the author, just the work itself, or perhaps the YC submission). There's no direction, it's just "let's do it because ... ?" Here is the authors' answer to "Why Category theory?":

>The answer lies in the abstraction and generalization capabilities provided by category theory. It allows us to see beyond the specifics of a particular programming language, problem, or system, revealing the underlying structures that are common across different domains

Rest assured you will not find much of that by reading category theory (CT). This type of studying of CT reminds me of Shaolin monks trying to fight boxers (hint: the boxer wins).

Another peculiar thing about these notes is that the author colored every CT diagram (and worse even, there is no logic to the color choices, it's just randomized.)

CT is a nice subject as any other, and useful to those doing research. You don't need it if you're not doing specific math/CS research that uses it. Anything that could be useful to you from CT can be explained in one afternoon over some coffee or beer. For example, the notion of universality could be useful to many programmers: the "most general" object of its kind, and how that is reflected in relation to other objects of its kind; a brief example would be that the "free" language of all strings in the letters A and B is universal amongst all languages of strings A, B with relations, (relations such as AAAB = A.)

Don't enter turbulent waters if you're not a swimmer! Maybe you can take a boat instead. For those who already know CT because of other motivations (in particular, because they're mathematicians who have spent many years studying mathematics), the applications of CT to computer science can come somewhat naturally, but for others, it's an uphill battle and a waste of time.
CarpaDorada
·vor 2 Jahren·discuss
FIDO would be for authentication, not signing. It also supports SSH (and X.509, see <https://git-scm.com/docs/gitformat-signature>) but it does not support minisign or signify. There's a git module for signify, <https://leahneukirchen.org/dotfiles/bin/git-signify> but don't count on it being widely supported.
CarpaDorada
·vor 2 Jahren·discuss
This is an anonymous blog, and the author conceals their identity, which is already an issue for me. Let's look at the alternatives to PGP that the blog recommends, I will paraphrase:

1) Sign software with sigstore.dev

The issue here is that you delegate trust to places like GitHub or other OIDC providers. You also have to trust Fulcio and their CAs. <https://docs.sigstore.dev/about/security/> for details. Maybe you don't want to do that, in part because you're not guaranteed that the service will remain free, or perhaps you're more serious about security than GitHub.

1-alt) Sign software with minisign.

Maybe I don't want to use Ed25519. Maybe I want to revoke the signatures. There's many issues one may have with minisign.

2) Signing git tags/commits

Advises to use SSH, no explanation why. Advises Ed25519, why not Ed448? The explanation to not use RSA is by linking to <https://blog.trailofbits.com/2019/07/08/fuck-rsa/>. I will only quote one thing from this article:

>RSA was an important milestone in the development of secure communications, but the last two decades of cryptographic research have rendered it obsolete.

You can't say it is obsolete when it is still in use. I'm not sure what the author(s) mean by "obsolete", but it is not true that RSA is obsolete. (If Ed25519 breaks but RSA doesn't, who will be obsolete?)

3) Sending files between computers

Here it recommends Magic Wormhole. That's shocking to me, I don't understand why it is recommended. Why not rsync? If you look at the 2016 presentation for Magic Wormhole <https://www.lothar.com/~warner/MagicWormhole-PyCon2016.pdf>, the pitch is that it is especially useful when the computers are unrelated. How often is that the case? Rsync is a much better solution for anyone who wants to transfer files between servers they have access to.

4) Encrypting Backups

Here they recommend tarsnap as "the usual recommendation", I've got to say, it's definitely not the usual recommendation.

5) Encrypting Application Data

They say to use Tink or libsodium. Tink has many implementations in each language, (how does that help security?) and libsodium doesn't support RSA, two things on top of my head that may be deal breakers.

6) Encrypting Files

They recommend age; wishful thinking as most people do not use age. In fact most people do not bother encrypting files, and it is not something that is done often. The author likes to talk about footguns, well there's certainly many footguns to file encryption. This is where the most analysis is on this blog article too, but this is a niche case.

7) Private Messaging

It recommends Signal. What about e-mail?

>(Unless you’re legally required to use PGP because of a government regulation… in which case, why do you care about my recommendations if you’re chained by the ankle to your government’s bad technology choices?)

It comes off as know-it-all.

Let me close with this: Cryptography is infamous for debates. It never ends, and many people have ended up with egg on their face for their claims. Tread carefully and don't rely on others too much!
CarpaDorada
·vor 2 Jahren·discuss
The issue is mostly with git itself, e.g. take a look at

  git cat-file commit HEAD
to see something like:

  tree <tree-hash>
  parent <parent-hash>
  author <author-name> <author-email> <timestamp>
  committer <committer-name> <committer-email> <timestamp>
  gpgsig -----BEGIN PGP SIGNATURE-----
   
   <ascii-armored RFC9580 signature>
   -----END PGP SIGNATURE-----

  <commit message>
You can view an example of the structure of this ascii-armored signature here <https://cirw.in/gpg-decoder/#-----BEGIN%20PGP%20SIGNATURE---...>.

You can add a patch to git to support more signature types than just OpenPGP. You may then be able to move mountains and get GitHub/others to join in the validation. Finally, if you can find bugs/exploits in GnuPG, you should report them and you will definitely get credit and recognition for them. They are not trivial to find.
CarpaDorada
·vor 2 Jahren·discuss
>For example, signing commits with minisign or signify.

These tools don't work well with git or the git forges, and they do not work at all with fossil. (Obviously signify is a good choice if you're using OpenBSD.) Furthermore they lock you in entirely in their choice of algorithm, Ed25519, which may not be what you want (Why not Ed448?)

As far as adoption goes, and adoption is hard to get going, GnuPG is what is used in Linux the most...
CarpaDorada
·vor 2 Jahren·discuss
>Well, how about the fact that gnutls allowed passive cleartext recovery attacks to go unpatched for about 2 years?

They patched it when they became aware of it in <https://gitlab.com/gnutls/gnutls/-/issues/1011>, it was not "allowed" to go unpatched.

>How about the fact that GnuPG is predicated upon the web of trust

No it is not, the web of trust is one mode of operation out of infinitely many that you can come up with, it's not forced upon the user. It was evangelized for a long time until the keyservers got DOSed. In retrospect obvious, but also gnupg is more-or-less an "activist" project -- big corps and govs are against encryption for the masses by and large. Had it had institutional backing from the beginning (which it never got) it'd have a much more robust model for users to work with.

>encourages misuse in the form of long-lived identities which discourages key rotation

You can automate key rotation with gpg. The long-lived identity argument can be seen as a strength too, short-lived isn't always better.

>a littany of vulnerabilities involving authentication and downgrade attacks?

I'm not aware of these; do you mean that GnuPG is not secure by default in its algorithm list? It chooses compatibility over security, but you're free to change the configuration. I think it's too harsh to say that GnuPG is inadequate because of that.

>GNU is just organizationally incapable of producing secure code.

I don't see why that'd be true, anyone can contribute to GNU so there is nothing inherent about GNU that makes its projects insecure.

>GPG is not good. It is broken at a fundamental level.

Works for me! I use it to sign my git commits and tarball releases, and with gpg-agent I get to authenticate to SSH servers.
CarpaDorada
·vor 2 Jahren·discuss
What about GnuTLS and GnuPG do you think makes them insecure? I think that they offer something unique and that must be factored in; i.e. if you compare them to competitors, you can't compare apples to oranges when making judgments for them. In mind I have projects like Open/Bear/Boring SSL to compare GnuTLS with, and sequoia for gpg. I really like sequoia, but it offers a different product to gnupg.

Emacs is a mosaic of 50 years of computer history, security is not its priority, but I guarantee you that in bug-gnu-emacs any security/network-related patches are most welcome.
CarpaDorada
·vor 2 Jahren·discuss
The article says Kim Dotcom is fighting deportation to the US. Isn't the right term extradition?
CarpaDorada
·vor 2 Jahren·discuss
They say it takes a long time to build Guile, the Scheme compiler, not Artanis. I can build guile in less than 2 minutes on my old laptop.
CarpaDorada
·vor 2 Jahren·discuss
If you just want to try it out you can compile it from source, see <https://www.gnu.org/software/artanis/manual/manual.html#org3...>.
CarpaDorada
·vor 2 Jahren·discuss
With DNSSEC you can be certain that the response you got was issued by the nameserver that is claimed (well, by someone who owns the private key). The domain owner, and registrar can both be at fault, the CA is the last entity to blame because they are performing an automated check of domain ownership. For maximum security you'd want to buy your own TLD as my YT video talks about, to circumvent any other registries, registry wholesalers, and registrars' security models, but an adequate protection for most is to use registry/registrar lock and implement DNSSEC correctly. IP hijack will then not work when all of the above is done correctly.

Another option is manual certificate issuance with a CA whose security model is better than yours, but not implementing DNSSEC leaves you open to other attacks.
CarpaDorada
·vor 2 Jahren·discuss
A lot of people are not aware that HTTPS certificates do not necessarily guard you from certain types of attacks like DNS injection. You can see <https://www.youtube.com/watch?v=exy5JwAU8qk> for one example where an attack campaign called DNSPionage obtained valid certificates for their attacks.

To explain the issue with HTTPS certificates simply, issuance is automated and rests on the security of DNS, which is achieved via DNSSEC and most do not implement.