Hacker News: sarciszewski

Show HN: CMS Airship – Secure Content Management for the Modern Web

sarciszewski — Fri, 01 Jul 2016 05:12:40 +0000

Article URL: https://github.com/paragonie/airship

Comments URL: https://news.ycombinator.com/item?id=12014011

Points: 3

# Comments: 0

Show HN: CMS Airship – Secure Content Management for the Modern Web

sarciszewski — Tue, 21 Jun 2016 14:59:16 +0000

Article URL: https://github.com/paragonie/airship

Comments URL: https://news.ycombinator.com/item?id=11946083

Points: 1

# Comments: 0

Show HN: 13 Open Source Projects for June 13

sarciszewski — Mon, 13 Jun 2016 22:53:06 +0000

Article URL: https://paragonie.com/projects

Comments URL: https://news.ycombinator.com/item?id=11898411

Points: 4

# Comments: 0

Ask HN: How does your company handle application security?

sarciszewski — Mon, 23 May 2016 14:44:37 +0000

How does your company ensure the code you produce (or consume) is secure?

Do you have in-house security controls? Third-party penetration tests? Independent code audits? Bug bounty programs?

Do you forsake security entirely in favor of getting it shipped?

Comments URL: https://news.ycombinator.com/item?id=11754147

Points: 2

# Comments: 0

Solve All Your Cryptography Problems in 3 Easy Steps

sarciszewski — Thu, 12 May 2016 13:23:38 +0000

Article URL: https://paragonie.com/blog/2016/05/solve-all-your-cryptography-problems-in-three-easy-steps-with-halite

Comments URL: https://news.ycombinator.com/item?id=11683175

Points: 1

# Comments: 0

A Primer on the Cryptography Powering Our Upcoming Open Source CMS

sarciszewski — Mon, 09 May 2016 14:20:15 +0000

Article URL: https://paragonie.com/blog/2016/05/keyggdrasil-continuum-cryptography-powering-cms-airship

Comments URL: https://news.ycombinator.com/item?id=11660015

Points: 3

# Comments: 0

New comment by sarciszewski in "On asking job candidates to code"

sarciszewski — Tue, 15 Mar 2016 15:51:20 +0000

(Switching back to my old account because rate limits.)

I wouldn't ever use something like FizzBuzz to assess a candidate. It would be more of "here's a mostly finished sample application with a corresponding SQL file, add this feature (e.g. a search bar for a blog) and fix any (intentionally introduced) security bugs you find".

They would be evaluated based on how successfully they complete the main task, and if they have an eye for finding/patching vulnerabilities, that's a bonus that can be used as a secondary selector if a lot of candidates pass. If no one does, it won't be used against them.

That's how I'd approach it, personally. Something specific to the kind of work we're doing, but abstract enough to be approachable without a lot of insider knowledge.

New comment by sarciszewski in "On asking job candidates to code"

sarciszewski — Tue, 15 Mar 2016 14:58:30 +0000

> All true but my observation is that the companies that put candidates through multi-day-out-of-town interview processes can afford to miss out on the candidates that can't do it.

All companies can afford to waste less money than they need too.

On the Design and Implementation of a Stealth Backdoor for Web Applications

sarciszewski — Sun, 06 Mar 2016 21:58:14 +0000

Article URL: https://paragonie.com/blog/2016/01/on-design-and-implementation-stealth-backdoor-for-web-applications

Comments URL: https://news.ycombinator.com/item?id=11235744

Points: 2

# Comments: 0

New comment by sarciszewski in "Million Dollar Curve"

sarciszewski — Wed, 24 Feb 2016 13:56:23 +0000

> RSA security depends mostly on how you build your private keys and ECC security depends on what parameters and what curve was chosen.

No. RSA security depends on getting your parameters right and padding.

http://www.cryptofails.com/post/70059600123/saltstack-rsa-e-...

http://framework.zend.com/security/advisory/ZF2015-10

> Russians cryptoexperts doesn't fully trust DJB they found that at the last iteration of picking parameters by DJB for Curve25519 was a bit questionable.

Tell them to publish their findings and propose a better solution.

> Changes was done for "better performance" but no one found what exactly was speeded up.

What "changes" exactly? The word "changes" implies there was an early draft with vastly different parameters.

> I don't know details, but when curve parameters was tried to be being compromised by NSA was almost always was about adding such "performance optimizations".

If you don't know the details, try doing some research. Knowledge is healthy.

New comment by sarciszewski in "Million Dollar Curve"

sarciszewski — Wed, 24 Feb 2016 02:21:04 +0000

I really appreciate the level-headed discussion in this thread so far, especially the comment I'm replying to.

It's a stark contrast to the CFRG mailing list. (At least, so far, no one has tried to derail discussion here with "hey check out my custom cipher it's soooo secure but you need to compress the data before encrypting it or else you can observe a repeated structure out of it".)

I like 25519's school of thought. If you use the smallest possible value for a given performance/security goal, there's less room for conspiracy theory (provided the person making the theory understands what's even going on).

New comment by sarciszewski in "In Colorado, a look at life after marijuana legalization"

sarciszewski — Tue, 23 Feb 2016 15:46:02 +0000

http://pastebin.com/AYW682BJ

https://archive.is/exvT2

New comment by sarciszewski in "Silicon Valley tech worker fired after blogging about starving"

sarciszewski — Mon, 22 Feb 2016 15:43:20 +0000

Person: "I'm starving and barely able to get by working for Yelp in SF."

Yelp: "You're fired." (Good luck paying rent without a job.)

Yelp CEO: "The cost of living is too high here, so we're going to instead move offices to Arizona and pay the same wage."

Does this mean that Yelp is going to...

    a. Help all of its employees move to AZ where they can enjoy
       a lower cost of living?
    b. Fire all of its employees and hire replacements in AZ?
    c. Something else?

Because if they're going with option B, wow.

The cost of living in SF is one of the reasons I refuse to ever move there for work, but it seems like a scapegoat in this case. Why not just pay your employees a livable wage to begin with?

New comment by sarciszewski in "How to Safely Store Your Users' Passwords in 2016"

sarciszewski — Sun, 21 Feb 2016 06:02:46 +0000

How would transforming it before sending it over the wire help here?

New comment by sarciszewski in "How to Safely Store Your Users' Passwords in 2016"

sarciszewski — Sun, 21 Feb 2016 05:56:49 +0000

No, it's one-way cryptography, but it's not a form of encryption.

https://paragonie.com/blog/2015/08/you-wouldnt-base64-a-pass...

New comment by sarciszewski in "Dear Cryptocat Users"

sarciszewski — Fri, 19 Feb 2016 22:59:37 +0000

Cryptocat was not secure. No argument there! Decryptocat was the proof in the pudding.

If a secure product could be as user-friendly as Cryptocat was while still being secure, then most peoples' communications would be more secure.

That's all I was saying. I'm not trying at all to hand-wave the proven insecurity. I'm saying that the only thing they got right was the one thing that secure products have consistently gotten wrong. (Barring Signal.)

New comment by sarciszewski in "Dear Cryptocat Users"

sarciszewski — Fri, 19 Feb 2016 21:08:09 +0000

See: "but the execution was flawed."

> Security at the expense of usability comes at the expense of security.

It got the usability part down, it just wasn't secure. And I wasn't claiming it was.

New comment by sarciszewski in "Dear Cryptocat Users"

sarciszewski — Fri, 19 Feb 2016 19:29:32 +0000

Cryptocat was a good concept (i.e. it was USABLE!), but the execution was flawed. It grew a lot of criticism and Nadim made mistakes in handling some of his critics, creating a schism between him and the cryptographers who might have been able to help him. (Not all of this was his fault, of course.)

I hope that not only will this new product of his be developed with "A pure vision of democratized, pleasant secure messaging", but also that he has matured significantly. I hope that Cryptocat v3 will come out after it has been thoroughly audited by several reputable third parties.

Most importantly, I hope their crypto is boring.

https://security.stackexchange.com/questions/6095/xkcd-936-s...

http://cr.yp.to/talks/2015.10.05/slides-djb-20151005-a4.pdf

New comment by sarciszewski in "Secret Memo Details U.S.’s Broader Strategy to Crack Phones"

sarciszewski — Fri, 19 Feb 2016 15:07:18 +0000

Warning: Autoplay video.

New comment by sarciszewski in "How to Safely Store Your Users' Passwords in 2016"

sarciszewski — Fri, 19 Feb 2016 05:28:32 +0000

"shoulder surf protection"?