- Learning before dabbling in applied cryptography (on 2023-05-15) A live document providing learning resources and pointers for those who want to experiment with applied cryptography.
- [remark] Misusing random oracles for practical purposes (on 2023-05-13) Experimenting with various real-world instantiations of cryptographic random oracles, with applicability from multi-factor encryption, to database record encryption.
- [remark] Experimenting with multi-factor encryption (on 2023-05-12) Prototyping an encryption tool that allows combining multiple encryption factors, from PINs and passwords to X25519 key pairs, and beyond.
- [remark] My biases when choosing open-source tools (on 2023-04-07) I reflect on my preferences when it comes to choosing open-source tools I need to rely upon.
- [remark] SSH authorization keys experiments (on 2023-04-02) Experimenting with OpenSSH authorization keys resolution; from skeleton-key providing emergency access, to simple centralized key management.
- [remark] Privatizing our digital identities (on 2023-03-09) Trying to make the case for permanent, irrevocable digital identities, which today are, de facto and unfortunately, email addresses.
- Another take on the binary to text encoding (on 2023-02-05) A few words about one of my latest open-source projects, z-tokens, that among other things also tries to tackle this problem, while providing more added value compared to existing solutions.
- Binary to text encoding -- state of the art and missed opportunities (on 2023-02-04) Although many software engineers know about the topic, especially through their exposure to Base64, there are many issues and missed opportunities not tackled by the broader community.
- [remark] Debating deterministic passwords (on 2023-01-25) A few words of caution about storage-free deterministic password managers.
- [RE] Containerized deployments, the Death Star of complexity (on 2023-01-24) An interesting take on containerized deployments, contrasted with other similar trajectories in the software engineering history.
- [remark] Passwords in deployment or development scripts? (on 2023-01-12) Questions (without definitive answers) about how to securely manage secrets in scripts and development environments.
- [remark] Memorable password schemes and patterns? (on 2023-01-11) Questions (without definitive answers) about memorable password schemes and patterns.
- [remark] Password strength for offline storage? (on 2023-01-10) Questions (without definitive answers) about password strength (i.e. entropy bits) for offline storage.
- [remark] Securing my static site server with seccomp (on 2022-09-11) Given a simple enough HTTP server, and by employing seccomp, one can fairly easily obtain a much more secure server, with an attack surface small enough that a potential attacker might prefer to look elsewhere in the stack for vulnerabilities.
- Static site hosting hurdles (on 2022-09-03) When it comes to static sites, there are a myriad of solutions for authoring and compiling, but talk about hosting these static sites, and we are still in the early 2000s. I discuss the challenges one faces when hosting, and even make a proposal to solve some of these.
- [remark] Useful Firefox addons (on 2022-08-13) A few Firefox addons I use on a daily basis.
- The many flavors of hashing (on 2022-07-29) About the many types of hash functions, their use-cases, dos and don'ts, with suggestions for currently accepted algorithms.
- [remark] On modern laptop requirements (on 2022-04-02)
- [remark] The impact of hacktivism / protestware in open-source (on 2022-03-27)
- Single binary executable packages (on 2022-01-25) In support of software packages that come in the form of a single binary executable (statically linked or portable), that one can just copy anywhere in `${PATH}` and execute, without needing `sudo` or downloading half the distribution's packages as dependencies.
- Good to know -- issue 2021.02 (on 2021-07-28) Articles and tools I've found interesting in the last few days.
- Security through stupidity, Banca Transilvania style (on 2021-03-23) About how the largest Romanian bank tries to give its clients a "warm-fuzzy-feeling" of security that amounts to zero in real security terms.
- Good to know -- issue 2021.01 (on 2021-02-19) Articles and tools I've found interesting in the last few days.
- In Go-land you pay even for what you don't use (on 2021-02-14) About the hidden costs of forced automatic initialization of dependencies. And a plea for library developers (in any language) to think about their global state initialization requirements.
- The curious case of shell commands, or how "this bug is required by POSIX" (on 2021-01-03) About the fatal perils and traps of many modern tools that handle "shell commands" by passing them through `system(3)` or `sh -c`. Or, how by the end of 2020 we still haven't given up on the shell's equivalent of "SQL building", and how the shell's equivalent of "SQL injection" still thrives in our engineering world... Plus a glibc bug, then a Linux man-pages bug, then a POSIX specification bug...
- [snippet] Benchmarking "textual" file compression methods (on 2020-05-05) Trying to identify which compression tool and level yields the "best" outcome for "textual" archival purposes. (Spoiler: "it depends...")
- [snippet] Cleaning and compacting Git repositories (on 2020-05-04) How to compact and clean Git repositories of "dangling" commits and objects.
- [snippet] Properly sorting FQDNs in Bash (on 2020-05-04) How to properly sort a list of FQDNs in Bash, first by TLD, then by domain, then by sub-domain and so on.
- The before time -- microsoft.com (on 2020-03-08) A visual history of microsoft.com (thanks to the Internet Archive and its Wayback Machine).
- The before time -- google.com (on 2020-03-07) A visual history of google.com (thanks to the Internet Archive and its Wayback Machine).
- Good to know -- issue 2019.02 (on 2019-10-08) Articles and tools I've found interesting in the last few days.
- A visual comparison between HTTP/1.1 vs HTTP/2 (on 2019-08-15) A visual comparison between HTTP/1.1 and HTTP/2 in the context of many small resources and with real-world latency.
- Exfiltrating Go current goroutine ID (on 2019-08-04) About obtaining the current goroutine ID in Go, and why sometimes we should trust the developer to do the right thing... Otherwise the developer is forced to embark on a journey that looks more like a mission-impossible data exfiltration movie than a day-to-day job...
- Good to know -- issue 2019.01 (on 2019-06-28) Articles and tools I've found interesting in the last few days; and about the start of a new "column".
- [RE] Containers Will Not Fix Your Broken Culture (and Other Hard Truths) (on 2019-06-27) About the "DevOps culture" plus related technologies, less about containers, but all about our professional careers as software developers or operators.
- Choosing Linux RAID5 chunk size (part 3) -- Ext4 / CDNjs raw data (on 2019-01-24) About choosing the "right" RAID5 chunk size on Linux systems, and related benchmarks. This part provides the raw data from the CDNjs benchmark.
- Choosing Linux RAID5 chunk size (part 2) -- the internet's wisdom (on 2019-01-19) About choosing the "right" RAID5 chunk size on Linux systems, and related benchmarks. This part summarizes previous work published by others on the internet.
- [RE] The State Of Software Security In 2019 (on 2019-01-16) A high-level overview of application development security at the end of 2018.
- Choosing Linux RAID5 chunk size (part 1) -- block-device level benchmarks (on 2018-12-15) About choosing the "right" RAID5 chunk size on Linux systems, and related benchmarks. This first part presents a few benchmarks at the "block-device" level (i.e. without an actual file-system).
- The chronicle of getting text sizing to just work in mobile browsers (on 2018-11-27) About the "sanity" of developing sites that "just work" on mobile devices.
- Hello world! (on 2018-11-22) About this site, its purpose and goals.
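The "shell commands" entry above describes tools that build a command string and hand it to `system(3)` or `sh -c`, the shell's equivalent of string-built SQL. The following is an added example, not code from the original post: three tiny helpers that each run an externally supplied value through `sh -c`, with a constructed hostile input, showing why pasting the value into the command text (even inside double quotes) is injectable, and why passing it as a positional parameter is the shell's equivalent of a prepared statement.

```shell
#!/bin/sh
# Added example (not from the original post): the shell's "SQL injection".
# Each helper hands an externally supplied value to `sh -c`, which is
# exactly what system(3) does under the hood.

# Vulnerable: the value is pasted into the command text, so any shell
# metacharacters it contains become part of the program the shell runs.
run_unsafe() {
    sh -c "echo $1"
}

# Still vulnerable: wrapping the value in double quotes only moves the
# problem, since a value that itself contains a double quote breaks out.
run_quoted() {
    sh -c "echo \"$1\""
}

# Safe: the command text is a constant, and the value travels as a
# positional parameter ($1 inside the child shell), which the shell
# expands as data and never re-parses as code.
run_safe() {
    sh -c 'echo "$1"' sh "$1"
}

# Constructed hostile inputs: values that carry shell syntax.
payload='foo; echo injected'
breakout='foo"; echo injected; echo "'

run_unsafe "$payload"     # prints "foo" and then "injected": the payload ran
run_quoted "$breakout"    # prints "foo" and then "injected": the quotes did not help
run_safe "$payload"       # prints the payload verbatim
run_safe "$breakout"      # prints the breakout string verbatim
```

The `sh -c 'cmd "$1"' sh "$value"` idiom is the one to reach for whenever a command template must be a shell snippet at all; where it need not be, calling `execve(2)` (or the language's argv-array spawn API) directly avoids the shell entirely.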
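The "Properly sorting FQDNs in Bash" snippet above describes the target order (by TLD, then domain, then sub-domain, and so on) without the page carrying the method itself. The following is an added example, not the original snippet's code: it reverses each name's labels, sorts in the C locale, and reverses back, using a space as the label separator so that a label and all of its children sort before any longer label sharing the same prefix (for example `www` before `www-x`). It assumes one name per line, lower-cases input (DNS names are case-insensitive), drops a trailing root dot, and ignores empty lines.

```shell
#!/bin/sh
# Added example (not the original snippet's code): sort FQDNs read from
# stdin hierarchically, by TLD, then domain, then sub-domain, and so on.
#
# Approach: reverse each name's labels, join them with a space (which sorts
# below every character allowed in a hostname, so "www" and all of its
# children come before "www-x"), sort in the C locale, then reverse back.
# Assumes one name per line; input is lower-cased, a trailing root dot
# ("example.com.") is dropped, and empty lines are ignored.
sort_fqdns() {
    awk '
        /^$/ { next }                      # skip empty lines
        {
            $0 = tolower($0)               # DNS names are case-insensitive
            sub(/\.$/, "")                 # drop a trailing root dot
            n = split($0, label, ".")
            out = label[n]                 # start with the TLD
            for (i = n - 1; i >= 1; i--)
                out = out " " label[i]     # then each label towards the host
            print out
        }' \
    | LC_ALL=C sort \
    | awk '{
            out = $NF                      # the host label is now last
            for (i = NF - 1; i >= 1; i--)
                out = out "." $i           # re-join in the original order
            print out
        }'
}

# Constructed sample input, deliberately out of order:
printf '%s\n' www.example.com mail.example.org example.com \
    sub.www.example.com www-x.example.com www.example.org | sort_fqdns
```

A plain `sort` on the reversed names joined with dots would not be enough: `.` sorts above `-`, so `www-x.example.com` would land before `sub.www.example.com`; the space separator is what keeps the ordering strictly label-wise.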