Filippo Valsorda @filippo.abyssdomain.expert
Cryptogopher / Go crypto maintainer / @kateconger-knower / RC F'13, F2'17 / #BlackLivesMatter / he+him https://t.co/ZE4RtJ1xqD / https://t.co/qfth7zr00W / https://t.co/j1grpEm8uR
Nov 1, 2022 12 tweets 5 min read
Why don't we release CVE numbers with pre-announcements?

It would be very convenient to name tools and write docs and open issues in advance. The point of CVEs is to get everyone talking about the vuln with the same name, and we are all talking about it already. #OpenSSL

Alright, configured a pretty vanilla Fly.io VM with OpenSSL 3.0.6 to act as a lab. Should be fun. #OpenSSL
Aug 5, 2022 7 tweets 3 min read
I implore you, don’t give a mundane FOIA lawsuit more attention than it deserves.

It’s 2022, we should all be inoculated against people “just asking questions” and spinning loose facts into conspiracy theories.

Ask yourself if you’re being sold a story on emotions and why.

This is what I’m talking about. blog.cr.yp.to/20220805-nsa.h…

Bernstein filed a pretty routine FOIA lawsuit, which is fine, he should win, great.

You only find out in the last ten paragraphs, though. First there’s him implying scientists were bribed in “just asking questions” style. Some people seem to be unable to rationally consider the pos
May 6, 2022 9 tweets 3 min read
I have some personal news 👀

Today is my last day at Google! 🛫🏝🌅

I am leaving to take a long break from full-time employment and explore different ways Open Source maintainers can get paid.

I want to make words.filippo.io/professional-m… a thing, starting with Go cryptography!

I believe Open Source will change one way or another, so I'm putting my (lack of) money where my mouth is, and doing what I think can best catalyze the change I want: becoming a professional, independent Open Source maintainer myself 👨‍💻💼
Mar 15, 2022 4 tweets 2 min read
Looks like LibreSSL might have spilled what OpenSSL will announce today after 13:00 UTC (which will include a HIGH-severity vuln).

Unbounded loop in BN_mod_sqrt reachable from X.509.

"A malicious certificate can cause an infinite loop."

ftp.openbsd.org/pub/OpenBSD/pa…

Ah, here's the OpenSSL advisory.

openssl.org/news/secadv/20…

Infinite loop in certificate *parsing* reachable from TLS.

Dec 30, 2021 4 tweets 3 min read
Damn. @zx2c4 has been the Linux random driver maintainer for like a hot minute, and /dev/[u]random is now 100% SHA-1 free and 370% faster. Amazing.

lore.kernel.org/lkml/202112231…
lore.kernel.org/lkml/202112301…

@zx2c4 When I say a hot minute, the MAINTAINERS patch was mailed 30 days ago. lore.kernel.org/lkml/202111301…

You might know @zx2c4 for making Wireguard (and getting it into Linux).
Dec 28, 2021 5 tweets 2 min read
Watching @tqbf arguing on HN with someone who is lamenting the lack of authentication in age, and here's the thing... age does provide authentication.

I am just wary of advertising because I'm afraid that authentication in a multi-recipient scenario is hard to reason about.

@tqbf Specifically, I believe it is in fact impossible to generate an age ciphertext that will successfully decrypt for an unknown identity/recipient.

(I have not put in the effort to prove this, as it's not an advertised security property of age. Consider it a freebie.)
Jan 29, 2021 19 tweets 7 min read
Exploitable heap overflow in libgcrypt 1.9.0 (┛ಠ_ಠ)┛彡┻━┻

It's the crypto library that gpg uses. Homebrew has 1.9.0 right now. 🚨

dev.gnupg.org/T5259

It's in cipher/hash-common.c (!) and looks like it's hit when extra data is hashed after finalizing the hash.

Doing that is a partial mitigation for timing side channels on the length of a hashed message. Very partial.

dev.gnupg.org/rC512c0c752769…
Jan 27, 2021 4 tweets 2 min read
This is neat, the new SoloKey sports an updateable Rust firmware.

Now, hear me out @nickraystalder @0x0ece: you already have 25519 code, give us a scalarmult op and we can make an age plugin that works with native recipients!

kickstarter.com/projects/conor…

The Solo V2 supports PIV like the high-end YubiKeys, so it already works out of the box with yubikey-agent for SSH, nice.

I'm guessing it also supports Ed25519, so I should get around to landing github.com/FiloSottile/yu….
Jan 16, 2021 6 tweets 3 min read
Alright folks, do you want to see this happen? Me and @tqbf discussing "don't roll your own crypto" on Twitch?

How about a fundraising drive for Partners In Health? At $1000 we drop a recording, at $2000 we livestream. Send receipts!

pih.org/?form=donate

@tqbf Already made it to $250!

Dec 26, 2020 11 tweets 3 min read
Every time I touch Python packaging I encounter beautiful colorful output that tells me that something changed and nothing works anymore.

It's the only time I just try random upvoted commands from GitHub issues until it works.

How does anyone get any work done like this? I especially appreciate the beautiful colorized stack trace that shows me the boilerplate code that prints the error.
Nov 18, 2020 13 tweets 7 min read
Here we go, let's see how the new M1 chips do on Go benchmarks!

(Might be a good time to mute #M1, I have a new toy and I took time off work until the end of the month.)

First step is

$ GOOS=darwin GOARCH=arm64 ./bootstrap.sh

on my corp MacBook. Well, it couldn't be too easy I suppose.

Ran bootstrap[.]sh (which is just a convenience wrapper for make + mv bin/darwin_arm64/go bin/go + tar), sent it over with webwormhole.io, cleared the quarantine xattr, and...

zsh: killed ./go-darwin-arm64-bootstrap/bin/go

#M1
Aug 10, 2020 6 tweets 2 min read
YIKES.

It's important to destigmatize therapy, but giving permanent therapy transcripts to a VC-backed engagement-optimized tech startup is TERRIFYING.

Teletherapy should be ephemeral by law, and it should not be allowed to optimize for more therapy.

YIKES. YIKES. YIKES.

CLIENT RETENTION BONUSES. For therapists!

What the actual fuck. This can't be ethical.
May 31, 2020 14 tweets 5 min read
The police are arresting, shooting, and macing journalists.
They are driving tanks into cities and escalating.
They're getting recorded and they don't care.

Defund the police. Disarm them. Drop qualified immunity.

A black CNN reporter was arrested after identifying himself while filming on a highway that was blocked by police and protesters.

Dec 27, 2019 10 tweets 6 min read
🚨 The age-encryption.org reference implementation reached beta! 🥳

age(1) — a simple, modern, secure file encryption tool. Easy UNIX piping! No config options! Modern crypto! No keyrings! Public keys that fit in a tweet! No more looking up how to encrypt a file on StackOverflow. 💥

age1t7r9prsqc3w3x4auqq7y8zplrfsddmf8z97hct68gmhea2l34f9q63h2kp

Try it out and send feedback 👉 age-encryption.org
Sep 6, 2019 20 tweets 8 min read
Go 1.13 is definitely the best Go version ever! You'll have to trust me this time, as @bradfitz was on leave 😉

Here's a thread of highlights from the release ✨💥

There were more than 1750 commits since Go 1.12, so I'm going to miss some awesomeness here. Of course, I can't claim credit for almost any of this.

All user-visible changes are in the release notes 👇

golang.org/doc/go1.13
May 12, 2019 5 tweets 2 min read
Alright Twitter, it’s time to #killgpg. If you use gpg to encrypt files, tell me how and what features you need.

Do you care about signatures? Streaming? Do you pipe tar into it? Do you need seeking? CLI or libraries? Big or small files? Today we’re going after encryption, not signing. Signing is not a tooling problem but a trust problem, and to the extent it is, it’s mostly covered by signify.

Emails are also out of scope. Again, a trust and medium problem. (Which OpenPGP does not solve.)
May 7, 2019 12 tweets 4 min read
Oh my. Apparently, AMD CPUs will sometimes return bad results from RDRAND after a suspend. That's bad, but if everyone has been following the cryptographer's advice and _just used getrandom()_ that's not a problem.

... nope! systemd of course didn't!

github.com/systemd/system…

Now I'm kind of scared to go look what genuine_random_bytes does...

OK, WTF, what is pseudo randomness exactly, and why on earth would you want some "genuine" randomness with a splash of "pseudo" on top.

github.com/systemd/system…
Apr 11, 2019 14 tweets 3 min read
Alright, actually unpopular opinion thread time. Might delete later.

Allowing pets in the office is not an inclusive policy. I am severely allergic to dogs and cats. Contact makes me break out in bubbles. Long indoor exposure causes me acute asthma attacks. Mild symptoms involve fatigue and respiratory problems hard to distinguish from a cold.
Mar 11, 2019 12 tweets 3 min read
I believe the recent efforts to bring Forward Secrecy to TLS 1.3 0-RTT data are far, far into the realm of diminishing returns. Thing is, I don't think FS is that valuable in itself. Thread.

When PFS cipher suites first came along they were a big leap forward in the security of TLS, for two reasons:

1) they provided Forward Secrecy (if you are compromised tomorrow, today's connection is safe) relative to very long-lived key material—certificates that lasted years
Dec 4, 2018 13 tweets 5 min read
“We don’t negotiate salaries” is a negotiation tactic.

Always. No, your company is not an exception. A tactic I don’t appreciate at all because of how unfairly it penalizes low-leverage, junior employees, and those loyal enough not to question it, but that’s negotiation for you after all. Weaponized information asymmetry.
Jul 4, 2018 6 tweets 2 min read
Can't believe that two versions after introducing support for DNS-over-TLS, unbound still makes a new TLS connection (handshake and everything) *for every DNS request*. I'm convinced that while DNS-over-TLS makes more sense as a protocol than DNS-over-HTTPS (DNS requests are small and have unique IDs), the DNS software ecosystem is just unprepared to handle DoT, while there's solid software to reuse for DoH.