SpikeGronim | 9 years ago | on: Salsa20 design [pdf]
ChaCha20 is implemented in hardware on many mobile platforms. It's often a preferred TLS cipher on Android. AES is common in hardware as well.
SpikeGronim | 9 years ago | on: The U.S. Navy Almost Fought the Soviets Over Bangladesh
SpikeGronim | 10 years ago | on: Air gaps never exist (2011)
You can pressurize the gas and put a barometer in the tube in order to detect any breach of the tube. This was used during the cold war and the NSA tapped the communications cable anyway by filling the space around the tube with gas as well. Source: James Bamford's books on the NSA.
SpikeGronim | 10 years ago | on: AWS CodePipeline
I love Brazil and Apollo. As an ex-Amazonian I miss them on a weekly basis.
SpikeGronim | 11 years ago | on: The Dining Cryptographers Problem (1988) [pdf]
I don't think your attack violates the security model of this protocol. One of the proofs in the paper is that if you have a network of good and bad nodes the bad nodes can use tricks like you posted to discover whether a good or bad node sent the message. I think that's all they can discover: did an attacker send this or not? But then again they already knew that, didn't they? So I think your attack is only interesting for 3 nodes.
SpikeGronim | 11 years ago | on: How we’ve made Raptor fast
You generally use Unicorn etc. behind something like nginx. The last time I did that I used nginx to handle thousands of concurrent connections that were forwarded to nCPUs Unicorn instances. Nginx is very good at handling lots of connections, Unicorn is good at handling a Rack app.
SpikeGronim | 12 years ago | on: Space Monkey dumps Python for Go
Several things make it easier to maintain:
- super fast compile times for fast developer iterations
- you can create an interface (set of methods) that your module owns, and apply it to objects created by other modules without recompiling. If you only need one method you can take that one. It encourages decoupling you from your dependencies.
- the code has one correct formatting convention and a tool that will auto-format your code
- many complex rules for numeric conversions that are implicit in C and cause no end of trouble are explicit and much simpler in Go.
- treating concurrency as a series of sequential processes connected with channels makes it MUCH easier to reason about.
SpikeGronim | 12 years ago | on: Results of the GitHub Investigation
They say no evidence of illegality, but there is evidence of poor judgement. Without commenting on the specifics of this incident that's a valid reason to fire a CEO/co-founder/exec. I have no particular knowledge of what happened but if GitHub thinks he showed poor judgement then it is reasonable to ask him to resign.
SpikeGronim | 12 years ago | on: Google Announces Massive Price Drops for Cloud Computing Services, Storage
I am an ex-AWS employee. I can verify that AWS was founded as a new line of business using new servers purchased for AWS. The idea that AWS was started using Amazon's spare capacity is widely repeated but false. Amazon is definitely leveraging their expertise and not their physical machines. Source: I've seen the original pitch deck for Amazon S3.
SpikeGronim | 12 years ago | on: Amazon.com Help: Amazon Prime and Amazon Student Prime Membership Fee Changes
Yeah, the reason AMZN doesn't pay UK tax is NOT because they are not profitable. It is because they legally avoid taxes by basing all their EU operations out of Luxembourg. Tax codes need reform world-wide to avoid this kind of bad behavior.
SpikeGronim | 12 years ago | on: Amazon.com Help: Amazon Prime and Amazon Student Prime Membership Fee Changes
Prime is considered a marketing expense. Amazon absorbs hundreds of millions or even a billion dollars in shipping charges through prime. It's a huge reason they have a thin profit margin.
SpikeGronim | 12 years ago | on: Feinstein: CIA searched Intelligence Committee computers
"W/ the NSA program, you're just a row in a database, if you're not a terrorist* or associate with terrorists nobody gives rat's ass about what you're doing unless one can relate you to another suspicious character. That's national security stuff, sorry if ya don't like it, but tough."
This "if you are not a terrorist don't worry" reasoning is flawed. GCHQ was capturing all Yahoo! webcams. That's not anti-terrorism, that's fodder for blackmail. You also don't surveil WoW to find terrorists. The Snowden leaks have shown many projects that have nothing to do with "national security", but if you say those magic words nobody can oversee what you're doing.
The CIA, NSA should be disbanded and replaced with new institutions. Those institutions should have limited scope and much tighter oversight.
SpikeGronim | 12 years ago | on: Rails – The Missing Parts
I can confirm that Etsy.com is primarily PHP. We have no externally facing Rails projects. We have some internal tools on Rails.
-- [email protected]
SpikeGronim | 12 years ago | on: Amazon WorkSpaces
Legally, due to the EU Data Protection Directive. It's a legal obligation.
SpikeGronim | 12 years ago | on: Ask HN: Where can I find a software job that helps society?
SpikeGronim | 12 years ago | on: An introduction to libuv
Redis doesn't use libuv, and in fact rejected a patch from MS to add libuv support. The reason is dependency management, not performance. Redis takes very very few dependencies - basically just a C compiler and POSIX. This makes it easier to deploy Redis, and Redis doesn't have to worry about failures in its non-existent dependencies.
SpikeGronim | 12 years ago | on: 5 Coding Hacks to Reduce GC Overhead
Absolutely. Step 0 of this article should have been "profile your GC and establish that it is a problem."
SpikeGronim | 12 years ago | on: The NSA slide you haven’t seen
I've read all of those books. They cover the NSA chronologically, so there isn't much overlap. I would recommend all of them. (edited: typo)
SpikeGronim | 12 years ago | on: AWS: We’ll go to court to fight government requests for data
AFAIK there is no current, practical "encrypted VM" that can protect itself from the hypervisor. Homomorphic encryption can theoretically do that, but is very slow and unproven right now.
SpikeGronim | 12 years ago | on: YouTube And a Distributed Denial-of-Service Attack
TCP cannot tell what the application wants. If the client application never closes the connection then TCP will keep that connection alive indefinitely (assuming you configured it with keep alives). Each connection consumes some resources on the server (primarily send and receive buffers in memory). So if your application never tells TCP to close the connection then it hogs server resources. There are many malicious DoS tactics that go for the same effect.