1. 23

What are you doing this week? Feel free to share!

Keep in mind it’s OK to do nothing at all, too.

Weekend: https://lobste.rs/s/ltf1il/what_are_you_doing_this_weekend

Last week: https://lobste.rs/s/fb7svw/what_are_you_doing_this_week

    1. 13

      Releasing Monocypher 4.0.0. I vaguely hope to be done tonight. Many breaking changes for this one, but I think they’re worth it.

      Some bookkeeping:

      • The makefile will no longer require GNU make.
      • I’m removing the deprecation mechanism, and support older versions instead.
      • Function names will be more consistent, and clearly separated into different sections.
      • The manual will be reorganised.

      Some additions:

      • Argon2 now supports everything: Argon2i, Argon2d, Argon2id, multiple lanes. Still single threaded though.
      • Adding HKDF-SHA512, and documented how to do KDF with BLAKE2b.
      • Adding streaming authenticated encryption. It’s different from what libsodium does. It’s more efficient and does a symmetric ratchet for free. It doesn’t have a tag mechanism, so we have to add it manually when there’s no out-of-band way to denote the end of a stream (size, socket close…).
      • Adding Ed25519ph, and documented how to implement XEdDSA.

      Some changes:

      • Safer EdDSA: I’m using the NaCl API, where the private key is 64 bytes and includes its public half. Key pairs are generated from a seed. (This is the main reason for the new release.)
      • Simpler and more flexible low-level EdDSA API. The incremental and custom hash are being replaced by 5 low-level routines. Those routines were used to implement Ed25519ph. I also document how to implement XEdDSA with them.
      • EdDSA is now specified to the bit-level: batch equation, low-order and non-canonical A and R are allowed. Non-canonical S is still forbidden, to avoid malleability. This is different from what the RFC allowed. I believe the RFC is not ideal, so I’ve chosen to imitate Zebra instead.

    2. 9

      I’m working on a draft for a blog post about database cryptography, as a follow-up to a footnote on a friend’s blog post.

      Database cryptography is hard. The above sketch is not complete and does not address several threats! This article is quite long, so I will not be sharing the fixes.

      1. 9

        I knew a guy who believed that setting the column encoding to “binary” meant that the column was encrypted and safe for directly storing passwords.

        He was a senior developer. He got paid very well while believing this.

        1. 7

          I wish I was making this up… Back in the day (before JWT was a well-established thing), we had a JSON blob that the client needed to retain and send back to the server for reasons, and I pointed out that the JSON had data in it that was a) slightly sensitive and b) could be modified by the untrusted client to do bad things. The following sprint he stated that he’d addressed the problem by encrypting it. I had a look and it was literally ROT-13 “encrypted”. When I raised the following concern… his response was “you only know that it’s ROT-13 encrypted because you looked at the code. No one’s going to guess that.”

          1. 6

            This kind of thing is why I am glad I always work with a red team when building anything I want to make security claims about. They may not find everything I’ve done wrong, but they at least find anything I’ve done embarrassingly wrong.

            1. 3

              That’s the right mindset! I mean, when someone’s learning or has a knowledge gap, I’m more than happy to help out. When they double down on being wrong… that’s a frustration I’m not great at dealing with.

              1. 3

                “Tell me more. When _____ why do you believe _____?” is a good tool to use.

          2. 5

            Lmao rot13 is literally one of the first cryptography challenges you encounter when learning

            1. 3

              I am no cryptographer, but I probably could solve the ROT-13 using just pen and paper.
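Added example, not part of any comment in this thread: the ROT-13 anecdote above concerns a JSON blob that an untrusted client holds and returns. The sketch below contrasts that keyless encoding with an HMAC-SHA256 tag made with a server-only key; the key, field names and function names are constructed for illustration.

```python
import base64
import codecs
import hashlib
import hmac
import json

# Constructed key and state, for illustration only.
SERVER_KEY = b"constructed-demo-key"
STATE = {"user": "alice", "role": "viewer"}

def rot13_encode(state):
    """The anecdote's scheme: keyless, so anyone can reverse or rewrite it."""
    return codecs.encode(json.dumps(state), "rot_13")

def rot13_decode(blob):
    return json.loads(codecs.decode(blob, "rot_13"))

def seal(state, key):
    """Attach an HMAC-SHA256 tag computed with a key only the server holds."""
    body = base64.urlsafe_b64encode(json.dumps(state, sort_keys=True).encode())
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body.decode() + "." + tag

def unseal(blob, key):
    """Return the state, or None if the tag does not verify."""
    body, sep, tag = blob.rpartition(".")
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not sep or not hmac.compare_digest(tag.encode(), expected.encode()):
        return None
    return json.loads(base64.urlsafe_b64decode(body))

def edit_role_rot13(blob):
    """What an untrusted client can do to the ROT-13 blob: edit and re-encode."""
    state = rot13_decode(blob)
    state["role"] = "admin"
    return rot13_encode(state)

def edit_role_sealed(blob):
    """The same edit on a sealed blob; the client can only reuse the old tag."""
    body, _, tag = blob.rpartition(".")
    state = json.loads(base64.urlsafe_b64decode(body))
    state["role"] = "admin"
    new_body = base64.urlsafe_b64encode(json.dumps(state, sort_keys=True).encode())
    return new_body.decode() + "." + tag

if __name__ == "__main__":
    print(rot13_decode(edit_role_rot13(rot13_encode(STATE))))  # edit is accepted
    print(unseal(seal(STATE, SERVER_KEY), SERVER_KEY))  # untouched blob verifies
    print(unseal(edit_role_sealed(seal(STATE, SERVER_KEY)), SERVER_KEY))  # rejected
```

The tag gives integrity only: the sealed body is still readable by the client, so sensitive fields need authenticated encryption under a server-side key or should stay on the server.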

    3. 7

      Probably, going to start putting together my plan for exiting my current position for something new. I’m ready to move on.

      1. 4

        I wish you the best of luck! I’m waiting until hiring unfreezes before I begin seriously looking again.

        1. 4

          Eek, yeah, it’s time for me to start looking now and the wave after wave of layoffs is of course a pretty scary backdrop to do that against.

          1. 3

            You’ll be okay! You kick ass and you’re more qualified than most of the people on the market.

        2. 2

          Thanks! I have a fairly strong network and I’m not in a rush so I can take my time which is certainly a luxury I’m grateful for. One that many do not have.

      2. 2

        Break a leg!

    4. 6

      Probably gonna finish a post or two for work and write something about how surreal it is to control your computer with voice commands via Talon.

    5. 5

      Got fired on Friday, so I’m taking some time to relax. Maybe going to try to publish some blog posts, maybe going to try to work on my music backup site. If I’m feeling especially active, I’ll try to contribute some code to Emacs.

      1. 3

        Sucks that you got fired, but I’m sure it’ll work out long-term!

        Best of luck with your next ventures!

      2. 2

        Obligatory “stay strong” <3

    6. 4

      I’m going to revamp a fun little side project of mine that gets a reasonable amount of traffic, hosting bunny gifs: https://www.bunnies.io/

      It’s very manual and the frontend is pretty basic. I love working with Kotlin on the backend so I’ll likely end up doing something server-rendered so link previews work better. Might write about it over at https://www.carrot.blog too

      1. 1

        it doesn’t look like https://🐰🥕.blog (xn--4o8hk6f.blog) works, is it supposed to?

        1. 2

          Tragically it doesn’t seem like the .blog domain supports it, otherwise I would have totally made it work

    7. 3

      I’m planning the release tomorrow of an article I’ve been working on for a long time, about access control on Unix-like systems. Also, preparing the usual nixers community newsletter.

    8. 3

      Cooking up a special thing(s) for us code CAD lovers. Stay tuned.

      1. 1

        Curious 🧐

    9. 2

      Has the “what are you doing this week{,end}” torch been passed from @caius to you? :D

      1. 22

        I woke up early and rolled a 20 on my initiative.

      2. 7

        For ages now it’s been whoever is first to post rather than a specific person - I think I’m just ahead of most timezone-wise. I’d not looked at my reminders yet today and had entirely forgotten it was waydtw day. So, er, thanks @soatok!

    10. 2

      Working, ideally.

      Sleeping, hopefully.

      In reality, probably gnawing on the last, difficult 15% or so of Garnet’s typechecker rewrite and playing too many video games.

    11. 1

      At work I’m working on PHP version upgrades for our legacy codebase. While it’s nice that new PHP versions have support for type declarations, it is very difficult to confidently upgrade old code. This should have been started well before I joined the team and it’s a lot of work…

      Outside of work I have been on a roll making consistent updates to my various open source projects. I’m still working on my fuzzy finder and it gets better by the day!

    12. 1

      I’m out on vacation! Which probably means a bit of reading and maybe a touch of studying for the Kubernetes certifications I have lined up from work. Might end up designing a side project as well but I’ll be constrained to my iPad so not much actual work will be able to be done on it :)

    13. 1

      I started a blog last year, but predictably didn’t post as much as I’d hoped. I’m trying to start to address that, and kicked off a new week log today. I’ve got a few other pieces in the works related to RISC-V / WebAssembly / LLVM or other topics so hope to make some incremental progress to line those up for future weeks.

      Also the usual LLVM hacking, hoping to post more of my WebAssembly GC types work for upstream review this week and tick off some ABI related items on the RISC-V LLVM side.

    14. 1

      Investigating how to diff SQL reliably. Plan is to see if you create a view in the database, and the SQL for the view changes on the disk, can we reliably say it is different. Problem here is if the database modifies the SQL before storing to the information schema, giving us false positives in subsequent runs.

      1. 2
        1. 2

          Oh, that’s a really interesting project. What I’m looking for now is something that can take an SQL string, and compare it to another SQL string and tell me whether they are the same or not. So, an AST parser.

          So for example this:

          CREATE VIEW foo    AS SELECT a, b FROM bar;

          should match

          -- my new view
          CREATE VIEW "foo" AS SELECT "a", "b" FROM "bar";

          This is still easy, so I’m using Rust and there’s an excellent parser crate sqlparser available. The AST enables PartialEq, and it normalizes the query so these two are equal.

          What kind of still worries me a bit is how sometimes, when you store SQL to PostgreSQL, it does more to the query before saving it to the information schema. I’m not yet sure whether this happens with views, but for example defaults sometimes get typecasts added. For the view code, it could mean it’s stored as:

          CREATE VIEW "foo" AS SELECT "a"::int4, "b"::int8 FROM "bar";

          Now, if the columns a and b in the table bar are of those types, this should match the original query. If there is conversion to some other type, we don’t have a match. This is just hypothetical, I haven’t started this experiment yet. Just some problems that might come around with PostgreSQL.

          1. 2

            Looks doable. Sounds like you just need a normalization step after parsing.

            1. 1

              Yep. Not super hard, and it’s definitely a fun task!