HackerLangs
TopNewTrendsCommentsPastAskShowJobs

nmadden

no profile record

Submissions

Cryptography 101 with Alfred Menezes

cryptography101.ca
120 points·by nmadden·8 месяцев назад·19 comments

comments

nmadden
·в прошлом месяце·discuss
> The pads are split into three pieces that are XORed to create the actual pad to reduce risk of compromise.

Thus creating a two-time pad, which is completely insecure…
nmadden
·3 месяца назад·discuss
Re: cheap - Anthropic’s write-up said it cost $20,000 of runs to find that bug (and a few others). So not that cheap compared to other tools - more similar in cost to human review/pentest, but probably more exhaustive.

> This was the most critical vulnerability we discovered in OpenBSD with Mythos Preview after a thousand runs through our scaffold. Across a thousand runs through our scaffold, the total cost was under $20,000 and found several dozen more findings.

They don’t talk about the other findings, so I’m guessing they are minor.
nmadden
·8 месяцев назад·discuss
> Crashing is not an outage.

Are you in the right thread?
nmadden
·8 месяцев назад·discuss
MBP = Macbook Pro AW = Apple Watch? What is APP?
nmadden
·8 месяцев назад·discuss
Not sure why you're being downvoted for recommending a classic textbook!
nmadden
·8 месяцев назад·discuss
> Because in practice, everything is finite.

Indeed! https://neilmadden.blog/2019/02/24/why-you-really-can-parse-...
nmadden
·8 месяцев назад·discuss
100% reproducible deterministic bugs are absolutely the easiest class of bugs.
nmadden
·9 месяцев назад·discuss
The proprietary/commercial TALA engine is really excellent too. I’ve been using it to do complex dataflow diagrams, and the results are so incredibly well laid out.
nmadden
·9 месяцев назад·discuss
I guess. But it would only impact you if you’re using cookies with curl (I assume the middleware is only applied to requests with cookies?) — and it seems pretty easy to add a -H ‘sec-fetch-site: none’ in that case.
nmadden
·9 месяцев назад·discuss
The article has a whole section about requiring those headers by forcing the use of TLS 1.3 — the theory being that browsers modern enough to support 1.3 are also modern enough to support the headers. But why not just enforce the headers?
nmadden
·9 месяцев назад·discuss
Enforcing TLS 1.3 seems like a roundabout way to enforce this. Why not simply block requests that don’t have an Origin/Sec-Fetch-Site header?
nmadden
·9 месяцев назад·discuss
Yes, of course it’s (largely) subjective. But I have actually read much of the source code of Spring. I know it _very_ well.
nmadden
·9 месяцев назад·discuss
Java is sprawling now. It wasn’t 26 years ago.
nmadden
·9 месяцев назад·discuss
Yes, in theory they are good. In practice they cause enormous amounts of pain and work for library maintainers with little benefit to them (often only downsides). So, many libraries don’t support them and they are very hard to adopt incrementally. I tried to convert a library I maintain to be a module and it was weeks of work which I then gave up and reverted. As one library author said to me “JPMS is for the JDK itself, ignore it in user code”.

Given how much of a coach and horses modules drove through backwards compatibility it also kind of gives the lie to the idea that that explains why so many other language features are so poorly designed.
nmadden
·9 месяцев назад·discuss
Do you really think that in 26 years of professional Java programming I’d have never touched Spring? I’ve been using Spring since it was first released. I’ve found CVEs in Spring (https://spring.io/security/cve-2020-5408). Trust me when I say that my dislike for Spring (and annotations) is not based on ignorance.
nmadden
·2 года назад·discuss
Do they do attestation by default? I thought for Apple at least that was only a feature for enterprise managed devices (MDM). Attestation is also a registration-time check, so doesn’t necessarily constrain where the passkey is synced to later on.
nmadden
·7 лет назад·discuss
It is, although COSE is significantly different to JOSE in many ways.