lenish

There are some nice RNG changes in the pipeline for Linux 5.18, addressing a long standing crypto quasi-vuln in the RNG, going back to Linux 1.3.35. Gory details and some fun PoC code are in this commit: git.kernel.org/pub/scm/linux/… [1/3]

Apparently parsing arbitrary HTTP in the kernel is more secure than doing it in userland. #shithnsays

The QUIC API OpenSSL will not provide daniel.haxx.se/blog/2021/10/2… - my write-up about the current situation.

Internet EDM Task Force ietf.org/mailman/listin…

Fred and Amaury just committed an amazing work on #QUIC+HTTP/3 in #HAProxy 2.5! They're far too humble to admit it in part due to many remaining limitations and bugs, but here you can already see curl-7.80 ->HAProxy-cde911231 ->Apache-2.4 at work with H3 translated to H2! Kudos!

Ever curious about HTTP Smuggling? Check out HTB's Sink video, it abuses a bug between HAPROXY and GUNICORN to trick the server into writing someone else's HTTP Headers into your POST Request. Allowing you to steal the cookies! youtube.com/watch?v=8gf5Yv…

Between the 3 Sept and 10 Sept, secure env vars of *all* public @travisci repositories were injected into PR builds. Signing keys, access creds, API tokens. Anyone could exfiltrate these and gain lateral movement into 1000s of orgs. #security 1/4 travis-ci.community/t/security-bul…

It's finally ready: Prodfiler, a continuous profiler that "just works" -- for C/C++/Rust/Go/JVM/Python/Perl/PHP -- no code change required, no symbols on the machine required, no service restart required. Check out: prodfiler.com or the blog post below.

I'm glad the @NSAGov "Quantum Computing and Post-Quantum Cryptography" FAQ dismisses quantum key distribution (QKD) as impractical. There are several companies out there trying to push their QKD solutions, which aren't useful for anything. media.defense.gov/2021/Aug/04/20…

I can't believe it: Intel decided to be open about the debugging capabilities of their chips. Our work definitely bears fruit: software.intel.com/content/www/us…

@ezyang valgrind usually does a good job IME, unless it's a rare leak

it still gets my goat how hard it is to debug memory leaks

TIL bash namerefs foo() { local -n array=$1 array+=( a ) } bar() { declare -a arr foo arr # note the lack of a $ echo "${arr[@]}" } Prints: a

@jjcarett2 my favorites have broken pseudocode and a note from the author on their website asking you to email them for the source. Never have received a reply.

Wow, so many CS papers from before ~2015 are amazingly non-reproducible! The systems are not available, and the details in the paper are not there at all. Super frustrating to do a lit survey and see many papers that we ought to have learned 'something' from, but can't.

Source for those curious: gist.github.com/mainframed/188…

github copilot has, by their own admission, been trained on mountains of gpl code, so i'm unclear on how it's not a form of laundering open source code into commercial works. the handwave of "it usually doesn't reproduce exact chunks" is not very satisfying

This is an amazing paper. It implies (with strong statistical evidence) that the design of a major mobile-data encryption algorithm — used in GPRS data — was deliberately backdoored by its designer. eprint.iacr.org/2021/819

Private chatrooms in Slack are engineering culture cancer. Engineering decisions should be a matter of record all engineers can review.

This is bonkers: At a large enough scale, you will have CPUs that develop silent corrupt execution errors. Manufacturing and burn-in tests miss these: sigops.org/s/conferences/…

The QUIC transport is now RFC9000 rfc-editor.org/rfc/rfc9000.ht…. Amazing work by everyone. Like recent protocols like TLS 1.3 its already deployed to a huge % of the internet traffic even before RFC which is a testament to the success of the IETF process.

Programming is fun. Engineering is work.