HackerLangs
TopNewTrendsCommentsPastAskShowJobs

nmadden

no profile record

Submissions

Cryptography 101 with Alfred Menezes

cryptography101.ca
120 points·by nmadden·hace 8 meses·19 comments

comments

nmadden
·el mes pasado·discuss
> The pads are split into three pieces that are XORed to create the actual pad to reduce risk of compromise.

Thus creating a two-time pad, which is completely insecure…
nmadden
·hace 3 meses·discuss
Re: cheap - Anthropic’s write-up said it cost $20,000 of runs to find that bug (and a few others). So not that cheap compared to other tools - more similar in cost to human review/pentest, but probably more exhaustive.

> This was the most critical vulnerability we discovered in OpenBSD with Mythos Preview after a thousand runs through our scaffold. Across a thousand runs through our scaffold, the total cost was under $20,000 and found several dozen more findings.

They don’t talk about the other findings, so I’m guessing they are minor.
nmadden
·hace 8 meses·discuss
> Crashing is not an outage.

Are you in the right thread?
nmadden
·hace 8 meses·discuss
MBP = Macbook Pro AW = Apple Watch? What is APP?
nmadden
·hace 8 meses·discuss
Not sure why you're being downvoted for recommending a classic textbook!
nmadden
·hace 8 meses·discuss
> Because in practice, everything is finite.

Indeed! https://neilmadden.blog/2019/02/24/why-you-really-can-parse-...
nmadden
·hace 8 meses·discuss
100% reproducible deterministic bugs are absolutely the easiest class of bugs.
nmadden
·hace 9 meses·discuss
The proprietary/commercial TALA engine is really excellent too. I’ve been using it to do complex dataflow diagrams, and the results are so incredibly well laid out.
nmadden
·hace 9 meses·discuss
I guess. But it would only impact you if you’re using cookies with curl (I assume the middleware is only applied to requests with cookies?) — and it seems pretty easy to add a -H ‘sec-fetch-site: none’ in that case.
nmadden
·hace 9 meses·discuss
The article has a whole section about requiring those headers by forcing the use of TLS 1.3 — the theory being that browsers modern enough to support 1.3 are also modern enough to support the headers. But why not just enforce the headers?
nmadden
·hace 9 meses·discuss
Enforcing TLS 1.3 seems like a roundabout way to enforce this. Why not simply block requests that don’t have an Origin/Sec-Fetch-Site header?
nmadden
·hace 9 meses·discuss
Yes, of course it’s (largely) subjective. But I have actually read much of the source code of Spring. I know it _very_ well.
nmadden
·hace 9 meses·discuss
Java is sprawling now. It wasn’t 26 years ago.
nmadden
·hace 9 meses·discuss
Yes, in theory they are good. In practice they cause enormous amounts of pain and work for library maintainers with little benefit to them (often only downsides). So, many libraries don’t support them and they are very hard to adopt incrementally. I tried to convert a library I maintain to be a module and it was weeks of work which I then gave up and reverted. As one library author said to me “JPMS is for the JDK itself, ignore it in user code”.

Given how much of a coach and horses modules drove through backwards compatibility it also kind of gives the lie to the idea that that explains why so many other language features are so poorly designed.
nmadden
·hace 9 meses·discuss
Do you really think that in 26 years of professional Java programming I’d have never touched Spring? I’ve been using Spring since it was first released. I’ve found CVEs in Spring (https://spring.io/security/cve-2020-5408). Trust me when I say that my dislike for Spring (and annotations) is not based on ignorance.
nmadden
·hace 2 años·discuss
Do they do attestation by default? I thought for Apple at least that was only a feature for enterprise managed devices (MDM). Attestation is also a registration-time check, so doesn’t necessarily constrain where the passkey is synced to later on.
nmadden
·hace 7 años·discuss
It is, although COSE is significantly different to JOSE in many ways.