WingNews logo WingNews GitHub [2]

zhuzhuor's comments

zhuzhuor | 9 years ago | on: Vancouver house prices are falling

Perhaps, as some other persons commented on the thread, the housing price at Vancouver was pushed high by oversea money? The other cities were not like this?

zhuzhuor | 9 years ago | on: China, Not Silicon Valley, Is Cutting Edge in Mobile Tech

It basically means the lacking of credit systems and mature fraud detections. If you lose your (credit) card or leak your credit card number, the bank won't probably reimburse your financial losses. Compared to credit cards, mobile payments may be more secure.

zhuzhuor | 12 years ago | on: Lawsuit: Waze owes 'open-source' programmers $150 million

Maybe more background to add to the story:

Originally, the source code of Waze clients was released under GPL, which AFAIR it was as branded as a part of the community-based map app.

But the company chose to not release the source code after v3.0. This is quoted from one of my emails.

    In reply to your inquiry "Hi, where can we get the latest waze code?":
    
    Thank you for your feedback.
    
    You can find source code for the old versions (up to 2.4) on our wiki - waze.com/wiki
    
    Version 3.0 and higher are no longer under GPL, and at the moment we are still considering if and how we will share the code for these versions.
    
    Best regards,
I guess Waze either 1) has obtained the agreements of all open-source contributors, or 2) has completely rewritten all related source code.

zhuzhuor | 12 years ago | on: Introducing Open Salaries at Buffer

I found one thing interesting is that only 4 out of 17 people choose equity over $10k salary. Even CTO chooses salary.

I am curious if this is common in startup companies, since I have never worked in startups.

zhuzhuor | 12 years ago | on: A Roster of TLS Cipher Suites Weaknesses

Do you know why is TLS doing that?

But even without the 4 bytes, 64-bit nonce seems enough for me, as long as it's not chosen at random.

For comparison, if the nonce is chosen randomly, the security level is only 2^32 (supposing the 4 bytes based on the key materials remain unchanged).

zhuzhuor | 12 years ago | on: A Roster of TLS Cipher Suites Weaknesses

The second nit with AES-GCM is that, as integrated in TLS, implementations are free to use a random nonce value. However, the size of this nonce (8 bytes) is too small to safely support using this mode. Implementations that do so are at risk of a catastrophic nonce reuse after sending on the order of a terabyte of data on a single connection. This issue can be resolved by using a counter for the nonce but using random nonces is the most common practice at this time.

I don't know how do you integrate AES-GCM with TLS, but I have to say

1. The secure AES-GCM supports 96-bit nonces. It's 12 bytes, not 8 bytes mentioned in the article.

2. Nonce is nonce. It shouldn't be chosen at random (as random IVs). As long as nonces are not reused, GCM should be secure.

3. I don't believe implementing a secure random number generator is more efficient than maintaining an incremental counter.

Edited for typos

zhuzhuor | 12 years ago | on: Usersnap – Visual Bug Tracking

What concerns me more than the pricing is their monthly limits. $99/m can only allow 300 feedback forms collected in each month. That is only 10 per day

zhuzhuor | 12 years ago | on: Adi Shamir Prevented from Attending Crypto and Cryptology Conferences

AFAIK, USA has been a second choice for crypto-related conferences for many years. If you ever attended one such conference, you will notice there will always some speakers/presenters couldn't attend due to visa issues. I guess many US people aren't even aware of this, but visa problem has been a huge pain for non US citizens. You can ask about this if you have any friends who are international students or H1B workers.
page 1
more