Is there a good way to use the Wayback Machine to view the hashes of deleted Git repositories?
My naive poking around in the Wayback/GitHub Web interface keeps bringing me to dead UI elements (as expected). But maybe there’s a static page I should know to look for.
The sudden deletion of important Git repos from GitHub is now a thing, and while that *shouldn’t* mean all copies of the software are gone (thanks to Git being decentralized), it does make it hard to verify purported clones w/o knowing the hashes.
For non-experts: the strength and weakness of Ethereum-based mixers is that they exist at visible contract addresses, and while users *within* the mixer contract may have privacy, they identify themselves as using the service upon entrance and exit.
In the short term I expect that a straightforward response to Tornado sanctions will see users use new instances of the Tornado contract, or other similar forks. Treasury will then have to sanction those new addresses whack-a-mole style.
Any system that allows application code to *see* a hashed password has been mis-architected from the beginning. (And yes I realize that includes nearly all systems.)
It’s bizarre that modern apps just stuff password hashes into a database along with a bunch of other data that app code can access. It’s like storing plutonium in the refrigerator next to your mayonnaise.
The correct answer (from a developer) to “did you accidentally copy a password hash into a URL” should be: “how the heck would I ever access the user’s password hash even if I wanted to?” And yes I realize this is wishful thinking.
I don’t want to crap on the PQC competition as others have: they’re stimulating some really impressive research, and this isn’t my area to crap on. But sometimes the standardization process does feel a little premature.
In particular I’m a little worried about the lack of standardization around hybrid PQC/non-PQC constructions. Naively I didn’t initially think this was a big deal (hey, those will be easy for practitioners to throw together) but this is a *standards* process, so it really won’t.
In particular the constructions for CCA security are “baked into” most of the PQC encryption standards, and you can’t just tack on ECC without potentially breaking things pretty badly.
After reading that Nest shares footage with police without a warrant, I was wondering which cloud cameras don’t. And it seems that Apple HomeKit cameras use end-to-end encryption.
I’ve been researching my house in Baltimore and so far I’ve learned that in 1916 it belonged to Carl C. Thomas, the first professor of Mechanical Engineering at Hopkins.
Even found a copy of his book for sale on Amazon.
I assume that when I die I will also be called to gently haunt this home, given the nature of the decor.
It’s increasingly obvious that there are attackers (including state-sponsored attackers) making lists of vulnerable “web3” services, ordered by target value and system vulnerability. And they are working systematically down those lists.
Who is doing the same on defense?
I don’t mean “who is defending those systems individually.” I mean: who is systematically defending this area to keep North Korea from collecting $100s of millions to use in its missile program?