Data is not the new gold, data is the new uranium.
Sometimes you can make money from it, but it can be radioactive, it's dangerous to store, has military uses, you generally don't want to concentrate it too much, and it's regulated.
Why keep uranium you don't need?
Follow
Click to Follow FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
@FiloSottile
Cryptogopher / Go crypto maintainer / -knower / RC F'13, F2'17 / #BlackLivesMatter / he+him
mkcert.dev / age-encryption.org / filippo.io/newsletter
Filippo Valsorda @filippo.abyssdomain.expert’s posts
Alright, actually unpopular opinion thread time. Might delete later.
Allowing pets in the office is not an inclusive policy.
whoami.filippo.io, the SSH server that knows who you are, got some newly refreshed intel! Try it out!
$ ssh whoami.filippo.io
I have some personal news 👀
Today is my last day at Google! 🛫🏝🌅
I am leaving to take a long break from full-time employment and explore different ways Open Source maintainers can get paid.
I want to make words.filippo.io/professional-m a thing, starting with Go cryptography!
read image description
ALT
Replying to
This is the maintainer who fixed the vulnerability that's causing millions(++?) of dollars of damage.
"I work on Log4j in my spare time"
"always dreamed of working on open source full time"
"3 sponsors are funding 's work: Michael, Glenn, Matt"
People, what are we doing.
I just saw a professional electrician follow a YouTube video, and I was confused for a second.
Then I remembered I have 15 StackOverflow tabs open, and it all made sense.
I'm being downvoted on HN for mentioning that a black person saying "all white people are bad" is not the same thing as a white person saying "all black people are bad", in case you were wondering how tech is doing on understanding systemic racism.
No one is paying the log4j2 maintainers!?
There is a whole page on the responsibilities of a "Project Management Committee"... AND NO ONE IS PAYING THEM? apache.org/dev/pmc.html
Open Source needs to grow the hell up. Yesterday.
Quote
Log4j maintainers have been working sleeplessly on mitigation measures; fixes, docs, CVE, replies to inquiries, etc. Yet nothing is stopping people to bash us, for work we aren't paid for, for a feature we all dislike yet needed to keep due to backward compatibility concerns. twitter.com/shipilev/statu…
Big news! ✨ ʕ◔ϖ◔ʔ
I am joining the Go team. 💥
In New York City. 🗽
Owning the crypto libraries. 🔐
On the new Open Source team. 🚀
things Go developers don't have to worry about: a thread
Earlier today, I kept getting "406 Not Acceptable" errors adding an embedded tweet to my blog post.
Spent 15 minutes trying to figure out what was wrong. No hits on Google.
Look at my Twitter name and tell me if you can figure it out 😅
mkcert: valid HTTPS certificates for localhost — a short blog post about github.com/FiloSottile/mk now that it's almost done 🔒
blog.filippo.io/mkcert-valid-h
“We don’t negotiate salaries” is a negotiation tactic.
Always. No, your company is not an exception.
Heh, maybe you should not have automated this.
Hiring engineering talent is hard.
And yet, there is a large pool of engineering talent up for grabs by any company that can muster the courage to say:
- remote policy is yes
- SF/NY mid-market rate worldwide after taxes/benefits
- unlimited immigration budget
- four day weeks
Replying to
I will donate $300 to RAICES to see this happen.
These checklists from Apple are gold.
If you want to see if anyone else has access to your device or accounts: support.apple.com/en-us/HT212021
If you want to stop sharing: support.apple.com/en-us/HT212022
If you want to make sure no one else can see your location: support.apple.com/en-us/HT212023
We all agree the status quo is unsustainable.
Here are 1,000 words on how we could get the role of Open Source maintainer to graduate to a real, properly paid profession.
The thing is, companies need it as much as maintainers do.
Replying to
Software engineers will build the tools to burn the world down as long as they’re in the correct programming language and ace the benchmarks.
Maybe the most powerful people of our time reduced to puppets by basically “who’s a smart engineer? you’re a smart engineer, yes you are”
Sad to see all these cheap negative quips about Github & Microsoft. MS has been doing some awesome work in Open Source recently (just look at VS Code), and hired some excellent people. I see no reason to be worried.
A cosmic ray just murdered a Certificate Transparency log.
groups.google.com/a/chromium.org
Replacing loaded words in codebases might not change much, but opposing those changes speaks volumes.
Replying to
The market rate of a developer who can maintain a large open source project is at least $300k/yr. (Conservatively, check levels.fyi.)
The most I've seen someone rack up on GitHub Sponsors and Patreon is like $1,000/month.
You see the problem?
StackOverflow question: “the police are making people on the street install spyware, how do I protect myself?”
Top HN comment: “discussing authoritarianism is pointless, more importantly, why doesn’t the spyware use HTTPS?”
I hate this soulless industry.
BlueCoat now has a CA signed by Symantec crt.sh/?id=19538258
Here's how to untrust it blog.filippo.io/untrusting-an-
Damn. has been the Linux random driver maintainer for like a hot minute, and /dev/[u]random is now 100% SHA-1 free and 370% faster. Amazing.
lore.kernel.org/lkml/202112231
lore.kernel.org/lkml/202112301
You are logged into an old server. The uptime is 788 days.
There are a lot of kernels here.
>
Kathryn, , did not bypass code review.
She didn't disrupt anyone's work.
She didn't target an individual.
She didn't violate any policy I'm aware of.
She linked to an NLRB notice from an extension that exists to show links to policies.
This only makes sense as retaliation. twitter.com/eiais/status/1
This Tweet is unavailable.
Wow. Linus admits his behavior was hurting people and Linux, recognizes being an asshole does not scale, apologizes, and takes time off to work on himself.
Hopefully others who looked up to his behavior can take the occasion for similar introspection.
lore.kernel.org/lkml/CA+55aFy+
Weird time to get this news, but after almost 7 years of fighting my way to NYC...
my Green Card I-140 petition was approved this week!
🙌🍾🗽📬🇺🇸👽🏁🥳
Setting up an iPhone as a secure travel device. Notes, tips and tricks for your next trip to an hostile network.
This US Government is down to two nines.
I didn't really care about the macOS OCSP thing (I'm fine with Apple knowing what signed apps I run, and revocation is hard) until I realized those checks are over plaintext.
Broadcasting what apps you launch to the network in plaintext should not have passed privacy review.
Every time I touch Python packaging I encounter beautiful colorful output that tells me that something changed and nothing works anymore.
It's the only time I just try random upvoted commands from GitHub issues until it works.
How does anyone get any work done like this?
I just killed 500 lines of crypto/tls code. 🎉💥🔥
In Go 1.14, no more SSLv3. No ifdef, no option. It's deleted.
golang.org/cl/191976
I don't really care who this man-child is, but notice something...
He worked at Stripe for years.
This shit is everywhere in the industry. The next time you hear a story of discrimination that you find hard to believe, just remember this loser.
This little change must be the biggest security improvement to SSH's Trust on First Use in the past 20 years.
![$ ssh 10.11.99.1
The authenticity of host '10.11.99.1 (10.11.99.1)' can't be established.
RSA key fingerprint is SHA256:sUFyNeqmdLFctoU1uv18PXxGsZkTdAEX8uFayGdpxi4.
This host key is known by the following other names/addresses:
~/Sync/known_hosts:94: remarkable.home.arpa,172.27.10.217
~/Sync/known_hosts:209: 192.168.178.52
Are you sure you want to continue connecting (yes/no/[fingerprint])?](https://pbs.twimg.com/media/E98-cDJWQAACZtS?format=png&name=large)
read image description
ALT
People Magazine printed my title as Cryptogopher. That is all.
Quote
Replying to @FiloSottile
your Tweet was quoted in an article by @people people.com/human-interest
📣📣📣📣 It's here! 🥁🥁🥁🥁
💥🍾🏁✨ age v1.0.0 ✨🏁🍾💥
Java does what now?
I have... more concerns than fit in a tweet. twitter.com/ncweaver/statu
This Tweet is unavailable.
The TSA first made flying a miserable experience, then made you pay a bribe to skip most of it with Pre. Now they mismanaged the bribed line too, and you can pay a bigger bribe to Clear to skip most of that. 💯🇺🇸🦅💵
As a bonus, a private company has your biometrics now. 👁
The BUS DRIVERS are refusing to work for the police state, while software engineers, with the most leveraged profession of our time, still can't get their employers to stop working for ICE.
Cowards. Disorganized and cowards. All of us. I'm ashamed.
I'm a big fan of brew cask for its library of zap instructions, which remove all traces of an application, however it was installed.
The Zoom one has just been updated to remove the persistent server.
brew update
brew cask zap -f zoomus
github.com/Homebrew/homeb
For when you want to figure out how to apply some macOS preference from the command line, without Googling for hours for out-of-date defaults commands:
$ defaults read | pbcopy
# make changes in System Preferences.app
$ diff -u -F '^ "' <(pbpaste) <(defaults read)
Replying to
(BTW, I also know that guide dogs and emotional support dogs are critical to inclusivity, so that's not what I'm talking about. It's normal to have to accommodate conflicting needs sometimes. I'm taking about bringing your pet to work for fun.)
I am—or at least was in this picture—America's newest pilot! ✨🛩👨✈️
I passed my checkride today on this Piper. This was both a dream and a challenge like I haven't tackled in years.
48 hours, 35 days start to finish including weather days. It's been a ride 🍾
read image description
ALT
Woah, did not see this one coming. OpenSSH now uses hybrid post-quantum Streamlined NTRU Prime + X25519 by default!
openssh.com/txt/release-9.0
read image description
ALT
Folks, it works!!
I am officially a full-time independent open-source maintainer! 🧑💻💼
That means I spend most of my time on open-source maintenance, and I offer retainers to companies that benefit from my work and from access to me.
Full details 👉 words.filippo.io/full-time-main ✨
JWT is so bad that I find myself wondering what I was doing when it was being created and if I could have done something to stop it.
Also, note that this HN thread is full of developers just now learning that JWTs only does signing. Except it can also do encryption. 🤷♂️
There's some inane gatekeeping pushback on this absolutely mild take, so let me say it loud and clear:
I'm a Senior Software Engineer at Google who works on cryptography and open source, and I find email-based patch submission a meaningful barrier.
Exploitable heap overflow in libgcrypt 1.9.0 (┛ಠ_ಠ)┛彡┻━┻
It's the crypto library that gpg uses. Homebrew has 1.9.0 right now. 🚨
dev.gnupg.org/T5259
Replying to
I am severely allergic to dogs and cats. Contact makes me break out in bubbles. Long indoor exposure causes me acute asthma attacks. Mild symptoms involve fatigue and respiratory problems hard to distinguish from a cold.
Here's one thing I think we'll find unacceptable in 50 years.
The degree to which minors have no rights.
They are basically non-people: no right to privacy (school and parent spyware), no right to freedom (go to your room!), can't even make their own medical decisions.
I'm already tired of QR discourse.
Users click on links and scan QRs. It's what they are for.
Mentally model the security boundary where it is, not where you want it.
Replying to
It's ready! 💥 github.com/FiloSottile/yu
yubikey-agent is a seamless ssh-agent for YubiKeys. 🔒 Written in Go, it takes one command to set up, and never needs restarting. ✨
Occasional reminder of unevenly distributed knowledge.
Above $200k, you mostly negotiate equity, not salary.
Mid-career engineers in the US can go way beyond $200k at large tech companies and startups that compete with them.
YIKES.
It's important to destigmatize therapy, but giving permanent therapy transcripts to a VC-backed engagement-optimized tech startup is TERRIFYING.
Teletherapy should be ephemeral by law, and it should not be allowed to optimize for more therapy.
YIKES. YIKES. YIKES.
Quote
Replying to @kashhill
Talkspace, a text therapy app made famous by Michael Phelps ads, keeps transcripts for about 7 to 10 years because they're medical records—and data-mines them, of course. But all the other stuff going on there was WILD. nytimes.com/2020/08/07/tec
Replying to
Other places are way worse. I get recruiting emails listing the "office dog" as a perk.
Guess what, me and a number of other people can't work for you now due to a completely work-unrelated medical reason.
Replying to
I know what I am biologically allergic to, tyvm stranger on the Internet.
So... guess who just got a Green Card, with perfect timing? 🎉
read image description
ALT
This is my main objection to password-encrypted key files.
If you get to read arbitrary files from my disk you can pull my pictures, messages, and cookies (including the AWS console ones).
But at least not the SSH key? Yay? Who cares?
read image description
ALT
Replying to
But here's the thing: the issue compounds. If you are already fighting a culture of sexism, are you going to spend political capital on... not letting people bring their dog to work?
Of course not, so maybe it has to be privileged people complaining about this.
The police is arresting, shooting, and macing journalists.
They are driving tanks into cities and escalating.
They're getting recorded and they don't care.
Defund the police. Disarm them. Drop qualified immunity.
Captive portals are the worst. So I made a tool to log into them from a dedicated Chrome w/o touching DNS settings. blog.filippo.io/captive-browse
Here's my response to that Google manifesto. If a recruiter emailed you, it's something concrete you can do, too: gist.github.com/FiloSottile/7e
The GNU project has no time to waste on silly stuff like providing an inclusive environment, it's all about the hard technic... *taps earpiece*
read image description
ALT
Quote
TIL that the gnu coding standards specify that you must not abbreviate "windows" as "win" because that's too positive and suggest standardizing on "woe", which is puerile even by the low bar I already had in mind for gnu gnu.ist.utl.pt/prep/standards
Feature request: block all accounts created in 2020.
Most of them are bots. And if someone actually joined Twitter in 2020, look, they clearly make bad life choices.
Journalists. When reporting about Telegram groups, I need you stop referring to it as a “secure messaging app” without context.
This is not crypto nitpicking. Telegram groups ARE NOT ENCRYPTED.
Can we talk about the fact that is systematically putting much of the news industry to shame?
This guide to filming police misconduct is grounded, useful, correct, insightful, actionable, sourced, and AFAICT flawless.
Oh my. Apparently, AMD CPUs will sometimes return bad results from RDRAND after a suspend. That's bad, but if everyone has been following the cryptographer's advice and _just used getrandom()_ that's not a problem.
... nope! systemd of course didn't!
🎉 mkcert made it to 10.000★ 🎉
v1.1.1 can make HTTPS certificates for localhost or any name on macOS, Linux and Windows, automatically trusted in Chrome, Firefox and Java.
github.com/FiloSottile/mk
Replying to
To be clear, they are absolutely correct.
A lot of Go criticism seems to be “Go does {simple thing} instead of {complex thing I know about and you don’t}”. I’m very ok with that.
Folks, the time to run debirdify.pruvisto.org or fedifinder.glitch.me is now.
You don't need to have an account elsewhere yet. Download the CSVs while you can, and you can import them later.
go go go go
Added a OpenSSH roaming vuln test to the whoami server
$ ssh whoami.filippo.io
(code: github.com/FiloSottile/wh)
Oh this is good. apple.com/newsroom/2021/
Replying to
Easy UNIX piping! No config options! Modern crypto! No keyrings! Public keys that fit in a tweet! No more looking up how to encrypt a file on StackOverflow. 💥
age1t7r9prsqc3w3x4auqq7y8zplrfsddmf8z97hct68gmhea2l34f9q63h2kp
Try it out and send feedback 👉 age-encryption.org
Replying to
Others have a phobia of dogs instead of allergies, and they feel even less legitimized to speak up and "be that person", but have to cope with a work space that does not feel safe.
Replying to
In summary, allergies and phobias don't get the same treatment as disabilities, but they are also issues that exclude people for no good reason, or force them to fight for a safe environment.
OMG YES YES YES
If you are into signing git commits, here's your answer!
Also, I'm happy any time I see SSH signatures in use. Every developer has SSH keys! We have robust tooling and hardware for them! They are simple!
You can use ssh-keygen(1) to produce and verify them. twitter.com/damienmiller/s
This Tweet is unavailable.
Replying to
To prove that crypto code can be understandable, I gave my best shot at writing a readable Poly1305 implementation. It tries to explain both what it’s doing and how. (It’s also 75% faster than the current one.) blog.filippo.io/a-literate-go-
read image description
ALT
PSA: don't rely on GnuTLS, please.
[CVE-2020-13777] Whoops, for the past 10 releases most TLS 1.0–1.2 connection could be passively decrypted and most TLS 1.3 connections intercepted. Trivially.
Also, TLS 1.2–1.0 session tickets are awful. blog.filippo.io/we-need-to-tal
Quote
GnuTLS was using an all-zero key for encrypting TLS session tickets. Whoops. gitlab.com/gnutls/gnutls/
Everyone is talking about the RSA key generation bug, and there's indeed a catalog of things that went wrong, but the thing is...
YOU DON'T GET TO IMPLEMENT A FALLBACK FOR RANDOMNESS
That's it. That's the tweet.
github.com/juliangruber/k
🚨 The age-encryption.org reference implementation reached beta! 🥳
age(1) — a simple, modern, secure file encryption tool.
Quote
Beta 2 is out! github.com/FiloSottile/ag
github.com/FiloSottile/age
When we say shipped from the floor of #36c3, we mean it.
Rust at the top of /r/golang and Go at the top of /r/rust. My job here is done.
Replying to
By the way, I like dogs! I like dogs so much that sometimes I take meds and cover every inch of my skin to play with them for half an hour (and then immediately jump in the shower and accept some mild asthma for a couple days). But no one should have to at work.
I was going to announce a newsletter, but instead I found an XSS in the service I'm using for it, so now the sign up page is a Proof of Concept and I'm not sure this story has a moral.
Parents, please check your kids' candy this Halloween. I just found ECB mode in my son's candy bar. Be safe.
read image description
ALT
I'm such a sucker for nice UNIX pipelines.
$ pngpaste - | zbarimg -q --raw - | pass otp append
This extracts a QR code from a screenshot in the clipboard (⌘⌃⇧4) and saves it as a TOTP 2FA entry in password-store.
$ brew install pngpaste zbar pass-otp
Linus is arguing against the whole secure-by-default philosophy in order to break the only correct randomness interface in Linux. (The one that works like all the BSDs.)
I can't, I just can't. I'm actually giving up.
Go will mitigate it if it happens, but that's it.
Quote
I disagree with Linus on this issue. It’s the situation where you’re sure you really *don’t need* secure random numbers that represents the special case. Put your API flag there. lore.kernel.org/lkml/CAHk-=wiG
Wireguard is up there with Mosh in terms of not leaking the network semantics into the user experience: I've had a Mosh session and a Wireguard tunnel open to my home server for days from home, to plane WiFi, to Italian tethering.
Other software, be more like Wireguard and Mosh.
Strong disagree. As always, the problem with ProtonMail is not that they don't deliver an impossible product (secure email), but that they advertise it.
It's a choice, they know it, they benefit from it, their users believe it, and they are responsible for it.
Quote
So, @ProtonMail had to give out information about one of their users. Navigating what has happened is a bit tricky, and I'm not going to complain about the fact that Proton handed out the data. Why? Thread. twitter.com/tenacioustek/s…
Holy mother of all vulnerabilities.
PSA: the git:// protocol is unencrypted like http://
GOOD: git clone https://example.com
GOOD: git clone git@example.com # uses ssh
BAD: git clone git://example.com
BAD: git clone http://example.com
Quote
Replying to @FiloSottile
Jesus Christ. /cc @hanno
Ticketbleed (CVE-2016-9244): leak of up to 31 bytes of memory via TLS Session IDs, affecting most F5 BIG-IP versions ticketbleed.com
