nipunn1313's comments

Hey @haberman! One of the authors here. We actually do have an arena-esque implementation built on top of pb-jelly internally, as it was needed for Magic Pocket.

It's built on top of the Blob traits exposed by pb-jelly. It's not yet open-source, but it would be a good candidate to do next! It also definitely has unsafe code to your point. We open sourced the safe implementations that uses more standard types (Bytes/Buffer/Vec) first.

There's a decent amount of cleanup needed before we can opensource that as well, as much of it was built years ago, when rust ecosystem was less mature (eg Bytes/Buffer weren't around yet).

I like where you're thinking!

Hi! One of the authors here. This was an oversight in the documentation. The codegen is py2 and py3 compatible. Fixed!

See issues https://github.com/dropbox/pb-jelly/issues/37 and https://github.com/dropbox/pb-jelly/issues/40 for context.

The oauth tokens are stored on the client.

In order to exploit the suggested privilege escalation, you would need to exploit the client to feed you the oauth code. If you are exploiting the 1password client, you can do ANYTHING (including grabbing passwords after you unencrypt, reading filesystem, popping up a PWNED dialog). I don't think this effort should be urgent for 1password.

This recommendation doesn't make me feel meaningfully safer

(unless 1password has some clever process jailing inside their code to isolate the decryption component from the cloud component)

This is not an all or nothing issue. For example, if you store sensitive videos, but rely on Dropbox's ability to transcode and preview the video in a web browser, then something like Cryptomater would not make sense. Encrypting on wire/at rest is the best you can do unless you run the transcoding yourself.

Dropbox could support both modes, but the company has obviously made a decision to prioritize one over the other (at least for now).

This is anecdotal for sure, but I've noticed in travels that poorer countries tend to value repairs and older appliances more. Presumably, this is because labor is cheaper. Perhaps a more streamlined way to sell (or even donate) old stuff to poorer countries could combat the wastefulness in a productive way.

head -3 data* | cat has the same result as head -3 data*

Pipe sends stdout to stdin of the next process. cat sends stdin back to stdout. Piping to cat is rarely eventful (unless you use a flag like cat -n).

In multiple places on github, as a vim user, I occasionally instinctively hit escape. Github sometimes closes a comment box and I lose all the stuff I had been typing. It's an unfortunate UI issue for me (and probably others).

I know people who work at SpaceX. They recruit pretty heavily from CMU (where I am now). From what I have heard, this is why they get things done so quickly: 1) Elon Musk knows about every detail of the rocket's design. 2) They make almost all the parts in house (literally in the same factory). 3) The work ethic/culture at SpaceX is very high. If something needs to get done, Elon will make sure it gets done fast. They somehow maintain a high rate of progress despite how huge the undertaking is.