Hacker News: smarx

New comment by smarx in "People Don't Understand OOP"

smarx — Thu, 01 Feb 2024 00:20:30 +0000

I think it's Kernighan, actually: https://www.laws-of-software.com/laws/kernighan/.

Post mortem on Linear incident from Jan 24th, 2024

smarx — Wed, 31 Jan 2024 08:05:21 +0000

Article URL: https://linear.app/blog/linear-incident-on-jan-24th-2024

Comments URL: https://news.ycombinator.com/item?id=39201287

Points: 3

# Comments: 0

Dynamic Programming Is Easy

smarx — Sun, 14 Jan 2024 21:39:17 +0000

Article URL: https://smarx.com/posts/2020/09/dynamic-programming-is-easy/

Comments URL: https://news.ycombinator.com/item?id=38994685

Points: 2

# Comments: 0

Hi, My Name Is Keyboard

smarx — Wed, 13 Dec 2023 16:32:23 +0000

Article URL: https://github.com/skysafe/reblog/tree/main/cve-2023-45866

Comments URL: https://news.ycombinator.com/item?id=38629770

Points: 3

# Comments: 0

New comment by smarx in "4th edition of Physically Based Rendering is now freely available online"

smarx — Thu, 02 Nov 2023 16:11:28 +0000

The ship has sailed on this term of art, but as a native English speaker, I agree with you that it's ungrammatical. I would use a hyphen, though: "physics-based." This answer agrees with you (and me): https://english.stackexchange.com/a/428679.

Here's one way to think about _why_ it sounds wrong. "Physically based" would mean that "physically" is the answer to the question "How is it based?" To a native English speaker, that question sounds odd. A more natural question is "What is it based on?" To answer that question, you need a noun: "It's based on physics." Hence the construct "physics-based," like "evidence-based medicine" or "merit-based scholarships."

ASCII protocol buffers as config files

smarx — Fri, 06 Oct 2023 03:23:59 +0000

Article URL: https://rachelbythebay.com/w/2023/10/05/config/

Comments URL: https://news.ycombinator.com/item?id=37786838

Points: 2

# Comments: 2

DALL-E 2 has a secret language

smarx — Tue, 31 May 2022 18:46:46 +0000

Article URL: https://twitter.com/giannis_daras/status/1531693093040230402

Comments URL: https://news.ycombinator.com/item?id=31573282

Points: 619

# Comments: 112

New comment by smarx in "Tell HN: Airbnb just stole me 5 minutes of my time adding dices"

smarx — Mon, 21 Feb 2022 12:41:42 +0000

I believe you failed the CAPTCHA. I assume the bottom right is the only correct answer.

New comment by smarx in "Messaging and chat control"

smarx — Mon, 09 Aug 2021 21:48:02 +0000

> Truly secure entity just wouldn't have private keys on a server at all.

They don't. They have your encrypted private key, but there's no need to keep that secret. (The decryption key is derived from your password, so the password needs to be strong and secret.)

> Such agency can force PM to modify login process to derive password from submitted form, or to just switch private keys for non-encrypred ones, because the user won't even notice it.

Yes, definitely. It's hard to trust self-updating software (like JavaScript in the browser), particularly if you're concerned about targeted attacks. But creating your own private keys and then entering them in the browser wouldn't help you at all against that sort of attack. You would instead need a different type of client that could be trusted somehow not to leak your private key.

It's not uncommon for services like this to offer a downloadable version of the web client so you can pin a version and audit the code as needed. I think maybe https://github.com/ProtonMail/WebClient is that for ProtonMail? If so, you should be able to verify that code and then use that. The fact that an encrypted copy of your private key will live on ProtonMail's servers shouldn't bother you.

New comment by smarx in "Messaging and chat control"

smarx — Mon, 09 Aug 2021 16:06:09 +0000

That experiment shows that whatever is stored on ProtonMail's servers plus your password is sufficient to decrypt your emails. This could be explained by the private key being derived from or encrypted with your password. ProtonMail's documentation says it's the latter (https://protonmail.com/support/knowledge-base/how-is-the-pri...):

> Your ProtonMail private key is generated in your browser. Before sending the private key to the server for storage, we encrypt it with your password (or mailbox password if you use two-password mode). This ensures that you and only you can use your private key.

So the only remaining question is whether ProtonMail has access to your password. If they do, they can decrypt your private key and then decrypt your emails. Often, passwords are sent in plaintext to a server for authentication. But ProtonMail uses the Secure Remote Password (SRP) protocol so they never see your password: https://en.wikipedia.org/wiki/Secure_Remote_Password_protoco.... (source: https://protonmail.com/blog/encrypted_email_authentication/)

Of course, there are other threats to worry about, such as ProtonMail changing their client-side JavaScript to exfiltrate your password. But the system as they've documented it does not appear to have any way to decrypt your email server-side short of guessing your password.

A Word on NFTs

smarx — Sun, 07 Mar 2021 18:14:18 +0000

Article URL: https://continuations.com/post/645017712412786688/a-word-on-nfts

Comments URL: https://news.ycombinator.com/item?id=26378142

Points: 1

# Comments: 0

We fired our top talent. Best decision we ever made

smarx — Thu, 10 Jan 2019 04:56:15 +0000

Article URL: https://medium.freecodecamp.org/we-fired-our-top-talent-best-decision-we-ever-made-4c0a99728fde

Comments URL: https://news.ycombinator.com/item?id=18871636

Points: 2

# Comments: 1

New comment by smarx in "Show HN: Etherbots.io – Collectible fighting robots on the blockchain"

smarx — Sat, 27 Jan 2018 20:36:20 +0000

It's worse than that. They could just throw away all the sales from this contract, since it's not connected to anything.

They also failed to verify source code for the contract: https://etherscan.io/address/0x3c7767011C443EfeF2187cf1F2a4c..., and the source code on GitHub is missing a file ("Ownable.sol"), making it difficult for anyone else to verify what source code is actually running.

I suppose the lack of verified source code doesn't matter, given my first point. People who are buying are placing a lot of trust in the "Fuel Bros Innovation Team."

New comment by smarx in "Cryptographic filesystem for the cloud"

smarx — Wed, 01 Nov 2017 10:35:06 +0000

As far as I can tell, the IV is randomly chosen, as you would expect: https://github.com/cryfs/cryfs/blob/master/src/cpp-utils/cry.... Did you see something different?

Assuming the 128-bit IV is indeed randomly chosen, after encrypting a trillion blocks, you would have roughly a 1.5E-15 (on the order of a quadrillionth) chance of hitting a collision.

Unless I'm mistaken, even if you hit that one-in-a-quadrillion lottery, the result is that the two blocks encrypted with the same IV are more crackable (because you can XOR them together), not that the key itself is easier to obtain, right? (My understanding is that AES is resistant to known-plaintext attacks.)

New comment by smarx in "React is the new Dojo"

smarx — Sat, 21 Oct 2017 16:37:58 +0000

I think this is what you're asking for:

New comment by smarx in "Zero-knowledge proofs, Zcash, and Ethereum"

smarx — Sun, 24 Sep 2017 02:53:31 +0000

You've given a clear, easy to understand example of something, and you've told people that this something is a zero-knowledge proof.

Anyone who doesn't know what a zero-knowledge proof is will give you positive feedback, because they had an easy time understanding the example you presented.

People who do know what a zero-knowledge proof is will correctly point out that the thing you described is not a zero-knowledge proof.

I think this explains the gap you're seeing between the feedback here and the feedback in "less technical forums." It's difficult to come up with real-world examples of zero-knowledge proofs, but there are two good examples on Wikipedia and one here (the "Where's Waldo?" example).

New comment by smarx in "Dropbox New Plans: Pay If You Want 2FA"

smarx — Wed, 01 Feb 2017 05:01:38 +0000

Just to close the loop here, we’ve updated the page to include a checkmark for 2FA in the Pro column too. Again, all account types can use 2FA (and we recommend that they do!), and teams can additionally require 2FA for all their members.

See the updated page here: https://www.dropbox.com/plans?trigger=nr.

New comment by smarx in "Dropbox New Plans: Pay If You Want 2FA"

smarx — Wed, 01 Feb 2017 00:59:18 +0000

I'm not 100% sure what that is about, but I'm pretty sure it relates to new functionality for migrating data from existing file servers.

The API at https://www.dropbox.com/developers works for all account types. (Note that there are endpoints specific to team accounts when the functionality only makes sense there, like methods to add or remove members from a team, etc.)

New comment by smarx in "Dropbox New Plans: Pay If You Want 2FA"

smarx — Wed, 01 Feb 2017 00:48:36 +0000

Engineering Manager at Dropbox here. Sorry for the confusion! This is an error on that page, presumably some miscommunication between groups at Dropbox. 2FA continues to be an available feature for all Dropbox users. The only difference between plans is that team plans allow administrators to require 2FA for all members of the team. That page will get updated soon to explain that feature properly.

See https://www.dropbox.com/help/363 for more information.

New comment by smarx in "Ask HN: Easy hosting for kids?"

smarx — Tue, 31 Jan 2017 01:09:33 +0000

https://www.site44.com (I'm a founder.)