HackerLangs
TopNewTrendsCommentsPastAskShowJobs

nmadden

no profile record

Submissions

Cryptography 101 with Alfred Menezes

cryptography101.ca
120 points·by nmadden·8 mesi fa·19 comments

comments

nmadden
·mese scorso·discuss
> The pads are split into three pieces that are XORed to create the actual pad to reduce risk of compromise.

Thus creating a two-time pad, which is completely insecure…
nmadden
·3 mesi fa·discuss
Re: cheap - Anthropic’s write-up said it cost $20,000 of runs to find that bug (and a few others). So not that cheap compared to other tools - more similar in cost to human review/pentest, but probably more exhaustive.

> This was the most critical vulnerability we discovered in OpenBSD with Mythos Preview after a thousand runs through our scaffold. Across a thousand runs through our scaffold, the total cost was under $20,000 and found several dozen more findings.

They don’t talk about the other findings, so I’m guessing they are minor.
nmadden
·8 mesi fa·discuss
> Crashing is not an outage.

Are you in the right thread?
nmadden
·8 mesi fa·discuss
MBP = Macbook Pro AW = Apple Watch? What is APP?
nmadden
·8 mesi fa·discuss
Not sure why you're being downvoted for recommending a classic textbook!
nmadden
·8 mesi fa·discuss
> Because in practice, everything is finite.

Indeed! https://neilmadden.blog/2019/02/24/why-you-really-can-parse-...
nmadden
·8 mesi fa·discuss
100% reproducible deterministic bugs are absolutely the easiest class of bugs.
nmadden
·9 mesi fa·discuss
The proprietary/commercial TALA engine is really excellent too. I’ve been using it to do complex dataflow diagrams, and the results are so incredibly well laid out.
nmadden
·9 mesi fa·discuss
I guess. But it would only impact you if you’re using cookies with curl (I assume the middleware is only applied to requests with cookies?) — and it seems pretty easy to add a -H ‘sec-fetch-site: none’ in that case.
nmadden
·9 mesi fa·discuss
The article has a whole section about requiring those headers by forcing the use of TLS 1.3 — the theory being that browsers modern enough to support 1.3 are also modern enough to support the headers. But why not just enforce the headers?
nmadden
·9 mesi fa·discuss
Enforcing TLS 1.3 seems like a roundabout way to enforce this. Why not simply block requests that don’t have an Origin/Sec-Fetch-Site header?
nmadden
·9 mesi fa·discuss
Yes, of course it’s (largely) subjective. But I have actually read much of the source code of Spring. I know it _very_ well.
nmadden
·9 mesi fa·discuss
Java is sprawling now. It wasn’t 26 years ago.
nmadden
·9 mesi fa·discuss
Yes, in theory they are good. In practice they cause enormous amounts of pain and work for library maintainers with little benefit to them (often only downsides). So, many libraries don’t support them and they are very hard to adopt incrementally. I tried to convert a library I maintain to be a module and it was weeks of work which I then gave up and reverted. As one library author said to me “JPMS is for the JDK itself, ignore it in user code”.

Given how much of a coach and horses modules drove through backwards compatibility it also kind of gives the lie to the idea that that explains why so many other language features are so poorly designed.
nmadden
·9 mesi fa·discuss
Do you really think that in 26 years of professional Java programming I’d have never touched Spring? I’ve been using Spring since it was first released. I’ve found CVEs in Spring (https://spring.io/security/cve-2020-5408). Trust me when I say that my dislike for Spring (and annotations) is not based on ignorance.
nmadden
·2 anni fa·discuss
Do they do attestation by default? I thought for Apple at least that was only a feature for enterprise managed devices (MDM). Attestation is also a registration-time check, so doesn’t necessarily constrain where the passkey is synced to later on.
nmadden
·7 anni fa·discuss
It is, although COSE is significantly different to JOSE in many ways.