gtank's comments

gtank | 6 years ago | on: Show HN: Rget verify GitHub releases against a public recorded cryptographic log

This is a user-facing implementation of https://wiki.mozilla.org/Security/Binary_Transparency, built on top of Let's Encrypt (https://letsencrypt.org/) and existing Certificate Transparency infrastructure.

You may already know that packages are signed, and that signing prevents someone from shipping you a random evil package instead of the one that the developer intended to release.

Transparency is a new concept that fills in a missing piece of that story: how can you be sure that you got the same artifact as everyone else? It works by adding a hash of every release to an append-only public log. Now, when you're deciding if you want to install that package, you check not just the signature but also if the hash of the thing you've received is in the public log.

Because of the logging, someone can't just ship you a custom evil version even if they steal the signing keys! At minimum they'll have to submit their version to the log as well, which makes that previously undetectable attack publicly visible forever. In the world of TLS certificates, log monitors catch all kinds of mistakes and malice. I'm excited to see the idea finally making progress in other domains.

gtank | 11 years ago | on: You Have to Hack This Massively Multiplayer Game to Beat It

I have a very similar set of good memories. I put more time into deobfuscation, updating, detection evasion, and (eventually) server emulation than bots per se.

My contact info is in my profile, it would be cool to see if we ran into each other back then.

gtank | 11 years ago | on: You Have to Hack This Massively Multiplayer Game to Beat It

I highly endorse this sort of thing! Reverse engineering online games is how I really got started with computers. It's a great teaching tool because the reward loop is short and immediately relevant - you get superpowers, in the game you already play with your friends, in almost direct proportion to how much you've learned.

Depending on the game you'll learn about binary reversing, executable formats, networking, rendering, x86 assembly, C, JVM bytecode, or more advanced topics. We dove right into hard things because it was fun and there was no one to tell us they were too hard for kids. The end result among my group of friends seems to be several careers in tech with a decided systems and security skew.

edit: I remember Runescape in particular. They applied such an escalating series of obfuscations to the client code and network protocol that we deployed things I now recognize as AST analysis and machine learning to work past them. These days, I really wonder what the view from the Jagex security team was like. Did they have fun constantly coming up with new challenges for bored teenagers?

gtank | 11 years ago | on: Mlpack: A C++ machine learning library

Development of mlpack has been going on for at least 7 years and my impression is that it's pretty mature. It was originally affiliated with a lab at Georgia Tech, where its current maintainer (a friend of mine) is a PhD student. The dual-tree methods are based on his research.

gtank | 12 years ago | on: Ask HN: What's the best place in the U.S. to live and work cheaply?

Speaking for northern NM: I was in Albuquerque recently and can't say enough of the hiking nearby. The city actually backs into the Sandia Mountains, which are full of good trails.

If you're into the history, brief drives north or east put you into easily-reachable ghost town territory.

gtank | 12 years ago | on: Ask HN: What's the best place in the U.S. to live and work cheaply?

I've spent tons of time in Greenville. The wholly-walkable downtown hosts lots of restaurants (recommended: The Lazy Goat), coffee shops, the Greenville Symphony Orchestra, and an extensive park along the river. Local breweries, nearby colleges - everything you'd expect from a small city renaissance, but Greenville's started 10 years early and is pretty well along now.

gtank | 12 years ago | on: Ask HN: What's the best place in the U.S. to live and work cheaply?

As a former longtime resident of the south, including a few years in Tuscaloosa (we seem to have overlapped - 2008-2010), I'd advise against judging the region by the standard of Tuscaloosa. I know it's a huge college town and that seems like it should be a positive influence, but it's not. The University of Alabama is a lingering bastion of negative southern stereotype.

I suggest Atlanta as a counterexample - a real city, full of educated and inclusive people, art, culture, a nascent modern tech scene, and several good schools which notably lack racism as a cultural touchstone.

gtank | 12 years ago | on: The Internet Alphabet

It's the default port for running a local rack app (sort of a ruby-web-stuff middleware). For specific values of "developer" :)

gtank | 12 years ago | on: The Internet Alphabet

This turned out to be an interesting little game. I bet you can always tell a developer. Here's mine:

a: audobox.com

b: buzzfeed.com/emofly/eggs-in-exciting-holes (bookmarked for ideas)

c: calendar.google.com

d: dashboard.heroku.com

e: en.wikipedia.org/wiki/List_of_Breaking_Bad_episodes (i _really_ can't ever remember where i am)

f: facebook.com

g: github.com/gtank

h: heroku.com

i: imgur.com

j: javagenesiscoffeeroasting.com/shop/ (delicious coffee near atlanta)

k: keithv.com (language models i used frequently)

l: localhost:9292 (yep, developer)

m: mail.google.com

n: news.ycombinator.com

o: ossl-test.herokuapp.com (buildpack test for ruby + new openssl)

p: plus.google.com

q: questionablecontent.net

r: reddit.com

s: smittenkitchen.com (i was really expecting stackoverflow here)

t: twitter.com

u: unsplash.com

v: vervecoffeeroasters.com

w: wikipedia.org

x: xda-developers.com

y: yelpingwithcormac.tumblr.com

z: zenpayroll.com

gtank | 12 years ago | on: Show HN: Mobile feedback your users will love

Good suggestion - that may be worth adding.

Anecdotally, though, we've been using this ourselves for a while without seeing that. People seem to get that they should speak clearly.
