HackerLangs
トップ新着トレンドコメント過去質問紹介求人

nmadden

no profile record

投稿

Cryptography 101 with Alfred Menezes

cryptography101.ca
120 ポイント·投稿者 nmadden·8 か月前·19 コメント

コメント

nmadden
·先月·議論
> The pads are split into three pieces that are XORed to create the actual pad to reduce risk of compromise.

Thus creating a two-time pad, which is completely insecure…
nmadden
·3 か月前·議論
Re: cheap - Anthropic’s write-up said it cost $20,000 of runs to find that bug (and a few others). So not that cheap compared to other tools - more similar in cost to human review/pentest, but probably more exhaustive.

> This was the most critical vulnerability we discovered in OpenBSD with Mythos Preview after a thousand runs through our scaffold. Across a thousand runs through our scaffold, the total cost was under $20,000 and found several dozen more findings.

They don’t talk about the other findings, so I’m guessing they are minor.
nmadden
·8 か月前·議論
> Crashing is not an outage.

Are you in the right thread?
nmadden
·8 か月前·議論
MBP = Macbook Pro AW = Apple Watch? What is APP?
nmadden
·8 か月前·議論
Not sure why you're being downvoted for recommending a classic textbook!
nmadden
·8 か月前·議論
> Because in practice, everything is finite.

Indeed! https://neilmadden.blog/2019/02/24/why-you-really-can-parse-...
nmadden
·8 か月前·議論
100% reproducible deterministic bugs are absolutely the easiest class of bugs.
nmadden
·9 か月前·議論
The proprietary/commercial TALA engine is really excellent too. I’ve been using it to do complex dataflow diagrams, and the results are so incredibly well laid out.
nmadden
·9 か月前·議論
I guess. But it would only impact you if you’re using cookies with curl (I assume the middleware is only applied to requests with cookies?) — and it seems pretty easy to add a -H ‘sec-fetch-site: none’ in that case.
nmadden
·9 か月前·議論
The article has a whole section about requiring those headers by forcing the use of TLS 1.3 — the theory being that browsers modern enough to support 1.3 are also modern enough to support the headers. But why not just enforce the headers?
nmadden
·9 か月前·議論
Enforcing TLS 1.3 seems like a roundabout way to enforce this. Why not simply block requests that don’t have an Origin/Sec-Fetch-Site header?
nmadden
·9 か月前·議論
Yes, of course it’s (largely) subjective. But I have actually read much of the source code of Spring. I know it _very_ well.
nmadden
·9 か月前·議論
Java is sprawling now. It wasn’t 26 years ago.
nmadden
·9 か月前·議論
Yes, in theory they are good. In practice they cause enormous amounts of pain and work for library maintainers with little benefit to them (often only downsides). So, many libraries don’t support them and they are very hard to adopt incrementally. I tried to convert a library I maintain to be a module and it was weeks of work which I then gave up and reverted. As one library author said to me “JPMS is for the JDK itself, ignore it in user code”.

Given how much of a coach and horses modules drove through backwards compatibility it also kind of gives the lie to the idea that that explains why so many other language features are so poorly designed.
nmadden
·9 か月前·議論
Do you really think that in 26 years of professional Java programming I’d have never touched Spring? I’ve been using Spring since it was first released. I’ve found CVEs in Spring (https://spring.io/security/cve-2020-5408). Trust me when I say that my dislike for Spring (and annotations) is not based on ignorance.
nmadden
·2 年前·議論
Do they do attestation by default? I thought for Apple at least that was only a feature for enterprise managed devices (MDM). Attestation is also a registration-time check, so doesn’t necessarily constrain where the passkey is synced to later on.
nmadden
·7 年前·議論
It is, although COSE is significantly different to JOSE in many ways.