HackerLangs
TopNewTrendsCommentsPastAskShowJobs

CiPHPerCoder

no profile record

Submissions

[untitled]

1 points·by CiPHPerCoder·3개월 전·0 comments

Post-Quantum Cryptography for the PHP Community

paragonie.com
3 points·by CiPHPerCoder·3개월 전·0 comments

Building Cryptographic Agility into Sigstore

blog.trailofbits.com
3 points·by CiPHPerCoder·5개월 전·1 comments

How we avoided side-channels in our new post-quantum Go cryptography libraries

blog.trailofbits.com
5 points·by CiPHPerCoder·8개월 전·0 comments

comments

CiPHPerCoder
·6개월 전·discuss
> However, donating money to an open collective is prohibitively hard for most big companies.

You are absolutely correct. However, that's the mechanism that Frank has made available, and that's what the comment I was replying to was asking, so I was just connecting the dots between the question and answer.
CiPHPerCoder
·6개월 전·discuss
> Did you also check all of the libraries that implement the check differently to libsodium?

Yes, but it was a breadth-first search sourced from the ianix webpage, so I certainly missed some details somewhere. I'll continue to search over the coming weeks in my spare time (if I can get any).
CiPHPerCoder
·6개월 전·discuss
I found several libraries that simply didn't implement the check, but none that implemented in incorrectly in the same way as the vulnerability discussed above.

If you didn't receive an email from me, either your implementation isn't listed on https://ianix.com/pub/ed25519-deployment.html, I somehow missed it, or you're safe.
CiPHPerCoder
·6개월 전·discuss
From the article:

  If libsodium is useful to you, please keep in mind that it is maintained by one person, for free, in time I could spend with my family or on other projects. The best way to help the project would be to consider sponsoring it, which helps me dedicate more time to improving it and making it great for everyone, for many more years to come.
The "sponsoring it" links to https://opencollective.com/libsodium/contribute

Hope that helps.
CiPHPerCoder
·6개월 전·discuss
This also affected the PHP library, sodium_compat. https://github.com/FriendsOfPHP/security-advisories/pull/756

I'm planning to spend my evening checking every other Ed25519 implementation I can find to see if this check is missing any where else in the open source ecosystem.
CiPHPerCoder
·9개월 전·discuss
Most people don't make their spam public, but I did when I ran this bounty program:

https://hackerone.com/paragonie/hacktivity?type=team

The policy was immediate full disclosure, until people decided to flood us with racist memes. Those didn't get published.

Some notable stinkers:

https://hackerone.com/reports/149369

https://hackerone.com/reports/244836

https://hackerone.com/reports/115271

https://hackerone.com/reports/180074
CiPHPerCoder
·7년 전·discuss
There isn't one within 20 miles of my house, so I think I'll pass on that. :P
CiPHPerCoder
·7년 전·discuss
I never disputed the premise anyway. Just that the conclusion doesn't follow from it.

If communities die when bookstores die, sure, you can blame that on what killed the bookstore. But regardless of blame, whose responsibility is it to ensure communities continue? (This isn't the same thing as blame.)

My point isn't "bookstores are the wrong answer". My point is "bookstores aren't the only correct answer". Diversify.
CiPHPerCoder
·7년 전·discuss
> They've ran a ton of brick and mortar bookstores out of business, which has effectively destroyed community centers.

Can you really blame Amazon for destroying community centers because they put bookstores out of business?

Bookstores aren't the only viable community center, after all. Most cities and counties have a public library that's supposed to exist for the community's benefit. Additionally, in rural parts of the US, the only real community center you used to find was a church, not a library or a bookstore.

Personally speaking, my community centers exist on Signal, WhatsApp, IRC, Mastodon, Slack, Twitter, Telegram, and Facebook. (And I neglect half of those entirely.) I don't see any need to have a physical watering hole.
CiPHPerCoder
·7년 전·discuss
> Specifically, do experienced PHP programmers stick to a subset of PHP, as in "PHP: The good parts"?

See: https://phptherightway.com

Modern PHP development comes in the form of loading dependencies from Composer/Packagist, rather than offloading a lot of bloat to the language. Lots of things have been deprecated (and even removed, like ext/mcrypt).
CiPHPerCoder
·7년 전·discuss
This line of discussion ("Make it so we can pay you $xxK/mo, don't ask for donations.") comes up a lot on HN.

Here's what I did:

First, I spent four years developing security libraries for PHP developers that can be considered core infrastructure. Random_compat was an API-compatible polyfill of PHP 7's random_bytes() and random_int() functions for PHP 5 projects (and has over 100 million downloads). sodium_compat reimplemented most of libsodium in pure-PHP, and currently powers WordPress's signature verification functions. That's just two examples, I have over a dozen of distinct and useful libraries-- many of which have been adopted into popular frameworks-- that make your software materially more secure. If you're a serious player in the industry and your code base is PHP, you're running my code.

Okay, value delivered through open source? Check.

All of the above was also published through an LLC rather than just under an individual's name.

Then, I began offering the usual HN recommendations (support contracts, especially for EOL versions of PHP for Enterprise Linux customers).

I even created a streamlined workflow section on the company website and linked all of our open source projects to it: https://paragonie.com/enterprise

To date, the SQL tables that power that section of our website only has test records I created to make sure it was turned on correctly.

So I believe this to mean one of two things:

1. There's a missing step that I'm not doing that, once executed, will rake in the dollars.

2. The prescribed advice on message boards about how to run an open source business doesn't work.

(Until I figure out which it is, I'll have to continue doing code audits and penetration tests. Not exactly hurting for money, but it's not coming from the channels that people expect for open source. Enjoy the anecdata.)

https://packagist.org/packages/paragonie/random_compat

https://packagist.org/packages/paragonie/sodium_compat

https://make.wordpress.org/core/2019/05/17/security-in-5-2
CiPHPerCoder
·8년 전·discuss
It doesn't have to be any one person, either.

As scientific progress becomes increasingly interdisciplinary, communication becomes increasingly valuable both within teams and with the greater public.

I would be perfectly happy seeing tens of enthusiastic and brilliant physicists stepping up to become the celebrity scientists of the upcoming generation, rather than just one or two.

Until they surface, however, the responsibility falls upon each and every one of us to stoke the fires of passion and wonder in our fellow humans.

I started watching Niel deGrasse Tyson's Cosmos reboot the other day, and the first episode is definitely worth a watch for everyone reading this thread. It was also covered in Business Insider: http://www.businessinsider.com/inspiring-story-young-neil-de...

You don't need a platform or a massive following to ignite a spark of curiosity in another person. Small acts of kindness and encouragement can last a lifetime.
CiPHPerCoder
·9년 전·discuss
Sure, a couple of questions:

1. How do you measure "largeness" of a git repo?

2. How are you confident that you have the largest?

3. How much technical debt does that translate to?