• Learning before dabbling in applied cryptography (on 2023-05-15) A live document providing learning resources and pointers for those that want to experiment with applied cryptography.
• [remark] Misusing random oracles for practical purposes (on 2023-05-13) Experimenting with various real-world instantiations of cryptographic random oracles, with applicability from multi-factor encryption, to database record encryption.
• [remark] Experimenting with multi-factor encryption (on 2023-05-12) Prototyping an encryption tool that allows combining multiple encryption factors, from PIN's, passwords, to X25519 pairs, and beyond.
• [remark] My biases when choosing open-source tools (on 2023-04-07) I reflect on my preferences when it comes to choosing open-source tools I need to rely upon.
• [remark] SSH authorization keys experiments (on 2023-04-02) Experimenting with OpenSSH authorization keys resolution; from skeleton-key providing emergency access, to simple centralized key management.
• [remark] Privatizing our digital identities (on 2023-03-09) Trying to make the case for permanent irrevocable digital identities, which unfortunately today, by de-facto, are email addresses.
• Another take on the binary to text encoding (on 2023-02-05) A few words about one of my latest open-source projects, z-tokens, that among other thinks, also tries to tackle this problem but providing more added value compared to existing solutions.
• Binary to text encoding -- state of the art and missed opportunities (on 2023-02-04) Although many software engineers know about the topic, especially through their exposure to Base64, there are however many issues and missed opportunities not tackled by the broad community.
• [remark] Debating deterministic passwords (on 2023-01-25) A few words of caution about storage-free deterministic password managers.
• [RE] Containerized deployments, the Death Star of complexity (on 2023-01-24) An interesting take on containerized deployments, contrasted with other similar trajectories in the software engineering history.
• [remark] Passwords in deployment or development scripts? (on 2023-01-12) Questions (without definitive answers) about how to securely manage secrets in scripts and development environments?
• [remark] Memorable password schemes and patterns? (on 2023-01-11) Questions (without definitive answers) about memorable password schemes and patterns.
• [remark] Password strength for offline storage? (on 2023-01-10) Questions (without definitive answers) about password strength (i.e. entropy bits) for offline storage.
• [remark] Securing my static site server with seccomp (on 2022-09-11) Given a simple enough HTTP server, and by employing seccomp, one could easily achieve a quite secure(er) server, with a small enough attack surface that the potential attacker might want to look elsewhere in the stack for vulnerabilities.
• Static site hosting hurdles (on 2022-09-03) When it comes to static sites, there are a myriad of solutions for authoring and compiling, but talk about hosting these static sites, and we are still in the early 2000s. I discuss the challenges one faces when hosting, and even make a proposal to solve some of these.
• [remark] Useful Firefox addons (on 2022-08-13) A few Firefox addons I use on a daily basis.
• The many flavors of hashing (on 2022-07-29) About the many types of hash functions, their use-cases, dos and don'ts, with suggestions for currently accepted algorithms.
• [remark] On modern laptop requirements (on 2022-04-02)
• [remark] The impact of hacktivism / protestware in open-source (on 2022-03-27)
• Single binary executable packages (on 2022-01-25) In support of software packages that come in the form of a single binary executable (statically linked or portable), that one can just copy anywhere in ${PATH} and execute, without needing sudo, or downloading half the distribution's packages as dependencies.
• Good to know -- issue 2021.02 (on 2021-07-28) Articles and tools I've found interesting in the last few days.
• Security through stupidity, Banca Transilvania style (on 2021-03-23) About how the largest romanian bank tries to give its clients a "warm-fuzzy-feeling" of security, that is actually zero in real security terms.
• Good to know -- issue 2021.01 (on 2021-02-19) Articles and tools I've found interesting in the last few days.
• In Go-land you pay even for what you don't use (on 2021-02-14) About the hidden costs of forced automatic initialization of dependencies. And a plea for library developers (in any language) to think about their global state initialization requirements.
• The curious case of shell commands, or how "this bug is required by POSIX" (on 2021-01-03) About the fatal perils and traps of many modern tools that handle "shell commands" as passed through system(3) or sh -c. Or, how by the end of 2020, we still haven't given up on shell's equivalent "SQL building", or how shell's equivalent "SQL injection" still thrives in our engineering world... Plus a glibc bug, then a Linux man pages bug, then a POSIX specification bug...
• [snippet] Benchmarking "textual" file compression methods (on 2020-05-05) Trying to identify which compression tool and level yields the "best" outcome for "textual" archival purposes. (Spoiler: "it depends...")
• [snippet] Cleaning and compacting Git repositories (on 2020-05-04) How to compact and clean Git repositories of "dangling" commits and objects.
• [snippet] Properly sorting FQDNs in Bash (on 2020-05-04) How to properly sort a list of FQDNs in Bash, first by TLD, then by domain, then by sub-domain and so on.
• The before time -- microsoft.com (on 2020-03-08) A visual history of microsoft.com (thanks to the Internet Archive and its Wayback Machine).
• The before time -- google.com (on 2020-03-07) A visual history of google.com (thanks to the Internet Archive and its Wayback Machine).
• Good to know -- issue 2019.02 (on 2019-10-08) Articles and tools I've found interesting in the last few days.
• A visual comparison between HTTP/1.1 vs HTTP/2 (on 2019-08-15) A visual comparison between HTTP/1.1 and HTTP/2 in the context of many small resources and with real-world latency.
• Exfiltrating Go current goroutine ID (on 2019-08-04) About obtaining Go current goroutine ID, and why sometimes we should trust the developer to do the right thing... Else the developer is forced to embark on a journey that looks more like a mission impossible data exfiltration movie, than a day-to-day job...
• Good to know -- issue 2019.01 (on 2019-06-28) Articles and tools I've found interesting in the last few days; and about the start of a new "column".
• [RE] Containers Will Not Fix Your Broken Culture (and Other Hard Truths) (on 2019-06-27) About the "DevOps culture" plus related technologies, less about containers, but all about our professional careers as software developers or operators.
• Choosing Linux RAID5 chunk size (part 3) -- Ext4 / CDNjs raw data (on 2019-01-24) About choosing the "right" RAID5 chunk size on Linux systems, and related benchmarks. This part provides the raw data from the CDNjs benchmark.
• Choosing Linux RAID5 chunk size (part 2) -- the internet's wisdom (on 2019-01-19) About choosing the "right" RAID5 chunk size on Linux systems, and related benchmarks. This part summarizes previous work published by others on the internet.
• [RE] The State Of Software Security In 2019 (on 2019-01-16) About an high level overview of the application development security at the end of 2018.
• Choosing Linux RAID5 chunk size (part 1) -- block-device level benchmarks (on 2018-12-15) About choosing the "right" RAID5 chunk size on Linux systems, and related benchmarks. This first part presents a few benchmarks at the "block-device" level (i.e. without an actual file-system).
• The chronicle of getting text sizing to just work in mobile browsers (on 2018-11-27) About the "sanity" of developing sites that "just work" on mobile devices.
• Hello world! (on 2018-11-22) About this site, it's purpose and goals.