Hacker News: timmclean

New comment by timmclean in "Ferrocene – Rust for Critical Systems"

timmclean — Sun, 08 Oct 2023 19:08:42 +0000

For supply chain security, you might be interested in cargo-vet[0], a tool for coordinating and requiring manual reviews of open source dependencies. Both Mozilla and Google[1] have started publishing their audits.toml files, which are machine-readable files describing what source code reviews they have performed.

[0] https://github.com/mozilla/cargo-vet

[1] https://opensource.googleblog.com/2023/05/open-sourcing-our-...

New comment by timmclean in "Results of technical investigations for Storm-0558 key acquisition"

timmclean — Thu, 07 Sep 2023 00:01:20 +0000

Is there a reason why they couldn't split the load across multiple HSM? For something so sensitive I would've expected a design where one or more root/master keys (held in HSM) are periodically used to sign certificates for temporary keys (which are also held in HSM). The HSMs with the temporary keys would handle the production traffic. As long as the verification process can validate a certificate chain, then this design should allow them to scale to as many HSMs as are needed to handle the load...

New comment by timmclean in "InternLM – new open source 7B LLM"

timmclean — Thu, 06 Jul 2023 19:18:57 +0000

Saving you a click: despite what the repo title might suggest, while the code is open source, the model weights cannot be used commercially without permission.

> The code in this repository is open-source under the Apache-2.0 license. The InternLM weights are fully open for academic research and also allow commercial use with written permission from the official team. For inquiries about commercial licenses and collaborations, please contact internlm@pjlab.org.cn.

https://github.com/InternLM/InternLM#open-source-license

New comment by timmclean in "AWS doesn't make sense for scientific computing"

timmclean — Fri, 07 Oct 2022 23:01:34 +0000

FWIW, spot prices for c5a.24xlarge in us-east-2b and us-east-2c seem to have been under $0.92/hr for most of the last 3 months. So, assuming some flexibility on the choice of region, that would adjust your estimate to $0.92 / $1.69 * $1233.70/mo = $671.60/mo, which looks a lot more reasonable. Hopefully I did that math right. Data egress prices are definitely still ridiculous, I agree.

ChaosDB Explained: Azure's Cosmos DB Vulnerability Walkthrough

timmclean — Fri, 19 Nov 2021 21:53:31 +0000

Article URL: https://www.wiz.io/blog/chaosdb-explained-azures-cosmos-db-vulnerability-walkthrough

Comments URL: https://news.ycombinator.com/item?id=29283057

Points: 116

# Comments: 34

ChaosDB Explained: Azure's Cosmos DB Vulnerability Walkthrough

timmclean — Fri, 12 Nov 2021 20:48:16 +0000

Article URL: https://www.wiz.io/blog/chaosdb-explained-azures-cosmos-db-vulnerability-walkthrough

Comments URL: https://news.ycombinator.com/item?id=29204338

Points: 10

# Comments: 2

New comment by timmclean in "Class Action Lawsuit Filed Against Robinhood"

timmclean — Fri, 29 Jan 2021 00:03:52 +0000

Thank you for your comments on this thread and others today. They have been very helpful in understanding what is actually going on.

New comment by timmclean in "Micro-op fusion in x86"

timmclean — Mon, 05 Feb 2018 03:34:14 +0000

I believe you're thinking about `add`. According to Agner Fog's instruction tables, the load and ALU uops are fused for `add`s, but not in the case of `inc`

http://www.agner.org/optimize/instruction_tables.pdf

New comment by timmclean in "Micro-op fusion in x86"

timmclean — Sun, 04 Feb 2018 22:20:11 +0000

That all makes sense, but it doesn't seem to apply to the example code in the article, right? `inc` doesn't decode to a single fused uop on Ivy Bridge. AFAIK, the example code in both cases decodes to the same number of uops in the fused domain...

New comment by timmclean in "MD6 Message-Digest Algorithm"

timmclean — Sun, 29 May 2016 19:55:41 +0000

The important thing to take away from this article is that MD6 really shouldn't be used in any production software, unfortunately. MD6 didn't even make it past the first round of the SHA-3 competition, so it hasn't received much attention from cryptanalysts.

Cryptohipsters (can I coin this term?) should take a look at Skein (a third-round SHA-3 candidate), BLAKE2 (the successor of a third-round SHA-3 candidate), and Keccak (the SHA-3 winner). These hash functions have undergone much more analysis. Notably, BLAKE2 is faster than MD5 in many cases, but without the security problems of MD5.

New comment by timmclean in "A list of command line tools for manipulating structured text data"

timmclean — Sat, 07 May 2016 21:41:03 +0000

I've been meaning to learn jq, so I decided to give it a try.

    FRUITS=$(cat input.json | jq '.models | map(select(.title == "fruits")) | .[0]')
    FRUIT_NAME_KEY=$(echo "$FRUITS" | jq '.fields | map(select(.name == "Name")) | .[0].key')
    
    FARMERS=$(cat input.json | jq '.models | map(select(.title == "farmers")) | .[0]')
    FARMER_NAME_KEY=$(echo "$FARMERS" | jq '.fields | map(select(.name == "Full name")) | .[0].key')
    FARMER_FRUITS_KEY=$(echo "$FARMERS" | jq '.fields | map(select(.name == "Fruits")) | .[0].key')
    
    BOB=$(echo "$FARMERS" | jq '.entities | map(select(.['$FARMER_NAME_KEY'] == "Bob, the farmer")) | .[0]')
    BOB_FRUIT_IDS=$(echo "$BOB" | jq '.['$FARMER_FRUITS_KEY'] | .[]' -r)
    
    for BOB_FRUIT_ID in "$BOB_FRUIT_IDS"; do
        echo "$FRUITS" | jq '.entities | map(select(._id == "'$BOB_FRUIT_ID'")) | .[0] | .['$FRUIT_NAME_KEY']'
    done

There's a bit of bash boilerplate, but honestly it was about what I would expect, given a structure with so many layers of indirection.

Pain points:

* Switching between bash and jq's filtering language led me to use string interpolation with bash variables. Malicious inputs can probably exploit this (and it was just awkward anyway).

* A "select one" filter would be nice, instead of select + get first element.

Why losing a home means losing everything

timmclean — Wed, 09 Mar 2016 03:01:44 +0000

Article URL: https://www.washingtonpost.com/news/wonk/wp/2016/02/29/how-the-housing-market-exploits-the-poor-and-keeps-them-in-poverty/

Comments URL: https://news.ycombinator.com/item?id=11250598

Points: 3

# Comments: 0

New comment by timmclean in "OweFS – One-way encrypted file system"

timmclean — Sat, 16 Jan 2016 00:22:21 +0000

The author should use a library that provides a simple "encryptWithPublicKey" method, so that any choices about RSA key size, AES mode of operation, etc are all taken care of. NaCl[1] would probably be best, since it's written and audited by prominent cryptographers.

[1] http://nacl.cr.yp.to/

New comment by timmclean in "OweFS – One-way encrypted file system"

timmclean — Fri, 15 Jan 2016 23:33:19 +0000

Heads up to anyone considering using this: the author wrote their own crypto code[1]. I would recommend against using this until that is fixed... I've already spotted a few vulnerabilities.

[1] https://github.com/FedericoCeratto/owefs/blob/master/pycrypt...

Million Dollar Curve

timmclean — Fri, 01 Jan 2016 20:48:52 +0000

Article URL: https://cryptoexperts.github.io/million-dollar-curve/

Comments URL: https://news.ycombinator.com/item?id=10823350

Points: 4

# Comments: 0

The design flaw in PBKDF2

timmclean — Thu, 08 Oct 2015 20:55:08 +0000

Article URL: https://www.chosenplaintext.ca/2015/10/08/pbkdf2-design-flaw.html

Comments URL: https://news.ycombinator.com/item?id=10356146

Points: 3

# Comments: 0

Researchers make quantum computing breakthrough, paving way for world-first chip

timmclean — Tue, 06 Oct 2015 22:11:32 +0000

Article URL: http://www.smh.com.au/technology/sci-tech/australian-researchers-make-quantum-computing-breakthrough-paving-way-for-worldfirst-chip-20151005-gk1bov.html

Comments URL: https://news.ycombinator.com/item?id=10342769

Points: 2

# Comments: 0

New comment by timmclean in "Enough with the Salts: Updates on Secure Password Schemes"

timmclean — Mon, 21 Sep 2015 18:09:36 +0000

Modern password hashes are designed to use a large amount of RAM in addition to CPU time in order to make password cracking using ASICs and GPUs more difficult. The paper on Argon2[1], the winner of the recent password hashing competition, would be a good read if you're interested in learning more about how password hashes are designed.

[1] https://www.cryptolux.org/images/0/0d/Argon2.pdf

New comment by timmclean in "Enough with the Salts: Updates on Secure Password Schemes"

timmclean — Mon, 21 Sep 2015 17:58:24 +0000

Mainly because it adds complexity, and complexity in crypto can hide subtle bugs. Example: http://blog.ircmaxell.com/2015/03/security-issue-combining-b...

Escaping callback hell

timmclean — Thu, 10 Sep 2015 01:16:34 +0000

Article URL: https://www.chosenplaintext.ca/2015/09/09/callback-hell.html

Comments URL: https://news.ycombinator.com/item?id=10195655

Points: 3

# Comments: 1