HackerLangs
TopNewTrendsCommentsPastAskShowJobs

indolering

no profile record

Submissions

LionsOS Design, Implementation and Performance

arxiv.org
13 points·by indolering·7 tháng trước·0 comments

The World of OCR (C. 1960) [video]

youtube.com
25 points·by indolering·7 tháng trước·11 comments

comments

indolering
·2 tháng trước·discuss
That's not how I remember it: it was an experiment that was useful at the time but didn't work out. It was useful internally to sandbox Flash player, but the limitations of the LLVM based approach were soon evident to everyone involved.
indolering
·3 tháng trước·discuss
I really wish I had messed with Windows Phone when it was a thing. They were the only ones not to just ship a clone of an existing interface ASAP. But it was closed source and offered no advantages for carriers or device makers compared to Android.

WebOS needed WASM and a lot more to be successful. I think WASM/WASI is to the point that the next major platform build out can use it.
indolering
·3 tháng trước·discuss
The floating point "standard" was basically codifying multiple different vendor implementations of the same idea. Hence the mess that floating point is not consistent across implementations.
indolering
·3 tháng trước·discuss
The answer is unequivocally yes: RISC-V is designed to be customizable and a vendor can put whatever they like into a given CPU. That being said, profiles and platform specs are designed to limit fragmentation. The modular design and core essential ISA also makes fat binaries much more straight-forward to implement than other ISAs.
indolering
·3 tháng trước·discuss
I think it's a joke: you REALLY don't want to own your own servers.
indolering
·4 tháng trước·discuss
[flagged]
indolering
·4 tháng trước·discuss
I'm not unaware of this and I agree that WebPKI has greatly reduced global risk. New DNS tech takes a lot longer to implement but that doesn't mean we should kill DNSSEC support like the trolls insist upon!

Why would Let's Encrypt not also be interested in safeguarding DNS, SSH, BGP, and all the others? Those middle boxes will have to get replaced someday and we could push for regulation requiring that their replacements support DNSSEC. These long-term societal investments are worth making and it would enable decentralized DNS.

I'm also concerned that none of this will happen if haters won't stop screaming, "DNSSEC doesn't do anything but ackchyually harms security!".

(@tptacek: please stay out of this comment thread)
indolering
·4 tháng trước·discuss
> The same reasons not to deploy DNSSEC that face large organizations apply to you: any mistake managing your DNSSEC configuration will take your domain off the Internet (in fact, you'll probably have a harder time recovering than large orgs, who can get Google and Cloudflare on the phone).

Set your TTL to five minutes and/or hand over DNS management to a service provider.

> Meanwhile, you get none of the theoretical upside, which in 2026 comes down to making it harder for an on-path attacker to MITM other readers of your site by tricking a CA into misissuing a DCV certificate for you --- an attack that has already gotten significantly harder over the last year due to multiperspective. The reason you don't get this upside is that nobody is going to run this attack on you.

Didn't save Cloudflare from a bad TLS certificate being issued. I still think that reducing the number of bad actors from 300 to the root servers and your registrar is a meaningful reduction in attack surface.

> DNSSEC attempts to address just a subset of these; most especially MITM attacks, for which there are a huge variety of vectors, only one of which is contemplated by DNSSEC.

How would authenticating DNS records cryptographically not address cache poisoning, MITM, and DNS spoofing in relation to DNS lookups? Also, DNSSEC doesn't have to solve all problems to make it worth doing.

> Finally, I have to tediously remind you: when you're counting signed domains, it's important to keep in mind that not all zones are equally meaningful. Especially in Europe, plenty of one-off unused domains are signed, because registrars enable it automatically. The figure of merit is how many important zones are signed. Use whichever metric you like, and run in through a bash loop around `dig ds +short`. You'll find it's a low single-digit percentage.

Yet you complain about DNSSEC being to hard to deploy and not getting enough deployment. Wouldn't it be nice if they could leverage that automatic signing to also generate TLS, SSH, and other certificates?
indolering
·4 tháng trước·discuss
It can be used alongside WebPKI. And as someone who is worried about other protocols, it sure would be nice if I could setup DNSSEC for my domain and have clients pick up on that automatically.
indolering
·4 tháng trước·discuss
More rhetorical dunking instead of engaging with the substantive technical issues. I'm done.
indolering
·4 tháng trước·discuss
But it also applies to every other part of the stack, including WebPKI. Would you accept this as a valid argument against using HTTPS everywhere?
indolering
·4 tháng trước·discuss
DNSSEC also solves a bunch of real world threat models that do cause massive security issues. I think we should put that effort into DNS as well.
indolering
·4 tháng trước·discuss
That's fair! My primary gripe was about the need for non-profits to step in to begin with. Sorry if I didn't communicate that well.

However, I'm don't feel sorry for registrars or TLDs. Verisign selling HTTPS certs while running the root TLDs is a conflict of interest and I believe the perverse incentives are a big part of the reason why DNSSEC and DANE are stalled out. TLDs are a monopoly business and ICANN is quasi-commercial entity that should never have been a for-profit business.

I certainly think it is fair to ask them to pay for all this.
indolering
·4 tháng trước·discuss
I would really appreciate it if you would respond to my points instead of just moving on to another argument.

Do you hardcode Github and AWS keys in your SSH config? Do you think it would be beneficial to global security if that happened automatically?
indolering
·4 tháng trước·discuss
DNS is where domain name authority is delegated. Anything you build on top of that is also going to be a world of hurt if it gets compromised.
indolering
·4 tháng trước·discuss
DNSSEC PKI does not preclude one from hardcoding specific keys in the client as well.

Providing global PKI and enabling end-to-end authentication by default for all clients and protocols certainly would make the internet a safer place.
indolering
·4 tháng trước·discuss
Phishing existing isn't a good argument against cryptographically authenticating DNS records.
indolering
·4 tháng trước·discuss
The engineering effort! ECC solves the theoretical concerns around latency anyway yet we have people arguing that it shouldn't be done. But if it was worth making HTTPS faster to secure HTTP, why not DNS?
indolering
·4 tháng trước·discuss
If DNS PKI is compromised, so is HTTPS. So yes, they would be scrambling too.
indolering
·4 tháng trước·discuss
HTTPS also has expiring keys that also need to be rotated. Most people outsource this to a service provider for them - as is the case with DNS. It's weird how people gripe about standard cryptography/PKI when it comes to DNSSEC but not HTTPS.