Indeed. Still see advertisement on trucks, etc. that have email address in the dead .yu zone here in Montenegro. It seems that the transition period of 3 years was too short. On the other hand, .su (for Soviet Union) is still active.

Enchive’s author here. These are all good points. Most of the mistakes are me not knowing any better when I designed it, but, fortunately, none of them fatal as far as I know.

But for big files, it may be worth using chunked authenticated encryption to avoid spilling out unauthenticated plaintext

I did eventually figure out chunked authentication for myself months later, but too late for Enchive. If I ever redesign the file format, it would definitely use chunked authentication, among other corrections like using EtM.

If it’s scrypt-like, why not just use scrypt?

At the time (early 2017) I couldn’t find a drop-in scrypt library with a friendly license, and I didn’t want to try implementing it myself. A major design goal was ANSI C and no dependencies. As a result, Enchive can easily be compiled just about anywhere, probably even decades into the future (to, say, decrypt some old archives). As evidence of this, you can build it and run it on Windows 98 decades in the past.

I get the feeling most of those shortcomings are caused by direct use of primitives. I suspect that the author was trying to:

1. minimize dependencies – especially looking at optparse.h, which is (mostly) redundant on a POSIX system due to getopt(3) existing – and source files, and
2. keep the license unencumbered (all third party code seems to be in the public domain:, but then ended up making dangerous decisions given raw primitives.

argon2 not being in there is probably not an accident but a result of how difficult it is to implement and how he’d have two hash functions (SHA-256 and BLAKE2 for the argon2 state).

The author might’ve had a better result and less work with naive use of Monocypher, libsodium or TweetNaCl, though TweetNaCl still would’ve let him shoot himself in the foot with raw X25519.

If it’s scrypt-like, why not just use scrypt?

Yeah, it’s like they’re not aware that scrypt comes with a file encryption utility.

Partitioned bloom filters have a little worse false positive rate, no?

dumb enough to either run something random from the net

You literally opened a file from the net to write that. It’s not dumb, users should never be blamed for using files, it’s that’s what they do all the time.

Yeah — I use FreeBSD, sometimes GIMP (but more often Krita), occasionally with files from the internet…

but I have NOT even heard of FLIC before

In the past, D. Richard Hipp was very welcoming to contributions to Fossil. I don’t think anything changed. Your best bet would be probably to start from participation in the mailing list.

Whether he cares about ME is irrelevant here. By releasing the software under most (all?) free software and open source licenses, you forfeit the right to object even if the code is being used to trigger a WMD - with non-copyleft licenses you agree not to even see the changes to the code. That’s the beauty of liberal software licenses :^)

All that he had asked for is a bit of courtesy.

I think he is just happy he has a large company using minix.

Still, it’s sad that he doesn’t seem to care about ME.

Or just refrains from fighting a losing battle? It’s not like governments would give up on spying on and controlling us all.

He posted an update in which he says he doesn’t like IME.

How so?

[Comment removed by author]

Does Facebook actually have patents covering React? I’ve looked around a few times and have never seen a link to an actual patent covering it. I would assume there’s gobs of prior art for anything going on in there.

And yet, there are a number of big companies which undoubtedly have big legal teams, and which seem to be okay with using React somewhere. Just cherry-picking some from the list [0]

Airbnb, American Express, Chrysler, Atlassian, eBay, Expedia, Microsoft, NHL, Netflix, New York Times, Salesforce, Twitter, Visa, Walmart… At least some of these companies must have had their legal teams look at the license and decide it was okay to use to use React. Which makes me wonder if the hysteria (this is a bit of hyperbole, but it does seem to have some people really worked up) is justified.

[0] https://github.com/facebook/react/wiki/sites-using-react

Unfortunately SMS codes do not prove possession of the SIM card. Would that it were so - the SIM card does in fact implement a (reasonably) secure authentication process between the phone and network & in principle this could be used to bootstrap a 2FA authentication system.

All an SMS code proves is that the recipient was able to view texts sent to a given phone number: That’s it.

Given that a) phones are insecure, b) phone networks are insecure and c) the SS7 layer that lets mobile networks implement roaming is insecure, SMS messages are not a secure way to deliver authentication tokens for high-value assets.

SMS token does not require the actual SIM card to receive it. It’s transferred via a channel between the website and the operator (and most likely another service between them) and then from the operator to the phone. As you can see, it’s not a possession factor: everyone in the chain sees the token and decides its fate.

(I didn’t read the article because it was deleted.)

@tedu hasn’t gotten to the book about CA infrastructure yet

The scale of the problem they solve is a lot larger than what most people will ever work on. The fan-out nature of the product is challenging enough, but there’s more.

The 140 chars thing is inconsequential. It would be the easiest thing to change.

Twitter is all about pushing ads and trying to find ways to monetize their users. They have over 3k employees, and I have no idea WTF they’re doing to be honest. The site has terrible performance, and it’s buggy as hell. If you look at the source for the page, it’s downright nightmarish. They keep adding shit like moments that nobody wants or ever asked for, while ignoring actual user requests like the ability to edit tweets.

I started using Mastodon recently, and it’s just a better experience all around. The core functionality of Twitter is not that hard to implement,. If you’re not trying to monetize, then you can provide a much better experience for the users.

Personally, I’d really like to see the internet go back to being a distributed system where anybody can run a server and interact with people, as opposed to current centralized model where a few sites dominate all the social media.

Running your own servers is cheaper and easier than ever. You can get a Digital Ocean droplet for 5 bucks a months nowadays, and the prices are only going down.

Meanwhile, setting up and managing apps like Mastodon has become much easier as well thanks to Docker. Run the container that the maintainer packages, and you can get it up and running in minutes.

I think Mastodon is a great example that this model absolutely does work today. I also think that it’s more robust than the startup model.

Mastodon is open source, and it will be around as long as people want to use it. The features get added based on user demand, as opposed to demand of investors. Anybody can run their own node, and set it up any way they like. No central entity decides how Mastodon is used, or what it’s used for.

This is what internet was meant to be. We took a terrible detour with walled gardens like Facebook and Twitter, but it doesn’t have to be that way.

they make a considerable amount of money. is it net profit? no. mostly because they have an insane head count.

This is one good reason why I always use full, explicit paths in my scripts.

but then they are not portable

qbit@slip[0]:~λ which bash
/usr/local/bin/bash
qbit@slip[0]:~λ

Keep in mind, for this to happen, the user probably changed the system default PATH to put Dwarf Fortress first. sudo usually scrubs the environment to default settings unless you’ve taken steps.

Here are some interesting FreeBSD 11 code stats from The Design and Implementation of the FreeBSD Operating System (2nd edition): https://imgur.com/a/sF3aV

Hmm, they didn’t just count CVEs; according to the slides, they did a three-month audit of BSDs and then made conclusions based on the found bugs. So, although close, it’s not exactly “vulnerability statistics”.

[Comment removed by author]

That’s a great presentation despite deficiencies I’ll overlook. Especially on the relationship between what vulnerability researchers focus on and what the CVE lists show. A good example of this I’ve been discussing in another thread is OpenVMS. It lives up to its legendary reliability as far as I can tell so far but I learned that its security was an actual legend: mix of myth and reality. The reality was better architecture for security than its competitors back in the day, attention to quality in implementation, and low CVE’s in practice with famous DEFCON result. I figured what actually was happening is most hackers didn’t care about it or just couldn’t get their hands on the expensive system (same with IBM mainframe/minicomputers). I predicted they’d find significant vulnerabilities in it which happened at a later DEFCON. So, nice work, highly reliable, and not as secure as advertised by far. ;)

Another good example to remember is Linux kernel. I slam it on vulnerabilities but that’s because they (esp Linus) don’t seem to care that much. The vulnerability count itself is heavily biased due to its popularity like Windows once was before Lipner of high-assurance security implemented Security, Development Lifecycle. I’ll especially note the effect of CompSci and vendors of verification/validation tools. They love hitting Linux since it’s a widely-used codebase with open code. Almost every time I see a new tool in static analysis, fuzz testing, or whatever they apply it to Linux kernel or major programs in Linux ecosystem. They find new stuff inevitably since the code wasn’t designed for security or simplicity like OpenBSD or similar project. So, there’s more to report just because there’s more eyeballs and analysis in practice instead of just in “many eyeballs” theory. Same amount of attention applied to other projects might have found similar amount of vulnerabilities, more, less, or who knows what.

https://paragonie.com/blog/2016/09/untangling-forget-me-knot-secure-account-recovery-made-simple

I wish the ASF would still be using APlv1. It’s sad that the US legal system and patent situation caused this mess. The ASF is a very US-centric organisation (even though they don’t tend to view themselves as such), and from a perspective of a country where software paternts are not (yet) a thing, the differences between APLv1 and APLv2 appear as a solution looking for a problem.

And now they’re trying to persuade every project they use to switch to Apache License 2

No, they are asking politely if the projects might be willing to consider changing their licensing to be compatible. There is no persuasion going on by ASF people (which I assume you mean by “they”).

‘pure’ implementations of libraries (for interpreted languages) are generally popular (imo because figuring out how to configure your system to support an unfamiliar build toolchain is wrongly seen as more difficult than porting and maintaining code).