marksamman's comments

marksamman | 8 years ago | on: Ask HN: What are the end to end encrypted desktop messengers?

Wire (https://wire.com/) is end-to-end encrypted, based on Signal protocol. It's open-source and cross-platform with mobile apps. I've been using it instead of Skype for two years and I don't regret that decision.

marksamman | 9 years ago | on: Why I bought a 2015 Macbook Pro

I did the same and I'm also sticking with El Capitan. I have no use of Siri, Sierra broke Karabiner (Karabiner Elements mappings are not sufficient for my keyboard), and mouse scroll was also behaving weird on Sierra. f.lux is showing artifacts with fullscreen video. It feels like this will be my last Mac, which sucks because I bought my first Mac three years ago and completely stopped using Windows last year. It might be time to embrace Linux for desktop when it's time to replace the 2015 MacBook Pro.

marksamman | 9 years ago | on: How Skype fixes security vulnerabilities

I wouldn't say that they've avoided marketing, they're active on Twitter. I made the switch over a single day by sending a message to all my contacts informing them about it and then proceeded to delete all contacts from my list. The people I speak to regularly were quick to switch, others have switched over the months. I still have to use Skype from time to time for conference calls with certain people, but I avoid it as much as I can and don't consider any conversation I have on Skype as private.

Wire has also open-sourced their clients and a lot of components, so even if they were to vanish as a company, all work is not lost.

marksamman | 9 years ago | on: How Skype fixes security vulnerabilities

I just had a look at Jitsi and it seems like the Android app is in alpha stage, and that there won't be any iOS app (https://jitsi.org/Documentation/FAQ#ios). Smartphone apps are important to convince my contacts to make the switch, and to be able to communicate with them over the same channel when they're away from the computer.

marksamman | 9 years ago | on: How Skype fixes security vulnerabilities

I've been looking for a Skype alternative since the security of Skype was weakened after it was acquired by Microsoft. I've had my account stolen multiple times because their support has changed the primary e-mail address of my account, I had to use the same method the social engineers used to get my account back. Since then I've avoided sharing anything slightly sensitive over Skype, as chat history is synced with anyone who accesses your account.

Finding a replacement isn't easy, but I've used Wire (wire.com) for a year now and find it good enough feature-wise, and excellent security-wise. It has its quirks and can be a resource hog at times (the desktop app uses Electron IIRC), but it's worth switching from the security disaster that is Skype.

marksamman | 9 years ago | on: How Skype fixes security vulnerabilities

I switched to Wire a year ago and haven't looked back. It meets all your requirements, and has end-to-end encryption (based on Signal Protocol) too.

marksamman | 9 years ago | on: Debian Security Advisory: nginx security update

nginx-common (1.6.2-5+deb8u3) jessie-security; urgency=high

  In order to secure nginx against privilege escalation attacks, we are
  changing the way log file owners & permissions are handled so that www-data
  is not allowed to symlink a logfile. /var/log/nginx is now owned by root:adm
  and its permissions are changed to 0755. The package checks for such symlinks
  on existing installations and informs the admin using debconf.

  That unfortunately may come at a cost in terms of privacy. /var/log/nginx is
  now world-readable, and nginx hardcodes permissions of non-existing logs to
  0644. On systems running logrotate log files are private after the first
  logrotate run, since the new log files are created with 0640 permissions.

 -- Christos Trochalakis <[email protected]>  Tue, 04 Oct 2016 15:20:33 +0300

marksamman | 9 years ago | on: Elm 1+2: can't download X

"This is true for the very first expression. That's because it is downloading packages and building everything. After that, it has all that information, so it's faster." - https://github.com/elm-lang/elm-repl/issues/128#issuecomment...

marksamman | 9 years ago | on: JetBrains IDE Remote Code Execution and Local File Disclosure

It can be bypassed with DNS rebinding.

marksamman | 9 years ago | on: Stealing Bitcoin with Math

Video: http://livestream.com/internetsociety/hopeconf/videos/130745...

marksamman | 9 years ago | on: Ask HN: Tabs or Spaces?

Tabs for indentation, spaces for alignment.

marksamman | 11 years ago | on: 5M Gmail passwords leaked to Russian Bitcoin forum

https://news.ycombinator.com/item?id=8295102

marksamman | 11 years ago | on: Alleged leak of more than 5M Gmail accounts

If you search for the character '+' in the list of e-mails you can get an idea where the mails leaked from. It seems to me like this is a collection of databases scraped from different sources as others have suggested.

For Gmail users, it's a good practice to register to websites using [email protected] (e.g. [email protected]), that way you'll know who leaked your data when it appears in lists like this or when you get spam. Gmail ignores the plus character and anything that follows the plus. You can also add dots at arbitrary positions in the username part.

marksamman | 11 years ago | on: Facebook's std::vector optimization

emplace_back was added in C++11 which does just that: http://en.cppreference.com/w/cpp/container/vector/emplace_ba...

marksamman | 11 years ago | on: Facebook's std::vector optimization

guarantee != possibility. There's no guarantee with realloc, but there's no possibility with new[], copy and delete[].

You can't grow the size you allocated with new[] in-place, and because you need to retain the existing data it's not safe to delete[] the old buffer, call new[] and hope that it points to the previous memory address and assume that the existing data remains intact.

A realloc implementation can try to grow the buffer if there's contiguous space, and if it succeeds it doesn't need to deallocate or copy anything. I haven't had a look at realloc implementations so I don't know if that, or other optimizations are done in practice, but I assume that realloc's worst performance case is somewhere around new[], copy and delete[]'s best case.

The copy mechanism in std::vector may also have a significant overhead over realloc if it has to call the copy constructor (or ideally move constructors in C++11) of every object in the vector, although I can imagine a C++ equivalent of realloc doing so too.

marksamman | 11 years ago | on: Facebook's std::vector optimization

You probably should, but the problem is still there because std::vector implementations don't use realloc. They call new[] with the new size, copy over the data and delete[] the old chunk. This eliminates the possibility to grow the vector in-place.

marksamman | 12 years ago | on: OpenSSH sshd – memory leak

It isn't clear whether that is on a specific port or every port. The documentation[1] makes it look like it's on a specific port since it requires a target port to run. If it's on a specific port, you might want to multiply 45 minutes with 65535, if not I'm impressed. Thanks for sharing, I had not heard about ZMap before.

[1] https://zmap.io/documentation.html

EDIT: The research paper says that it's on a particular port, from page 3: "The architecture allows sending and receiving components to run asynchronously and enables a single source machine to comprehensively scan every host in the public IPv4 address space for a particular open TCP port in under 45 mins using a 1 Gbps Ethernet link."

marksamman | 12 years ago | on: OpenSSH sshd – memory leak

It helps against a masscan on the standard port. If the attacker is specifically targeting you or has the resources to masscan every port, then I agree that it's useless.