I’m sorry, I simply cannot be cynical about a technology that can accomplish this.
Thomas H. Ptacek
@tqbf
Full of passionate intensity. @tqbf@infosec.exchange
Thomas H. Ptacek’s posts
The all-new Mac Pro, in its maxed-out configuration, will run as many as 12 concurrent Slack sessions. This workflow has never been possible before.
Welp. It’s the crypto bug of the year. Mark it down for April. Java 15-18 ECDSA doesn’t sanity check that the random x coordinate and signature proof are nonzero; a (0,0) signature validates any message. Breaks JWT, SAML, &c.
I know I’m a huge dork for saying this but this Wikipedia deletionist is now one of my heroes.
This is an important fact about Telegram that not a lot of people seem to understand:
The implications of this for bash scripting are terrifying.
Quote
TIL you can run SQL queries directly against CSV files as a one-liner using the default sqlite3 command line utility
til.simonwillison.net/sqlite/one-lin
Come for the bible verses, stay for the Internet policy positions!
AWS does not “hold the keys to the Internet”. It is perfectly possible to run services on your own hardware, and plenty of companies do exactly that. twitter.com/daveyalba/stat
The cheapest and (probably) most popular TLS Certificate Authority is also the best and most trustworthy. Not the outcome I’d have expected 10 years ago. Congratulations, LetsEncrypt.
Every time I write a bash script, I celebrate by killing 19 Stack Overflow tabs in Chrome.
Moxie’s analysis of web3 is really, really good. I had no idea about a lot of this stuff. moxie.org/2022/01/07/web
The boy just asked if he should learn C++. It’s long past due for THAT conversation, and bad parenting that I waited for him to ask. I’m glad we caught him before he started experimenting on his own.
Talk all you want about Bolton or Pompeo or Mueller or Guccifer but the end result is the same:
The 2018 midterms are probably the most important election in our lifetimes.
Reminder that it’s 2017 and there’s still no reliable built-in way to encrypt a file to send to a peer on any mainstream OS.
TIL: OpenSSH’s default key encryption is so bad you might as well not set a password on your SSH keys. latacora.singles/2018/08/03/the
Or, “I kept 70 people late at the office 6 days a week for a year, then laid them off with 2 days notice 10 days before Christmas, and then bragged about it.”
If you’re telling people to stop using WhatsApp because it’s insecure, you’re a crypto antivaxxer. Please stop. Call people out on this.
The guy who maintains Helm, the most important package in Emacs, is a 57-year old alpine mountain guide who learned to program when he was 42, as a hobby. sachachua.com/blog/2018/09/i
Look, I am just not having this.
Vulnerabilities you discover internally — rather than in a security incident where they were discovered, or reported unbidden by a third party — ARE NOT BREACHES.
Words mean things.
DOWNVOTES
IMPRISONING ME
ALL THAT I SEE
ABSOLUTE HORROR
I CANNOT LIVE
I CANNOT DIE
TRAPPED IN THIS THREAD
COMMENTS MY HOLDING CELL
I love that it’s a $700 doorknob that only works if a company that sells $700 doorknobs can stay in business.
People who never, ever report vulnerabilities have the most interesting opinions about how people should report vulnerabilities.
Matrix is not the first group chat system to have this basic flaw, which is apparently non-obvious: if you can’t securely control group membership, the cryptography doesn’t much matter.
Hey, look. Reddit got owned up. STOP USING SMS 2FA. It doesn’t work.
Your periodic reminder that CS stands ALMOST ALONE among STEM fields for gender disparity. Mathematics, astronomy, biochem: ALL FAR BETTER.
This is so excellent. Several Japanese Unicode characters are meaningless, transcribed by mistake, and we’re stuck with them forever. 妛挧暃椦槞蟐袮閠駲墸壥彁
Mudge is the new head of security at Twitter, which got me talking about cDc, hacking groups, cliques, and the distinctions between them. I mentioned 8lgm and TESO as examples of hacking groups best understood as hacking groups, unlike cDc.
Someone said: “never heard of them”.
Reminder to techs: work is political whether you like it or not. Apolitical nerds simply accept the default settings of their employers.
Hats off to the SEO genius at “crontab.guru” who knew that people would be searching for “crontab every 7 minutes” (and every other number of minutes) and has a page ready for each of them.
OH: “if an attacker can figure out how to use Cloudwatch Logs's search, they deserve my password”
If I have to pick just one, the dumbest thing Hacker News believes about security is that phishing is a simplistic attack that only unsophisticated users fall for.
By default Telegram stores the PLAINTEXT of EVERY MESSAGE every user has ever sent or received on THEIR SERVER.
This is the sickest burn of Internet message board culture I have ever read and it is from 1941.
Use Signal for messages.
Use Tarsnap for backups.
Use Magic Wormhole for file transfers.
Use age for file encryption (but make sure file encryption is actually what you need).
Wow. This is the most succinct explanation of the entire Bitcoin phenomenon I’ve ever read. twitter.com/BryceElder/sta
:eyeballs-falling-out-of-head-emoji:
Try harder, Vice News. This is embarrassing.
If you’re a Congressional campaign within 5 hours driving distance of Chicagoland (lookin’ at you, Londrigan and Dady) in any direction: Erin and I will give your staff hardware security tokens and train them how to secure their email with it. 2018. Don’t screw around.
Fuck it. I give up. I believe in formal methods now. Show me proofs for everything. I was wrong, the proof nerds were right.
We have decided that January 1, 2020 will be the day we sunset C. You can’t run any C code after that.
Tailscale wrote an excellent blog post about using Litestream/SQLite as their internal database. So we bought Litestream. Your move, Tailscale!
This is such a smart idea and I’m kicking myself for not thinking of it myself.
Hi, I’m your CPU fan, installed as a friendly reminder that you may still have Flash enabled somewhere.
I’ve written like 1500 lines of bash in the last two weeks and my entire experience of bash is just Googling how to do anything and never retaining anything. I wonder if this is what Java felt like in the 2000s.
Everyone please take a moment to consider what a big deal it would be if this had been Google accounts rather than Facebook accounts.
Honestly? At this point? I don’t think Apple can do a public event that mentions the Macbook without STARTING WITH AN APOLOGY FOR THIS FUCKING KEYBOARD.
This paper is basically Github Copilot in reverse: researchers scraped open source code to build an NN model that can look at decompiled code and somewhat reliably recover the original types and variable names(!). Works with Hex-Rays now, but could be made to work with Ghidra.
Quote
This paper is awesome (h/t @tqbf): usenix.org/system/files/s
Turns out that machine learning can reconstruct reasonable variable names from decompiled source! I'd love to see this integrated with Ghidra.
Use an iPhone, reason #348793:
Here Assange pretends that he didn’t help sign the death warrants for his two most prominent supporters.
Quote
President Obama has a political moment to pardon Manning & Snowden. If not, he hands a Trump presidency the freedom to take his prize.
I don’t know how this isn’t the biggest story on the Internet right now. The key ceremony for the WHOLE INTERNET has been POSTPONED. THIS IS NOT NORMAL.
Here’s a whole essay she wrote after talking to historians about scrubbing “Clean Wehrmacht” mythology from WP WW2 content, over the strenuous objections of war nerds who treated Wehrmacht personnel like Pokemon cards.
“Things were just starting to get boring in the field of computer security when somebody said, ‘Hey, let’s reinvent desktop applications in a way that transforms the most common web app vulnerability into native remote code execution!’.”
Reminder that if you’ve any opinions about VPNs, you should know about WireGuard, which is like the Signal of VPNs. wireguard.io
The fuck? We’ve never taken a dollar of funding, here or at Matasano, and we pay interns. Everyone we talk to pays interns. What dipshit founders is he talking about?
Quote
Congratulations to @AOC on fighting the hard fight to kill internship programs!
almost every founder I talk to has canceled their internship programs (or won’t start them) because they see no reason to pay for the right to slow down their A players to train young people twitter.com/AOC/status/115…
Tailscale has built one of the most valuable and widely-loved connectivity services of the last decade and the top comment on the orange site thinks that THEY’RE the joke because they did it by ignoring a lot of the conventional wisdom about n-tier app design.
I am so confused by the constant question of “well if not PGP then what?”
Huh? Nobody uses PGP. It’s like asking “if not Betamax then what?” It’s not even wrong. Use Signal and Wire like everyone else.
Congrats to David Wells on a really excellent vulnerability. Update your Zoom client, or throw it into a dumpster and light it on fire.
More Fly.io job stuff: I’m putting together a team dedicated to private networking — WireGuard, eBPF. Go, Rust, and BPF-C. I haven’t put a JD together, but feel free to reach out if you’re interested (thomas at fly io works, too).
Steal or write your dotfiles when you’re 17. Accrete lines over time; remove or edit rarely. The entries in your gradually expanding PATH like rings in a tree trunk. One day you may need your .profile to work on a SunOS 4.1.3 machine again, just wait.
Quote
What are people's dot files pro-tips? I keep my dot-files super small and boring (github.com/colmmacc/dotfi) but I couldn't live without "set bg=dark" in a .vimrc, or server keepalives in .ssh/config.
It is uncomfortable realizing how much higher a moral plane GWB probably occupies than the current POTUS. Deeply so. twitter.com/Susan_Hennesse
To get better IPR rights.
To not work in loud open offices.
To improve broken recruiting processes.
To fix broken performance tracking systems and end stack ranking.
To stop working nights and weekends to hit insane deadlines.
To allocate time to pay down tech debt, fix security. twitter.com/codinghorror/s
Fuck algebra. You can just set the base point to the public key of the cert you want to spoof. This is the best day. t.co/eQIFGjzDOe
I didn’t highlight any part of this paragraph because all of it is crazy talk.
I suggest that’s because 95% of “computer science” isn’t science at all, and most of the nerds ranting about this have never done science.
thread for embarrassing debug log messages you’ve accidentally merged into main
This is fucked up. We’ve been looking and can’t find a SINGLE expert that agrees with this. The lie is outrunning us.
I _absolutely do not believe_ that the culture across all of big tech is “security first” the way it’s “safety first” among major airlines. That is just not true. twitter.com/stevesi/status
“The CSO of Equifax has a music degree” is the very dumbest Equifax complaint; immediately suggests cluelessness about security field.
Reminder: recommended Google 2FA config:
1. U2F Security Key
2. iPhone Code Generator
3. Physically secure backup codes
4. NO SMS.
It's also good at "nasty rejection letters" for weird jobs, as long as you also tell it to "including specific details about the job and failings of the candidate."
It is absolutely off-the-charts crazy that antivirus programs proxy all your TLS connections. THIS IS NOT NORMAL. bugs.chromium.org/p/project-zero
Here’s a huge fight she picked about whether every recipient of a particular Nazi medal was automatically notable (a team of editors believed so, and systematically created pages for all of them). Note how everyone who deals with her assumes she’s a dude.
Keep telling me it’s OK to ship software in memory-unsafe languages. openwall.com/lists/oss-secu
The single most important cryptographic feature of Signal is Signal’s willingness to say “no” to feature requests, even for what seem like table stakes basic messaging features. No secure group messaging feature is ever simple.
This is the coolest thing I’ve seen in months: github.com/google/wychepr
Bleichenbacher and Thai Duong!
FOR FUCK’S FUCKING SAKE.
alg: none filtered; alg: nOnE not filtered.
insomniasec.com/blog/auth0-jwt
HN seriously on the verge of organizing a candle-light vigil over this firing.
This is the biggest, most impactful cryptographic result in years, and nobody is talking about it. You can have a whole successful career and not discover something half as important as this.
Quote
Tomorrow (Wednesday 6th) at @BlackHatEvents, we are presenting with @martinralbrecht, @DowlingBJ and @djwj_ our work on finding practically exploitable vulnerabilities in Matrix. Join us!! blackhat.com/eu-22/briefing (and check our paper: nebuchadnezzar-megolm.github.io)
If you’re freaked out that your browser turned something called “DNS over HTTPS” on, you’re being bamboozled. DoH is a good thing.
Best thing I’ve read on legality of Trump’s EO. Also: this is a great time to be following .
Quote
When he went after green cards, not even the vast power given the President could be justified. twitter.com/faultXlines/st
Thing computer security people have done for years that will hit the mainstream in 2017: burning their phones before crossing borders.
New cryptographic “right answers”. Was going to be a tweet storm but I don’t want to lose more friends.
Holy shit, Facebook has released their #golang libraries, and with it, the best Go generics library! SUCK IT, C++!
Every large company with _any_ security competence is continuously finding vulnerabilities in everything they build.
You will hear about virtually none of them.
This isn’t a massive cover-up.










