Hacker News: nmadden

New comment by nmadden in "A Post-Quantum Future for Let's Encrypt"

nmadden — Wed, 03 Jun 2026 19:14:51 +0000

> The pads are split into three pieces that are XORed to create the actual pad to reduce risk of compromise.

Thus creating a two-time pad, which is completely insecure…

New comment by nmadden in "ML promises to be profoundly weird"

nmadden — Thu, 09 Apr 2026 07:50:59 +0000

Re: cheap - Anthropic’s write-up said it cost $20,000 of runs to find that bug (and a few others). So not that cheap compared to other tools - more similar in cost to human review/pentest, but probably more exhaustive.

> This was the most critical vulnerability we discovered in OpenBSD with Mythos Preview after a thousand runs through our scaffold. Across a thousand runs through our scaffold, the total cost was under $20,000 and found several dozen more findings.

They don’t talk about the other findings, so I’m guessing they are minor.

New comment by nmadden in "Cloudflare outage on November 18, 2025 post mortem"

nmadden — Wed, 19 Nov 2025 15:51:03 +0000

> Crashing is not an outage.

Are you in the right thread?

New comment by nmadden in "Report: Tim Cook could step down as Apple CEO 'as soon as next year'"

nmadden — Sun, 16 Nov 2025 10:54:02 +0000

MBP = Macbook Pro AW = Apple Watch? What is APP?

New comment by nmadden in "A Brutal Look at Balanced Parentheses, Computing Machines, and Pushdown Automata"

nmadden — Fri, 14 Nov 2025 12:12:13 +0000

Not sure why you're being downvoted for recommending a classic textbook!

New comment by nmadden in "A Brutal Look at Balanced Parentheses, Computing Machines, and Pushdown Automata"

nmadden — Fri, 14 Nov 2025 07:52:08 +0000

> Because in practice, everything is finite.

Indeed! https://neilmadden.blog/2019/02/24/why-you-really-can-parse-...

Cryptography 101 with Alfred Menezes

nmadden — Mon, 03 Nov 2025 14:12:06 +0000

Article URL: https://cryptography101.ca

Comments URL: https://news.ycombinator.com/item?id=45799109

Points: 120

# Comments: 19

New comment by nmadden in "Claude Code can debug low-level cryptography"

nmadden — Sun, 02 Nov 2025 07:45:17 +0000

100% reproducible deterministic bugs are absolutely the easiest class of bugs.

New comment by nmadden in "D2: Diagram Scripting Language"

nmadden — Sun, 26 Oct 2025 20:53:59 +0000

The proprietary/commercial TALA engine is really excellent too. I’ve been using it to do complex dataflow diagrams, and the results are so incredibly well laid out.

New comment by nmadden in "A modern approach to preventing CSRF in Go"

nmadden — Wed, 15 Oct 2025 18:33:37 +0000

I guess. But it would only impact you if you’re using cookies with curl (I assume the middleware is only applied to requests with cookies?) — and it seems pretty easy to add a -H ‘sec-fetch-site: none’ in that case.

New comment by nmadden in "A modern approach to preventing CSRF in Go"

nmadden — Wed, 15 Oct 2025 10:08:08 +0000

The article has a whole section about requiring those headers by forcing the use of TLS 1.3 — the theory being that browsers modern enough to support 1.3 are also modern enough to support the headers. But why not just enforce the headers?

New comment by nmadden in "A modern approach to preventing CSRF in Go"

nmadden — Wed, 15 Oct 2025 06:41:00 +0000

Enforcing TLS 1.3 seems like a roundabout way to enforce this. Why not simply block requests that don’t have an Origin/Sec-Fetch-Site header?

New comment by nmadden in "Rating 26 years of Java changes"

nmadden — Sun, 12 Oct 2025 15:51:32 +0000

Yes, of course it’s (largely) subjective. But I have actually read much of the source code of Spring. I know it _very_ well.

New comment by nmadden in "Rating 26 years of Java changes"

nmadden — Sun, 12 Oct 2025 15:48:06 +0000

Java is sprawling now. It wasn’t 26 years ago.

New comment by nmadden in "Rating 26 years of Java changes"

nmadden — Sun, 12 Oct 2025 08:01:23 +0000

Yes, in theory they are good. In practice they cause enormous amounts of pain and work for library maintainers with little benefit to them (often only downsides). So, many libraries don’t support them and they are very hard to adopt incrementally. I tried to convert a library I maintain to be a module and it was weeks of work which I then gave up and reverted. As one library author said to me “JPMS is for the JDK itself, ignore it in user code”.

Given how much of a coach and horses modules drove through backwards compatibility it also kind of gives the lie to the idea that that explains why so many other language features are so poorly designed.

New comment by nmadden in "Rating 26 years of Java changes"

nmadden — Sun, 12 Oct 2025 07:49:34 +0000

Do you really think that in 26 years of professional Java programming I’d have never touched Spring? I’ve been using Spring since it was first released. I’ve found CVEs in Spring (https://spring.io/security/cve-2020-5408). Trust me when I say that my dislike for Spring (and annotations) is not based on ignorance.

New comment by nmadden in "Anthropic tightens usage limits for Claude Code without telling users"

nmadden — Fri, 18 Jul 2025 06:11:07 +0000

> The first day I used it, Claude got stuck in a loop trying to fix a problem using the same 2 incorrect solutions again and again and burnt through $30 of API credits before I realized things were very wrong and I stopped it.

The worse it performs, the more you pay. That’s a hell of a business model. Will users tolerate that for long?

New comment by nmadden in "Generative AI's failure to induce robust models of the world"

nmadden — Sun, 29 Jun 2025 06:07:52 +0000

The improvements in programming are largely due to the adoption of “agentic” architectures. This is really a hybrid neural-symbolic approach: the symbolic part being the interpreter/compiler. Effectively the LLM still produces an almost-correct-but-wrong program and then the compiler “fact-checks” it and then the LLM basically local-searches its way from there to something that passes the compiler. (If you want to be disabused of the idea that LLMs on their own are good at programming, just review the “reasoning” log of one trying to fix a simple string | undefined error in Typescript).

It seems clear to me therefore that further improvements in programming ability will not come from better LLM models (which have not really improved much), but from better integration of more advanced compilers. That is, the more types of errors that can be caught by the compiler, the better chance of the AI fuzzing its way to a good overall solution. Interestingly, I hear anecdotally that current LLMs are not great at writing Rust, which does have an advanced type system able to capture more types of errors. That’s where I’d focus if I was working on this. But we should be clear that the improvements are already largely coming via symbolic means, not better LLMs.

I wrote some notes about a year ago about the irony of LLMs being considered a refutation of GOFAI when they are actually now firmly recapitulating that paradigm: https://neilmadden.blog/2024/06/30/machine-learning-and-the-...

New comment by nmadden in "A look at Cloudflare's AI-coded OAuth library"

nmadden — Sun, 08 Jun 2025 12:26:55 +0000

This was before LLMs. It was a combination of unit and end-to-end tests and tests written to comprehensively test every combination of parameters (eg test this security property holds for every single JWT algorithm we support etc). Also bear in mind that the product did a lot more than just OAuth.

New comment by nmadden in "Ending TLS Client Authentication Certificate Support in 2026"

nmadden — Sun, 18 May 2025 06:18:50 +0000

Adding some OAuth helps a bit: https://neilmadden.blog/2022/01/20/why-the-oauth-mtls-spec-i...

(I quite like the combo of app-level OAuth plus mTLS service mesh for backend comms).