Tom Ritter

2.6K posts

@TomRittervg

Firefox Security. Also: Exploits, Mitigations, Crypto, Privacy, Pseudonymity & Anonymity, Tor https://t.co/77PxWQYyJV

Joined November 2008
392 Following 2.8K Followers
Tom Ritter
Tom Ritter@TomRittervg·
@suzanne_young I gave a presentation in a room that sat about a thousand at a conference with over 10,000 attendees to an audience of about seven. Three by the time I was done. I like what @KariByron said.
English
0
0
2
61
Tom Ritter
Tom Ritter@TomRittervg·
I was holding out for Mozilla's Mastodon instance to launch, but I am now over at mozilla.social/@tomrittervg and getting settled.
English
0
1
5
621
Tom Ritter
Tom Ritter@TomRittervg·
@anton_chuvakin I don't know if someone else at this, but I believe that elevators are designed so that if they fail the brakes engage.
English
0
0
1
144
Dr. Anton Chuvakin
Dr. Anton Chuvakin@anton_chuvakin·
Are there technologies that are "inevitably secure", defined as secure no matter what the user does with it? Please don't use "buried in concrete, then sunk to the ocean floor" examples, I mean the tech that is actually used... #random
English
49
12
43
31K
Tom Ritter
Tom Ritter@TomRittervg·
Excited to see if I get banned for voting yes
English
0
0
1
732
Tom Ritter
Tom Ritter@TomRittervg·
@FiloSottile It's not a huge leak, but imagine you were doing the same thing for subkey expansion for symmetric keys. I don't know how an attacker would take advantage of that, but I still wouldn't want my primitives library doing those kinds of things under the hood without my knowing.
English
1
0
0
0
Tom Ritter
Tom Ritter@TomRittervg·
@FiloSottile Maybe a web browser was a bad illustration. Two operations that may have been intended to be independent now share a subtle resource pool and can influence each other. Imagine a server that retrieves a URL submitted by a user.
English
1
0
0
0
Tom Ritter
Tom Ritter@TomRittervg·
A bonus to this: it's generally far easier to look for one bug you understand well in a ton of software, than look for any notable bug in one piece of software.
English
0
1
6
0
Tom Ritter
Tom Ritter@TomRittervg·
If you're wondering how people come up with crazy bugs and present them at places like Black Hat - one way is reading stuff like danluu.com/deconstruct-fi… and then digging into the subtlest implications in a wide variety of high-profile software.
English
1
3
7
0
Tom Ritter
Tom Ritter@TomRittervg·
TikTok tracking specific users. archive.ph/FiMw7 Says "IP Based" location tracking, which is certainly bad (home wifi) but GPS based would be more useful and way worse. I would assume if the app has the permission, it's using it... Anyone have other sources on this?
English
0
0
1
0
Tom Ritter
Tom Ritter@TomRittervg·
If you're going to publish a fingerprinting paper: publish when your data set was collected and the source code for your script. This is like publishing results of an opinion survey without publishing the questions. Your results could be nonsense but we can't tell.
English
0
0
2
0
Tom Ritter
Tom Ritter@TomRittervg·
And secondly: your contribution - even small - has immense value even if it isn't the same as another's. Just as a person's worth is inherent and not dependent on their accomplishments or status - so too are you as a contributor.
English
0
0
1
0
Tom Ritter
Tom Ritter@TomRittervg·
There's the old adage "Cypherpunks write code". I *think* we've collectively recognized the duality of the encouraging sentiment of _doing something_ with the gate-keeping in that sentence. But to be explicit, being a contributor can take so many forms. blog.mozilla.org/sumo/2022/09/1…
English
1
1
4
0
Tom Ritter
Tom Ritter@TomRittervg·
... Does anyone I know work at Asus? You've got a problem that's going to make life very painful for your router users...
English
1
6
11
0
Tom Ritter retweeted
Haifei Li
Haifei Li@HaifeiLi·
It seems that Microsoft patched many (if not all?) of the RCEs I discovered in this attack surface (ODBC SQL-related drivers) in this #PatchTuesday. You may want to patch NOW.:) msrc.microsoft.com/update-guide/a… twitter.com/HaifeiLi/statu…
Haifei Li@HaifeiLi

In no joking:), I discovered like 17 RCE bugs all in a SINGLE attack surface in Windows, which proved one point I've been talking about for a while. Thread. twitter.com/HaifeiLi/statu…

English
1
4
50
0
Tom Ritter retweeted
David Juncker
David Juncker@DavidJuncker·
Two rubber bands beat back COVID19. Sealing a common surgical mask onto the face with two rubber bands as shown 👇 upgrades it to an N-95 respirator. Peer-reviewed study with the data: journals.plos.org/plosone/articl…
English
277
808
2.7K
0
Tom Ritter
Tom Ritter@TomRittervg·
(It was caught during review so it doesn't count as a bug!)
English
0
0
0
0
Tom Ritter
Tom Ritter@TomRittervg·
Has anyone ever tried writing a compiler warning that compares the Levenshtein distance in the variable names and corresponding argument names in function calls to detect misordered but same-typed arguments? I swear this isn't based on a bug I recently wrote.
English
1
0
6
0
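A sketch of the check the tweet above asks about, written here as an added example (not code from the thread or from any existing compiler): a small Python AST linter that, for each call to a function defined in the same module, compares the names of positional variable arguments against the corresponding parameter names using Levenshtein distance. A pair of arguments is reported as a likely swap only when each argument name is strictly closer to the other argument's parameter name than to its own, and only when the two parameters carry the same (or no) type annotation, since a swap across differently typed parameters is the type checker's job. The `SAMPLE` module and the `copy_bytes`/`send` functions in it are constructed for the demonstration.

```python
"""Flag probably-swapped same-typed positional arguments by name similarity.

Added example: a Python-AST approximation of the compiler warning discussed
in the tweet. Function names and the SAMPLE module below are constructed.
"""
import ast


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute, unit cost)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def _annotation_key(param: ast.arg):
    """Stable textual form of a parameter's annotation (None if absent)."""
    return ast.dump(param.annotation) if param.annotation is not None else None


def find_swapped_args(source: str):
    """Return (lineno, callee, arg_i, arg_j) for each suspected swapped pair.

    Only calls to functions defined in the same source are examined, and only
    positional arguments that are plain variable names are compared.
    """
    tree = ast.parse(source)
    funcs = {n.name: n for n in ast.walk(tree) if isinstance(n, ast.FunctionDef)}
    findings = []
    for call in ast.walk(tree):
        if not isinstance(call, ast.Call) or not isinstance(call.func, ast.Name):
            continue
        fn = funcs.get(call.func.id)
        if fn is None:
            continue
        params = fn.args.args
        args = call.args
        n = min(len(params), len(args))
        for i in range(n):
            for j in range(i + 1, n):
                ai, aj = args[i], args[j]
                if not (isinstance(ai, ast.Name) and isinstance(aj, ast.Name)):
                    continue
                pi, pj = params[i], params[j]
                # Different declared types: a swap there is a type error, not our concern.
                if _annotation_key(pi) != _annotation_key(pj):
                    continue
                # Each argument must look more like the *other* slot's parameter name.
                i_prefers_j = levenshtein(ai.id, pj.arg) < levenshtein(ai.id, pi.arg)
                j_prefers_i = levenshtein(aj.id, pi.arg) < levenshtein(aj.id, pj.arg)
                if i_prefers_j and j_prefers_i:
                    findings.append((call.lineno, fn.name, ai.id, aj.id))
    return findings


# Constructed sample module: one real swap, one correct call, one repeated
# name, and one swap the annotations hand off to the type checker.
SAMPLE = '''\
def copy_bytes(dst: bytes, src: bytes, n: int) -> None:
    dst[:n] = src[:n]

def send(sock, host: str, port: int):
    return (sock, host, port)

def main():
    source = b"abc"
    dest = bytearray(3)
    host, port = "example.invalid", 80
    copy_bytes(source, dest, 3)   # swapped: flagged
    copy_bytes(dest, source, 3)   # correct order: not flagged
    copy_bytes(dest, dest, 3)     # same name twice: not flagged
    send(None, port, host)        # swapped, but str vs int: left to the type checker
'''


if __name__ == "__main__":
    for lineno, callee, a, b in find_swapped_args(SAMPLE):
        print(f"line {lineno}: call to {callee}() may have '{a}' and '{b}' swapped")
```

Running the block reports only the `copy_bytes(source, dest, 3)` call. The "both arguments prefer the other slot" rule is what keeps the noise down: a single argument whose name happens to resemble a neighbouring parameter is not enough, which is the same trade-off a real compiler warning would have to make before it could be enabled by default.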