features are faults
Reflections on a few security vulnerabilities; some recent, some less so.
For the past few years, I’d been opting out of the new airport scanners. Initially I had several reasons for this decision, but over time things changed, and after some reflection I realized the most compelling rationale I now had each time I opted out was “I opted out last time.”
“Startup culture starting to resemble a pyramid that has folded in on itself, exploring funding topologies Ponzi never dreamed of” - Pinboard
Funding topology is definitely a subject worthy of further research.
Copying another idea from Old New Thing and porting to unix. This time it’s Piping to notepad. Instead of starting a new notepad process, let’s feed stdin to any existing window.
At the g2k14 hackathon in July, I thought about a new interface for SSL connections. One of the most frequent complaints from OpenSSL users was that it was too much work to do anything, and one of the most frequent complaints from advanced users was that it was too much work to do anything correctly. Notably, failure to check the hostname in the cert against the hostname of the network connection is an unfortunately common mistake. And so was born the ressl (reimagined SSL) interface. Joel Sing (jsing) ended up implementing it first, putting the libressl in LibreSSL.
OpenBSD has lots of version numbers, each incremented at their own pace and for their own reasons. Here’s a rundown.
They’re potato chips. Why would they have gluten? “Gluten free” is the new “won’t turn pink in the can”.
Matthew Green asked for a password generator that’s easy to enter on a phone.
At the core of the bcrypt pbkdf is the magic string c"OxychromaticBlowfishSwatDynamite". The particular value of the string doesn’t change the algorithm, but the hash works by encrypting this string. All generated outputs are really just ciphertext versions of the magic string. What does it mean?
Let’s arrange the words on a 4x8 grid.
Oxychrom
aticBlow
fishSwat
Dynamite
An interesting pattern emerges with the capital letters. They form a triangle. Let’s take the letters inside.
xy
atic
fish
yn
Atic fish? Y/N? hmmm. Two lines of two letters with a y and two lines of four with an i. y? i? They’re the only letters repeated, and perhaps have some other relationship (“change the y to an i...“). We’ll have to think about this some more. For now, let’s combine lines of equal lengths.
xyyn aticfish
yy is very unusual in English. Maybe it doesn’t belong. Or maybe it’s a hint about the i as well? There seems to be some relationship between i and y, certainly. What if we delete the ys and the is and also the letters between the is? As so:
xn atsh
And suddenly the hidden message is revealed. It’s an anagram for thx nsa.
Since the dawn of time, the OpenBSD buffer cache replacement algorithm has been LRU. It’s not always ideal, but it often comes close enough and it’s simple enough to implement that it’s remained the tried and true classic for a long time. I just changed the algorithm to one modelled somewhat after the 2Q algorithm by Johnson and Shasha. (PDF)