Threads for soatok

  1. 1

    This is generally correct, but there’s a case where I saw recently where a “security researcher”, attempted to get RCE on an OSS project’s CI infrastructure. They did this not by filing a bug report saying “your CI looks suspicious may I do C?”, but by creating a new GitHub account and posting a bunch of different patches targeting the CI.

    It was only during the work being spent trying to identify whether things were under an attack did it come out that they were actually employed by a “pentesting” company that had no relationship with anyone or thing involved with the project. Their presumed intent was a server compromise and then a bug report saying “look we compromised your servers”.

    Your right to pull the “I’m a security researcher and they shit in me card” goes out the window once you’re actively attacking and targeting code execution on a system that does not belong to you.

    1. 5

      Yeah, that’s why I never send traffic to any systems I don’t control. I only study source code, and rarely reverse engineer apps.

      Criminal activity is a horrible way to start a relationship with a business.

      (n.b. I never do API testing. Yes, even if there’s a Safe Harbor declaration somewhere. Aaron Swartz’s prosecution happened despite MIT and JSTOR not wanting to pursue hacking charges. I do not trust the US government, so it’s best to never run afoul of the Computer Fraud and Abuse Act if you can help it.)

    1. 8

      What really bothers me about the poor responses is the lack of humility. For some strange reason, a lot of people believe that software with positive functionality (e.g. storing passwords) must lack negative functionality (e.g. data-exfiltration side-channels). The ideal response should include an emotional component which indicates an openness and willingness to improve software without ego.

      I would like to think that my response to security research is amusement. Not to be derisive, but to celebrate their effort and acknowledge their achievement.

      1. 9

        My default emotional response to someone telling me about a security flaw in my code is a mix of curiosity, excitement, and good humor.

        I’m always worried it won’t come across that way, however.

        1. 9

          Mine is closer to panic: “oh shit that looks bad, I need to investigate right this second”.

          So far my panic has been warranted once. The rest were either false positives or minor issues. I still believe it’s worth it: without the pressing need to thoroughly pin down the issue, I could have missed the one time it turned out to be a critical vulnerability. Heck, even the false positives are interesting: they cause me to understand things I didn’t before, and that’s progress.

          1. 5

            Yep. I always learn from security people.

            That’s why I fursuit at DEFCON.

      1. -9

        Here are two rough uBlock rules to remove most of those stupid furry-pictures. This makes the blog much more bearable for me. I hope it helps somebody.

        ||*soatok.blog*soatok*^
        ||*soatok.blog*Soatok*^
        

        Regarding the topic itself: The author raises a valid point. I am often surprised how unprofessional even large corporations are in this regard. In the long term, quite a few whitehats will probably choose to become grey- or blackhats. Not only is the pay much better and consistent (you don’t have to nudge companies to pay promised bounties like an idiot), it also usually is safer, given there have been quite a few cases where companies “killed the messenger” and sued the security researcher instead of thanking them for the free service.

        1. 20

          Was there a need to post these ublock rules though? Or a need to refer to the pictures in such a way as “stupid”, it seems fairly unkind to me and not really living up to the standards of this site.

          1. 26

            The rules you provided also filter out some of the screenshots, so you end up missing important context by doing this. Not sure I would recommend hobbling the communication to others, just because of a weird personal aversion to cartoon animals.

            1. 12

              those stupid furry-pictures

              Do you really expect anyone to read any further, if that’s how you open your comment? You could have added this separately, as a P.S. or anything else. Oh, and without getting personal.

              Let me quote you from 1 month ago:

              arrogance and toxicity

              Now I feel like I need some ublock rules for users.

              1. 12

                the ublock rules work just as well if you don’t throw unnecessary hurtful insults. i appreciate the illustrations 🤷.

              1. 10

                While I have a lot of respect for the author, I do sympathize with LastPass in this situation.

                There are a lot of people that blast out low quality security reports so it can be hard to triage those reports. So I can see the temptation in handing over triaging responsibilities to a vendor who can specialize in that skillset. Now Bugcrowd should be better if they are going to provide triaging services. It’s a hard problem but that’s the entire business they are in.

                But once Bugcrowd messes up, I am not surprised that LastPass’s support folks had no idea how to handle actual security issues. They wouldn’t be trained for it because the assumption would be that the existing process for getting security issues would handle the security reports.

                So to me, the only problem is with Bugcrowd not handling security reports properly.

                1. 16

                  The typos and sentence structure in the LastPass emails suggest to me that it’s being outsourced to a developing-world support farm which may not even be familiar enough with LastPass to provide any kind of support beyond “read this webpage”.

                  1. 13

                    Yeah, I had the same reaction. I totally get being frustrated at Bugcrowd but from an outside perspective it seemed to me like this author shot the messenger when talking to support.

                    It almost always pays to put in the effort to be polite. It’s VERY rare that you’re going to be better off being harsh, because when you do, the other person’s defenses automatically go up. It doesn’t matter if it’s their job to listen to you, it’s an evolutionary reaction and ultimately it’s mutually beneficial to be nice (you have a greater chance of your stuff being resolved, they have a better day).

                    Perhaps the author’s email to LastPass support would have gone better if they had politely explained (very broadly) to support why Bugcrowd had screwed up, instead of harshly asserting that they had. For example:

                    Bugcrowd incorrectly closed my report because it did not include proof of concept code. However, proof of concepts are not industry standard for the type of vulnerability I’m reporting (a flaw that makes LastPass’s encryption weaker than it should be) because they’re difficult and expensive to develop.

                    This is much better than what was actually sent to support - something along the lines of:

                    Bugcrowd triage shat the bed.

                    The reason it’s better is because it’s empathetic to support’s situation (they don’t know anything about security) and doesn’t talk down to them. Instead, it explains the situation in an understandable way and gets support on your side. The last email did this a little bit, but by then it’s too late - to this support person you’re already just another rude rando they have to deal with.

                    To be clear, it’s absolutely ridiculous that support needed to be involved at all and Bugcrowd needs to do way better. They did shit the bed. But given that imperfect reality I don’t really have a lot of sympathy for someone who curtly contacted people who know nothing about security and expected an instant correct response.

                    1. 8

                      I disagree. If you hand over something to a third party and they mess up that’s your problem.

                      If someone then tries hard to get around it and you are still unable to handle it, it’s your problem, and if that repeats, it’s even worse.

                      You have all the responsibility for your product. If you use a third party and outsource, that doesn’t mean it’s not your problem, because after all it is still your product and your decision to outsource.

                      1. 5

                        While I have a lot of respect for the author, I do sympathize with LastPass in this situation.

                        There are a lot of people that blast out low quality security reports so it can be hard to triage those reports. So I can see the temptation in handing over triaging responsibilities to a vendor who can specialize in that skillset.

                        This is challenging for password managers and encrypted messaging apps. You need cryptographic expertise. Bug bounty hackers typically don’t have the same skillsets.

                        I’m sympathetic to anyone running a bug bounty program (I used to, under my professional name), but that only goes so far.

                      1. 14

                        I’m somewhat surprised to see bitwarden left out of the comparison here. It’s open source and (I think) a very popular alternative to 1password and lastpass within the tech world. Perhaps there weren’t any security vulnerabilities found and the quality of their response could therefore not be compared?

                        1. 25

                          I hadn’t found any flaws in Bitwarden at the time, but I need to do a thorough review of it. Since it’s open source, it’s one of the few I can thoroughly review.

                          1. 13

                            I’d be interested in the results and their reaction when you get to it!

                          2. 2

                            My read’s the latter case, yeah. Two issues he found, and then another issue he’s familiar with.

                          1. 3

                            Outside of work (which will likely balloon to consume most of my week), I’m resuming work on end-to-end encryption for the Fediverse.

                            1. 1

                              What’s a doubly augmented PAKE? What does it do more than a “merely” augmented one?

                              (Also asked on Reddit.)

                              1. 2

                                See this slide deck, slides 44-46 specifically.

                                I can’t find the talk online yet.

                              1. 1

                                Derive a subkey (sk) using AES-DeriveSubKey with the first 16 bytes of N and K

                                I misread this as the first 16 bytes of N and the first 16 bytes of K for entirely too long.

                                1. 2

                                  Oh. I should make that clearer. Thanks.

                                1. 18

                                  I just got banned from Twitter for pointing out management’s attempts to prevent people from linking to the ElonJet account on Mastodon was poorly executed and could be trivially bypassed (append query string, capitalize any letter, etc.). I’m free!

                                  I think I’ll spend my weekend working on a proposal to add end-to-end encryption to Mastodon’s DMs

                                  1. 7

                                    Congrats!

                                    1. 5

                                      I’m free!

                                      So, time for more blog posts? Pleeeeeeease?

                                      1. 4

                                        Surprised there’s anyone left to ban you, tbh.

                                        1. 3

                                          I have a Twitter account I haven’t used in forever, so I think the appropriate use for it at this point is to just use it to tweet Elon Musk-themed furry art until it gets suspended. Most of the people I followed either got suspended or moved off, and with Nitter, I don’t need it to check out Twitter accounts, either.

                                          Is there such a thing as Elon Musk-themed furry art, or do I need to break out Stable Diffusion?

                                        1. 4

                                          obvious solution is just email right? and you can link it from the web page with mailto:

                                            1. 1

                                              fediverse is architecturally similar to email, with each party having a provider who may store metadata. so you have to weigh the risks introduced by email clients against the risk of using new JavaScript crypto implementations.

                                              1. 1

                                                Or just move the private messaging to Signal.

                                                1. 4

                                                  Signal has an instant-messaging UX, which is different from a mail UX and not suitable for the same use cases. Also, key management is lacking: I can change my phone whenever, and the worst my recipient will get is a small note saying “oh by the way Loup changed its phone”, without explicitly warning them that my previous keys are now invalid, and they probably want to authenticate me all over again.

                                                  Oh, and Signal requires your phone number. They try their hardest not to misuse it, but that’s still a deal breaker for some people.

                                                  1. 1

                                                    We’re discussing direct messages here, which are a good fit for Signal.

                                                    The way I see it, for E2EE DMs in fedi, we have

                                                    1. the proposal from @soatak (to be implemented)
                                                    2. Signal/Whatsapp side-band
                                                    3. encrypted email that works (still haven’t been informed what that is)

                                                    ….

                                                    99. security LARPing using PGP.

                                                    1. 3

                                                      You mean short direct messages?

                                                      Signal is explicitly only distributed through official palmtop stores (Google’s or Apple’s), to get it anywhere else you are supposed to compile it yourself. This means a phone keyboard and a small screen.

                                                      1. 1

                                                        Any future solution has to be mobile first for any meaningful mass adoption.

                                                        I already see people referring to Mastodon, like Twitter before it, as “an app”.

                                                        1. 6

                                                          My point is, Signal is mobile only.

                                                          1. 4

                                                            Signal has desktop apps for Mac, Windows, and Linux. It needs a mobile to create an account, because they outsource identity management to the phone network, but you can still use it on a big computer with a keyboard. Video conferencing also works on the desktop app.

                                                            1. 5

                                                              It’s not just the phone network. They only have apps for the ‘primary’ application on Android and iOS. You can’t use a Linux phone, KaiOS, etc. I very much dislike giving in to this duopoly. As such, I don’t think it’s as suitable as folks act (and I’m someone that convinced friends and family to use Signal to get them off of Messenger, LINE, and SMS).

                                                              1. 1

                                                                Oh… I stand corrected then.

                                                                1. 1

                                                                  Those aren’t real apps, they forward everything through the phone, and can’t access message history at all.

                                                                  1. 1

                                                                    Uh, no. I can use the Signal app on my desktop and on my iPad when my phone is turned off. I can send and receive messages and use voice and video calling, and inspect my message history, all without my phone being turned on.

                                                                    The desktop apps do not get copies of messages sent before they were trusted. This is also true of the mobile apps, because Signal does not store message history server side and so you need to back it up and restore it to the new device. Until very recently, the backups were tied to a specific app, so you couldn’t move between Android and iOS and keep message history. That is now fixed for the mobile apps but there is not yet a mechanism for importing message history into the desktop apps.

                                                                    Everything that you said is true of the WhatsApp desktop clients.

                                                                    1. 1

                                                                      Everything that you said is true of the WhatsApp desktop clients.

                                                                      That hasn’t been true in a long while, those can run without your phone nowadays, and get full message history.

                                                                      Considering I have to re-pair the Signal Desktop app every single day, because it claims it’s been too long, I get no message history on Signal Desktop at all. I’ve moved entirely away from Signal because it’s utterly unusable.

                                                                      1. 2

                                                                        Considering I have to re-pair the Signal Desktop app every single day, because it claims it’s been too long, I get no message history on Signal Desktop at all. I’ve moved entirely away from Signal because it’s utterly unusable.

                                                                        Have you filed a bug report? I have the Signal desktop on two Windows PCs and a Mac, and the Signal iPad client installed. I needed to re-pair when I put my phone through the washing machine by mistake, but the only messages that aren’t in my history on the other devices are the handful that were received in between installing Signal on the new phone and re-pairing the other devices. I don’t know what’s going wrong for you, but I can confirm that this is not a problem that I have encountered, or seen anyone else encounter, so you’d be likely to get help on the issue tracker if you can help narrow down the root cause.

                                                                        1. 1

                                                                          From what I can tell from my own debugging, it’s intended behavior. If you stop using a device for a few days/weeks, it’s supposed to automatically log you out.

                                                                          It just so happens that I’ve got many devices logged into signal, and only open signal desktop when I actually need to read/write messages, which can be several weeks apart for a single device.

                                                                2. 1

                                                                  This will still cover maybe 90% of use cases.

                                                                  Anyway, what working encrypted email solutions exist?

                                                                  1. 2

                                                                    Nothing. And from the look of it nothing ever will. But I do believe we could have a similar UX experience to email (federated servers & native clients), only secure. The Fediverse actually looks promising, though I know very little of it.

                                                                    1. 3

                                                                      I think if we manage to pull off E2EE in the fediverse, those solutions can be applied to email as well!

                                                                      1. 2

                                                                        seems more natural to start with email, rather than something like mastodon which bundles a lot more functionality.

                                                            2. 3

                                                              How about using matrix? The protocol supports E2EE and handles federated servers much better than Signal. And it’s free software.

                                                              1. 5

                                                                Everyone keeps suggesting Matrix, but I strongly urge everyone to read up on the design flaws and reconsider strongly.

                                                                1. 2

                                                                  What about OMEMO?

                                                                  1. 2

                                                                    I’d rather implement MLS.

                                                                  2. 1

                                                                    Most of those findings are implementation bugs and have already been fixed. Genuine issues in the spec are rare, and afaik already being worked on.

                                                                    A new matrix implementation integrated into mastodon would be unlikely to make the same implementation mistakes.

                                                            3. 1

                                                              you can’t use Signal if you don’t have a smartphone.

                                                        2. 1

                                                          Um, you just used the word “email” in a thread about security. 🤯

                                                          (I know about PGP and S/MIME, but the fraction of people using those, or able to install them without expert help, is indistinguishable from 0.0.)

                                                        1. 12

                                                          I don’t see how you can do E2EE in a web-based service. Or rather, I know how, but it requires trusting the JS the server sends you, which means trusting the server. Which defeats the point of E2EE in a federated system where the server is run by some volunteer in Ruritania whom you’ve never met and don’t know by name.

                                                          I know you ultimately have to trust the software that’s doing the encryption, but in other E2EE systems like iMessage the software isn’t downloaded on literally any page view, and it’s only the app or OS vendor you need to trust this way, which is (a) one entity, and (b) one that’s very visible and has a lot of reputation to lose if they abuse this.

                                                          PS: Thanks for posting this. I’m working on E2EE myself, in a different system, and it’s useful to read more about how others have done it.

                                                          1. 16

                                                            I don’t see how you can do E2EE in a web-based service. Or rather, I know how, but it requires trusting the JS the server sends you, which means trusting the server.

                                                            Luckily, I already wrote the part that addresses this:

                                                            Users shouldn’t expose their keys to the webserver. This means using end-to-end encryption outside the context of the website. This implies a Browser Extension.

                                                            1. 3

                                                              I wish there was a way to do this with something like WebAuthn or FIDO, where the secret key is in a TPM of some sort and persists on the device. I know this works for authentication, but I don’t think you can use it to encrypt arbitrary data. This still doesn’t solve the issue of migrating devices, but it would be a neat way to securely store the private key, ensuring it never gets to the server.

                                                              1. 5

                                                                I do eventually want to write a W3C specification for using a FIDO2-compatible device to encrypt/decrypt keys in a browser context. That would give us a better key management solution than the ones listed on that page.

                                                              2. 1

                                                                maybe the idea of an eternally stored, private message is a fallacy.

                                                                Would short-lived keys like at https://privatebin.info be helpful?

                                                              3. 3

                                                                Honestly I think that mastodon would do itself a big favor by asking people to use native clients. Beyond this problem (web extensions are of course mentioned, and I think you can create isolated contexts that would be very hard for hijacked instances to deal with), there are loads of issues that come from “we are passing around instance-specific links to things”, that basically completely disappear if you are using a client.

                                                                “The follow button semantics are weird” native client resolves auth issues with HTTP. “Why is this link from instance A being hosted on instance B when shared” protocol links to allow clients to receive real things. “E2EE trust semantics” again, native clients mean your trust matrix is different (and theoretically easier to audit).

                                                                One side note on the web-based service issue, is that with a lot of effort mastodon instances could make it so that you could outright save an HTML page locally on disk and have that be “the software”, for people who are worried. There is still an audit step involved there, but it’s not impossible!

                                                                But ultimately the fact that instances host web interfaces (rather than “there are instances, get your client software from X/Y/Z”) is generating constant usability concerns.

                                                                1. 1

                                                                  You can have whatever download semantics you want with service workers and progressive web apps (PWA). You could only let the app update with the user’s permission, you could make all updates be signed by a predefined set of keys, etc. This closes the gap between native apps and web apps and makes it more of a spectrum.

                                                                  If you rely on a browser extension then you’ve just ruled out 99% of people who are not able to, or will not, install a browser extension in their environment.

                                                                  1. 1

                                                                    Interesting. How does the end user know the web-app has these policies, though? If I create a Mastodon account at randomsite.io, can I verify that they are using an unmodified copy of a front end codebase I trust, and that it can’t be changed without my consent?

                                                                    99% of people who are not able to, or will not, install a browser extension

                                                                    [citation needed]

                                                                    Back to my original point, 99% of people will install apps on their phones/tablets though.

                                                                    1. 1

                                                                      You can verify the update policy by reading the (typically < 100 LOC) service worker code. They could also check the hashes of retrieved assets against some known value, which again you could inspect and compare against some other source with the values in the service worker source.

                                                                      EDIT: I’ve just dug deeper and I think I’m wrong. This only applies to all the website assets excluding the service worker script itself. This is still checked for updates regardless, and the browser will install the new version either on next load or immediately if it calls skipWaiting. Although that is also visible to the user (the SW has an incrementing version controlled by the browser).

                                                                      That 99% of people is based on the following: Take one of the most popular extensions like ublock origin, add up the number of installs across all browsers (23 million), divided by the number of internet users (~5 billion). This gives 0.5%. If this is the most popular extension then this would be an upper bound.

                                                                1. 0

                                                                  As you wrote already on your blog post: allowing for everything is just dumb, so I do not really understand why all of your cases that you presented allow the user to do anything and everything.

                                                                  To shorten it, let’s establish a short glossary: CA – crypto agility

                                                                  First, let’s separate the concerns – language is abstract, design is abstract, we are talking not about specific implementations like JWT, SSH or anything – we are talking about CA as a concept. There are better and worse implementations out there and very different usages depending on application.

                                                                  1. CA does not state anywhere that you have to have a. backward compatibility and b. to be able to switch to anything anywhere – those are implementation-specific, and again you are saying that the concept itself is broken. This is False Attribution Fallacy.
                                                                  2. Padding, oracle, and downgrade attacks are also implementation-specific to the code, usage and application. Again, False Attribution Fallacy.
                                                                  3. The post is clearly made from the web-developer perspective, but talks about the general concept and its usage. You are not considering different usages that already exist and are focusing mostly on the narrow, specialized usage (tiny slice of networking applications). This is Packaged Deal Fallacy.

                                                                  1. 6

                                                                    allowing for everything is just dumb, so I do not really understand why all of your cases that you presented allow user to do anything and everything.

                                                                    Because every implementation of a design that prioritized Crypto Agility inevitably fucked up in exactly this way.

                                                                    Real world cryptography is messy and full of mistakes.

                                                                    This is Packaged Deal Fallacy.

                                                                    I blog as my fursona, which I keep totally separate from my legal identity as much as reasonably possible.

                                                                    Most of the real world examples I could point to for why agility fails are under my legal name, and also restricted by NDA. This forces me to take some liberties in how I write.

                                                                    If you want to cross examine my experience (without forcing me to put myself in a legally precarious situation), simply ask other cryptography/security experts if their experience matches mine. Preferably one that you’re paying for their time, so that their incentives are aligned with your interests, not mine.

                                                                    Every solution that avoided the “allow everything stupid” pitfalls began with the premise of not doing Crypto Agility (i.e. WireGuard), or only doing minimal Crypto Agility (i.e. PASETO).

                                                                    1. -3

                                                                      I blog as my fursona, which I keep totally separate from my legal identity as much as reasonably possible.

                                                                      I do not care. Honestly, I’m not concerned with your social interactions. IMO, At the very moment you mix those things into discussion about the technology, which is ruled by specifications, RFCs, and is known for being precise, the strength of your arguments falls to the ground. I would also advise not to bring lawyers, sociology, gender, religious or political beliefs, race, or other non-technical things to the technical discussion; since those are both confusing to the readers and brings nothing to the table – just a free tip for the future.

                                                                      Because every implementation of a design that prioritized Crypto Agility inevitably fucked up in exactly this way. Real world cryptography is messy and full of mistakes.

                                                                      Has every implementation done it? Mine was fine, it had no such problems as you mentioned. Was it good? Fuck no – but does that mean that you saw what I wrote? Does that mean that you saw everything other people wrote? Are you saying you are an all-knowing being from another dimension, granting us your wisdom?

                                                                      You clearly said that all CA is wrong, but you do not know all the applications of it. Moreover, your core understanding of CA is very wrong. I wrote about that before.

                                                                      Most of the real world examples I could point to for why agility fails are under my legal name, and also restricted by NDA. This forces me to take some liberties in how I write.

                                                                      To me, a sentence

                                                                      "i took some liberties to how i write"

                                                                      sounds like a fancy version of

                                                                      "i lied and/or overcolorized what i wrote, whatyougonadoabboutit".

                                                                      It’s like saying

                                                                      “oh no your honor, i did not kill the man, i barely deprived him of oxygen in the mixture of air he was breathing, but I clearly stated by my actions he was not at liberty to use.”

                                                                      a.k.a. "a word salad".

                                                                      Long story short – I am on the other side of the fence. What you are writing is being dishonest to the work i’ve done, and the work of other developers in the field. That’s why I started this discussion.

                                                                      That is also the reason I postulate that you are deliberately either:

                                                                      1. posing as someone you are not,
                                                                      2. advertising yourself as having experience in the field you clearly lack,
                                                                      3. or deliberately misguiding the audience.

                                                                      If you are not, then you have my sincerest apology, but your last comment does not strike me as convincing – at least to this point.

                                                                      Every solution that avoided the “allow everything stupid” pitfalls began with the premise of not doing Crypto Agility (i.e. WireGuard), or only doing minimal Crypto Agility (i.e. PASETO).

                                                                      That’s again a lie, so let me rephrase that for you: "Every solution that I know or noticed did that". And that would be a valid statement, and I would totally empathize with you. But, clearly, the one I was working on didn’t have such a problem, and I already wrote why. Allow me to clarify that again, in simpler words, so it will be easier to understand – CA is like a pattern, a tool, let’s say a gun. Some guns are terrible, some are at least okay-ish, but clearly you got a bad one – you cheaped out, it blew your face off, and now you are ranting that all of them are bad. That is a very childish approach.

                                                                      Conclusion? If you are writing about your experiences, state it as such. Do not discredit or disregard other people’s work. What you wrote is good in theory as a beginning of a debate or a precise and directed rant, but not as an article stating the facts. If for every fallacy you committed I got a dime, I could buy myself a very good coffee now.

                                                                      1. 8

                                                                        I do not care. Honestly, I’m not concerned with your social interactions.

                                                                        “I created an account just to comment on this post on Hacker News, and then created a Lobsters account less than an hour later to post a negative comment here too” - Someone who doesn’t care, apparently

                                                                        IMO, At the very moment you mix those things into discussion about the technology, which is ruled by specifications, RFCs, and is known for being precise, the strength of your arguments falls to the ground.

                                                                        Which IETF working group do you think is responsible, exactly, for my personal blog where the article was published?

                                                                        There are no real “rules” for personal blogs. I write in a conversational English style. I use furry art at my discretion to punctuate my points. Some people dislike it. I simply increase the amount of furry art I use when people complain.

                                                                        I would also advise not to bring lawyers, sociology, gender, religious or political beliefs, race, or other non-technical things to the technical discussion; since those are both confusing to the readers and brings nothing to the table – just a free tip for the future.

                                                                        This is a lot of unsolicited advice from someone who doesn’t care.

                                                                        I’m not going to bother reading the rest of your comment. You should familiarize yourself with the Lobsters rules. We strive to be more positive and constructive than HN or Reddit here.

                                                                        Also, if you think your implementation is special and perfect, at least have the decency to drop a link to the source code so it can be critiqued.

                                                                  1. 9

                                                                    Once upon a time I was trying to explain the problems with JWT to someone who allegedly was a “security person”, and that person told me, in about as many words, that all the vulnerabilities were due to bad developers using dynamically-typed languages, not due to the combinatoric explosion of stuff JWT forces you to think about and either defuse or disable.

                                                                    Unfortunately, JWT still ended up winning in both that debate and most of the SSO protocols :/

                                                                    1. 10

                                                                      And as an aside: I’ve been fighting against JWTs in Django for years, on similar grounds, and so far have been winning that fight. There are a bunch of third-party add-ons to Django that will give you JWTs if you really want them, though.

                                                                      1. 5

                                                                        Thanks for resisting JWT in Django. This builds up my confidence in Django as a Python framework. :)

                                                                    1. 1

                                                                      Is there any reason other than the author’s ideological problem with cryptocurrency to think that Secp256k1 is a bad curve to use for any purpose?

                                                                        1. 2

                                                                          Thanks for the additional information here.

                                                                          (Meanwhile, Ed25519 is designed to be side-channel and misuse-resistant, partly due to its Schnorr construction and constant-time ladder for scalar multiplication, so any library that implements Ed25519 is overwhelmingly likely to be constant-time.)

                                                                          Is an interesting observation - I wouldn’t mind reading a blogpost about how a cryptographer might build this kind of side-channel-resistance into a cryptographic protocol.

                                                                          1. 4

                                                                            You’re in luck

                                                                            I wrote a guide to side-channel attacks in 2020. A lot of the lessons here go into writing constant-time cryptography (especially the bignum stuff).

                                                                      1. 2

                                                                        I was researching this exact question recently and wish I had this article on hand. One additional property of ECDSA I stumbled across was the ability to reconstruct the public key from a message+signature for the cost of a single extra bit, which I thought was pretty neat if I don’t want to spend extra bytes explaining who it was that signed the thing.

                                                                        Also my research turned up considerably more discussion about the perceived trustworthiness of the NIST curves than in OP. Presumably opinions vary as to whether it’s a serious concern. :)
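                                                                        The public-key recovery property mentioned in the comment above, worked through as an added example (not code from the thread, and not any library's implementation): a pure-Python secp256k1 signer that emits the recovery id, the recovery routine, and a check that without that id two distinct keys both verify the same signature. Only the standard library is assumed; the curve arithmetic is variable-time and for illustration only.

```python
import hashlib
import secrets
# secp256k1 domain parameters: y^2 = x^3 + 7 over GF(P), generator G of prime order N
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def point_add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None                                  # p1 == -p2
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P       # doubling (tangent)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P        # addition (chord)
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def scalar_mult(k, point):
    """Plain double-and-add. Its timing depends on k: demo only, never for real keys."""
    result, addend = None, point
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result

def hash_to_int(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")

def sign(priv, msg):
    """Return (r, s, recid). recid = parity of R.y, plus 2 if R.x overflowed N."""
    z = hash_to_int(msg)
    while True:
        k = secrets.randbelow(N - 1) + 1   # per-signature nonce; reuse leaks priv
        rx, ry = scalar_mult(k, G)
        r = rx % N
        s = pow(k, -1, N) * (z + r * priv) % N
        if r == 0 or s == 0:
            continue
        recid = (ry & 1) | (2 if rx >= N else 0)
        if s > N // 2:                     # low-s normalisation, as Bitcoin does:
            s, recid = N - s, recid ^ 1    # negating s negates R, so flip the parity bit
        return r, s, recid

def verify(pub, msg, r, s):
    if not (0 < r < N and 0 < s < N):
        return False
    w = pow(s, -1, N)
    x = point_add(scalar_mult(hash_to_int(msg) * w % N, G), scalar_mult(r * w % N, pub))
    return x is not None and x[0] % N == r

def recover(msg, r, s, recid):
    """Q = r^-1 * (s*R - z*G), with R rebuilt from r and the recovery id."""
    x = r + N * (recid >> 1)
    if x >= P:
        raise ValueError("no such R")
    y_sq = (pow(x, 3, P) + 7) % P
    y = pow(y_sq, (P + 1) // 4, P)        # square root: valid because P % 4 == 3
    if y * y % P != y_sq:
        raise ValueError("x is not on the curve")
    if (y & 1) != (recid & 1):
        y = P - y
    r_inv = pow(r, -1, N)
    q = point_add(scalar_mult(s * r_inv % N, (x, y)),
                  scalar_mult(-hash_to_int(msg) * r_inv % N, G))
    if q is None:
        raise ValueError("recovered the point at infinity")
    return q

def candidate_keys(msg, r, s):
    """Without the recovery id every valid recid yields a key that verifies (r, s)."""
    out = []
    for recid in range(4):
        try:
            out.append(recover(msg, r, s, recid))
        except ValueError:
            pass
    return out

# Constructed demo inputs, not real key material
PRIV_DEMO = int.from_bytes(hashlib.sha256(b"constructed demo key").digest(), "big") % N
MSG_DEMO = b"constructed message: pay 5 coins to bob"
```

Calling candidate_keys on a signature returns two keys that both verify it, which is exactly why one extra bit (the parity of R.y) has to travel with the signature to pin down the signer.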

                                                                        1. 4

                                                                          I’m definitely skeptical of the NSA, and therefore NIST by extension, but Koblitz and Menezes tackles the NIST curve backdoor arguments pretty well. Matt Green has a good write-up about that subject.

                                                                          The common sense argument, of course, is that you don’t sh*t where you eat. In other words, the NSA wouldn’t deliberately choose weak elliptic curves given that they planned to use them for encrypting Secret and Top Secret data for the next 20 years.

                                                                          By calculating the number of possible curve families, Koblitz and Menezes show that a vast proportion of curves (for P-256, around 2^{209} out of 2^{257}) would have to be weak in order for the NSA to succeed in this attack. The implications of such a large class of vulnerable curves is very bad for the field of ECC. It dwarfs every previous known weak curve class and would call into question the decision to use ECC at all.

                                                                          In other words, Koblitz and Menezes are saying that if you accept the weak curve hypothesis into your heart, the solution is not to replace the NIST elliptic curves with anything at all, but rather, to leave the building as rapidly as possible and perhaps not shut the door on the way out. No joke.

                                                                          With that in mind, even though I vehemently distrust the NSA, I still don’t buy the “NIST curves are backdoored” argument at all. Some of this discourse might be due to confusion about the Dual_EC_DRBG backdoor (which used “elliptic curves”, so it may be viewed as a “proven elliptic curve backdoor”).

                                                                        1. 5

                                                                          I’m a dummy, what library will force me to use the right curve & other parameters and provides a high quality constant-time implementation of whatever tool I need?

                                                                          1. 16

                                                                            You want libsodium.

                                                                            1. 5

                                                                              I really like libsodium, but I don’t think I could have understood the bits of their docs where they justify their algorithm choices without your blog (the nice thing about libsodium is that I don’t need to understand those bits of the docs, of course, but that doesn’t mean that I don’t want to).

                                                                              1. 17

                                                                                Yeah, we’re tackling opposite sides of the problem.

                                                                                “I don’t know what I’m doing, please save me from making a bad decision” -> libsodium

                                                                                “I want to know what I’m doing” -> blogs from cryptography nerds

                                                                                They’re complementary features :)

                                                                              2. 4

                                                                                Monocypher is also a good choice IMHO — smaller and simpler.

                                                                                1. 3

                                                                                  Agreed. I generally recommend the original upstream NaCl, libsodium, or Monocypher depending on your circumstances. All three are fantastic libraries with minimal footguns.

                                                                                2. 2

                                                                                  Great to know this is still the right choice! Thanks.

                                                                              1. 8

                                                                                My skip-level manager at work expressed concern last week that I’m not taking enough vacation time, so now I’m trying (and not succeeding) to figure out some sort of vacation plan.

                                                                                Before January, I had never taken a vacation before in my entire work career. Instead, I just did long weekends for tech/furry conventions here and there. In January I took a week off because of burnout from conducting too many interviews as an introvert. I also took a few days in March to visit my grandma before she died.

                                                                                I’m very bad at this.

                                                                                1. 4

                                                                                  Doesn’t help that current epidemiological events make it hard to justify anything other than sitting at home.

                                                                                  1. 3

                                                                                    “I’m in this picture and I don’t like it.”

                                                                                    1. 2

                                                                                      We travelled to a wedding weekend before last which, while fun, has led to a few confirmed cases (and more probables that are refusing to test). I’m going a bit stir-crazy.

                                                                                      1. 1

                                                                                        Extremely true.

                                                                                        Maybe I’ll spend a week in VRChat.

                                                                                        1. 2

                                                                                          If you do that lemme know so I can join at some point and we can talk memes

                                                                                      2. 1

                                                                                        Take more long weekends, but not for conventions, just for funsies

                                                                                        1. 1

                                                                                          Are there any places you would like to visit during a vacation period? Or maybe you can take a break from work to simply relax and catch up on household duties? I’m not very travel oriented but a week break from work to simply relax and hang out with local friends is a perfectly ideal vacation for me.

                                                                                          1. 3

                                                                                            I’m not a traveler, but staycations tend to lead to me working on side projects since my home lab is right there.

                                                                                            1. 4

                                                                                              If travel is not your thing, consider staying at a hotel nearby to avoid “falling into” the home lab. Bring a suitcase of books (or a kindle) and enjoy not doing any chores for a week.

                                                                                              1. 1

                                                                                                Is there perhaps a (potential) side project that would require you to do some research somewhere else? That might be a reason to travel. Maybe the travel itself can be (part of) a side project. For instance, if you like building hardware you could build a GPS tracker. And then travel to the north pole to see if it works.

                                                                                                In the past I had great fun travelling to conferences in another country. Book some more days and discover the city, etc.

                                                                                            2. 1

                                                                                              Just wondering what “skip-level” means?

                                                                                              1. 2

                                                                                                Manager’s manager

                                                                                                1. 1

                                                                                                  I use first-line manager, second-line manager, etc. The first-line is your direct manager, the second-line manager their manager, and so on. I picked this up at IBM.

                                                                                                  1. 1

                                                                                                    Skip-level (or just “skip”) is a term I picked up from an Amazonian a few years back.

                                                                                            1. 11

                                                                                              These are all worthy and probably excellent enhancements - but they don’t address my core beef with PHP: The APIs.

                                                                                              The weird mix of pre OO big_long_namespaced_function_names() with some OO libraries make my skin crawl :)

                                                                                              (I’m looking at you, get_file_contents() :)

                                                                                              1. 12

                                                                                                It’s file_get_contents() btw 😊

                                                                                                1. 17

                                                                                                  Details are important. Thanks for the correction.

                                                                                                  On the up-side, this means I have succeeded in my goal of wiping PHP from my brain :)

                                                                                                2. 4

                                                                                                  I think it’s probably hopeless to fix that stuff because there’s so much legacy code that depends on it.

                                                                                                  My core beef is the existence of the PHP configuration file, but same story there.

                                                                                                  1. 3

                                                                                                    Yeah. I worked for a PHP shop a few jobs back, and one of the web devs responding to my carping about it said “Yeah but you see, the thing is, PHP isn’t for YOU or even US. It’s for EVERYONE, even non programmers”.

                                                                                                    At the time I thought he was just defending it because I was tipping his sacred cow, but I do think there’s some truth in there.

                                                                                                  2. 6

                                                                                                    These are all worthy and probably excellent enhancements - but they don’t address my core beef with PHP: The APIs.

                                                                                                    There’s two ways to address this, as far as I’m aware.

                                                                                                    1. Use Composer to install an open source library that has the API you want. (e.g. https://github.com/thephpleague/flysystem)
                                                                                                    2. Demand the PHP core team break backwards compatibility with the software that powers 80% of the Internet to satisfy your aesthetic opinions about APIs.
                                                                                                    1. 4

                                                                                                      So just to be clear, I realize I am absolutely being the Princess and the Pea with my API issues. PHP is clearly a tool that makes many MANY people around the world productive, and WordPress and Drupal and their ilk power huge swaths of the internet.

                                                                                                      That said, I don’t have to particularly enjoy working with the language even if I do appreciate its many and varied strengths :)

                                                                                                  1. 2

                                                                                                    Due to insomnia, I updated my CV for the first time in like 3 years. Figured I might as well see if I can increase my annual compensation because of the highly competitive job market right now.

                                                                                                    Otherwise, just continuing to exist while I wait for inspiration to write to return to me.

                                                                                                    1. 7

                                                                                                      Staring into the gaping void of an empty “New Post” form for my blog until it stares back or I pass out from exhaustion.

                                                                                                      1. 2

                                                                                                        If you need inspiration: I’d love to read something from you about how to safely use the Argon2 family to derive a range of keys for different uses from a password. Reading some of the docs, it’s difficult to tell if it’s fine to just use a different salt, if the salt needs to be non-guessable, or if I should generate a single key and then use a KDF for deriving separate keys (and, if so, are there any other things that I should worry about when using a KDF with the output from a password hash function).

                                                                                                        1. 2

                                                                                                          The okta hack might be a nice topic for inspiration ;)

                                                                                                          1. 1

                                                                                                            Hope it stares back with intent! Love reading your stuff.