flak

worst common denominator programming

The common way to approach software portability is to establish a baseline and then program to that least common denominator. The portability layers in OpenSSL, however, go way beyond least. This is a fully realized experiment in worst common denominator programming. Some examples.

Posted 22 Apr 2014 07:34 by tedu Updated: 09 Jun 2014 01:16
Tagged: c programming

xenoanthropology

The last two issues of The New Yorker had a great series of articles on aspects of human culture. Stepping back and looking at ourselves as aliens, it can be hard to comprehend all the “others”.

Posted 20 Apr 2014 19:05 by tedu Updated: 20 Apr 2014 19:05
Tagged: magreview

analysis of d2i_X509 reuse

A little while ago, Tavis Ormandy twitterated about an OpenSSL bug he reported. This didn’t sound good, so I took a look.

Posted 18 Apr 2014 15:06 by tedu Updated: 22 May 2014 15:15
Tagged: c programming security

snowden and putin have a chat

“Snowden had a fallback question: “Can it be conclusively proven that you’re not the greatest leader in human history?”” - steven_metz

“Told Snowden Russia does NOT collect data of millions of citizens. Instead we collect the actual citizens. In camps. Long as they can work.” - ViktorInEnglish

“I think the keyword there is “uncontrolled”. It’s totally controlled. They target everyone individually. It’s not “mass”” - thegrugq

Posted 17 Apr 2014 18:48 by tedu Updated: 03 Oct 2014 18:30
Tagged: politics quote

ten year reunions

The only thing better than remembering the past is reliving it.

Posted 17 Apr 2014 04:59 by tedu Updated: 20 Apr 2014 02:46
Tagged: games moviereview music philly

please do not poke the bears

“Instead, he seems to have seized an opportunity to poke a giant bear with a stick. The bear then ate him and his users.” - tptacek

Posted 17 Apr 2014 04:59 by tedu Updated: 03 Oct 2014 18:29
Tagged: politics quote

analysis of openssl freelist reuse

About two days ago, I was poking around with OpenSSL to find a way to mitigate Heartbleed. I soon discovered that in its default config, OpenSSL ships with exploit mitigation countermeasures, and when I disabled the countermeasures, OpenSSL stopped working entirely. That sounds pretty bad, but at the time I was too frustrated to go on. Last night I returned to the scene of the crime.

Posted 10 Apr 2014 13:04 by tedu Updated: 17 Apr 2014 01:09
Tagged: c programming security

heartbleed vs malloc.conf

About two years ago, OpenSSL introduced a new feature that you’ve never used or even heard about until yesterday, after somebody discovered a bug that could be used to read process memory.

Posted 08 Apr 2014 18:36 by tedu Updated: 10 Apr 2014 13:52
Tagged: c openbsd security

reop - reasonable expectation of privacy

One of the obvious ideas I (and several others) had as soon as signify was released was to extend it to do more. After all, no program is complete until it can read email. Or at least munge up your email real bad.

Posted 01 Apr 2014 12:32 by tedu Updated: 17 Aug 2018 16:31
Tagged: c project security software

secure email hashing

Received an email this morning about a package containing a large amount of cash being held by DHL (yippee!). As befits important email of a security sensitive nature, they tried to sign the message, or at least I think that’s what they were trying to do.

To: tedu@cvs.openbsd.org, hmac-ripemd160-etm@openssh.com

While it’s comforting to see that they chose the more secure encrypt-then-mac construction, RIPEMD-160 is hardly cutting edge. As such, I’m not sure I can trust this message.

Posted 23 Mar 2014 21:21 by tedu Updated: 23 Mar 2014 21:21
Tagged: mailfail