Notices by Filippo Valsorda :go: (filippo@abyssdomain.expert)

@ryanc @matthew_d_green @jawnsy the appropriate person was paged to the courtesy phone

In 2022, I left Google in search of a sustainable approach to open source maintenance. A year later, I was a full-time independent professional open source maintainer.

Today I’m announcing the natural progression of that experiment: Geomys, a small firm of professional maintainers with a portfolio of critical Go projects.

Nicola Murino, the maintainer of x/crypto/ssh, and @dominik, the maintainer of Staticcheck and Gotraceui, are Geomys’ first Associate Maintainers ✨

https://words.filippo.io/dispatches/geomys/?source=Mastodon

@GossiTheDog No reason to make it personal. We’ve all introduced bugs, especially over a long open source career. Please don’t.

I'm watching some folks reverse engineer the xz backdoor, sharing some *preliminary* analysis with permission.

The hooked RSA_public_decrypt verifies a signature on the server's host key by a fixed Ed448 key, and then passes a payload to system().

It's RCE, not auth bypass, and gated/unreplayable.

More details in this thread: https://bsky.app/profile/did:plc:x2nsupeeo52oznrmplwapppl/post/3kowjkx2njy2b

@foone With Bluesky announcing federation today, how is Bluesky Social PBC more in the position to make arbitrary changes than Mastodon gGmbH?

@FediThing @foone

"Technically any hosting provider can do this for any online platform."

Not really? I host my website on Fly.io but they can disappear tomorrow and I will just change my DNS records. (Registry and registrar are strictly regulated.)

Likewise, my newsletter is on Ghost but I can take my subscribers with me unilaterally.

If chinwag.org goes offline though, you can't move your followers. Whether that's intentional or not.

Alas, the Mastodon spam wave found my instance. Anything I can do aside from turning off notifications?

Thanks for the scripts, but I’m on @mastohost and anyway I can’t run a script every time I want to check notifications.

Turned on the @ivory filter (which got two false positives) and turned off push notifications 🤷♂️

Why is the Mastodon default to allow open registration, anyway? It should be a heavily discouraged setting, with moderated signups being the default.

If the moderation team can't keep up with registration requests surely they can't moderate those accounts either.

We've seen this before with open SMTP relays.

@ryanc @matthew_d_green

IIRC @agl made an online test for it, a page that would only load for vulnerable clients.

That was the inspiration for making the Heartbleed test, which kickstarted my career.

So thank you :)

@ryanc I opened one at a Red Cross training 8am in the morning. Had to explain multiple times 😅

@icing git add -p 🧐

@icing oh it’s probably top 3 things that make git work for me. Lets me do a cursory review of everything I’m committing and encourages well scoped commits. Also works well with git-revise.

There's everything to love in

"X-Wing: The Hybrid KEM You’ve Been Looking For"
https://eprint.iacr.org/2024/039

- concrete choices!
- strong proofs
- easy to implement
- good performance
- "quantum superiority fighter"

\./
/^\

@durumcrustulum can I haz CCTV test vectors? <3

This is not a carefully worded statement, but fuck Appelbaum, fuck the people who sheltered and supported him these past years, and fuck those who are allowing his unrepentant attempt at a comeback and putting people and communities at risk. #37c3

I wonder if all the people commenting on how Chrome is killing ad blockers with MV3 have tried an MV3 ad blocker.

I’ve been using one (uBO Lite) with Firefox for security reasons for a while now. It works.

I’ve read the uBO wiki page, I know the limitations, but I wonder if other people notice them in practice more than I do.

Here's the UK Government stating—like NIST did—that 128 bit keys are enough against quantum computers. No need to migrate to 256 "because quantum".

https://www.ncsc.gov.uk/whitepaper/next-steps-preparing-for-post-quantum-cryptography#section_4

@dangoodin @ryanc @sophieschmieg That's a very simplified model, which I initially took as good myself, but it's effectively incorrect. In practice, 128 bits is enough. Not only that, but post-quantum crypto of Category 1 is defined by NIST as "as hard to break as AES-128".

https://words.filippo.io/dispatches/post-quantum-age/#128-bits-are-enough

The app is doing what it’s designed for ?♂️

You can’t make an invasive consent-less “parenting app” that’s not a victim control app because the two tasks are not different.

It’s just somehow socially acceptable to subject minors to it, because they are apparently property without rights, not people.

https://www.forbes.com/sites/thomasbrewster/2023/04/06/sex-traffickers-use-parenting-apps-like-life360-to-spy-on-victims/

There's a fairly broken hand-rolled cryptographic protocol on the HN front page. Its messages can be reordered, dropped, replayed, and reflected.

This is why I *don’t* like the “don't roll your own crypto” saying: it didn't stop this from being written and spending hours on the HN front page (but does stop smart folks from getting into the field).

https://news.ycombinator.com/item?id=34857411