Posts by varx@infosec.exchange
 (DIR) Post #AV2jAdLct6Mm2YVDvM by varx@infosec.exchange
       2023-04-26T02:28:55Z
       
       0 likes, 0 repeats
       
       @lopta I reset my password using the "compromised account" feature, since it just took a moment. Little to lose. However... I'm not convinced yet that there's a legitimate threat, so I haven't done anything beyond that.

       (I don't use 2FA with Amazon because their 2FA support kind of sucks, and I don't have any "devices".)

       It's easy for people to think they've found something serious and be dead wrong about it. I know this from the perspective both of someone who has raised a false alarm, and of someone who has to field security disclosures. So I'm holding this with some uncertainty, and I figure we'll know soon enough.
       
 (DIR) Post #AValhQ1Ike7a6sgR7I by varx@infosec.exchange
       2023-05-12T18:00:58Z
       
       5 likes, 12 repeats
       
       Good news! .zip and .mov are now TLDs, not just file extensions! So mentioning archive.zip in chat may now link to a phishing site or something.

       Wait no, that's *bad* news...
       
 (DIR) Post #AWxHusXK7N8sua3tUu by varx@infosec.exchange
       2023-06-22T00:26:32Z
       
       0 likes, 0 repeats
       
       Today I have experienced the horror that is #Helm.

       Helm chart templates make #Kubernetes manifests by string-templating #YAML.

       YAML has one of the most unfriendly syntaxes of any textual data structure language I've ever seen. There's a whole website just dedicated to the nine different ways you can write a multiline string.

       And Helm just... string-interpolates values into it. The most fragile syntax in the world, and you're just going to inject raw bytes straight into it. The only tool provided to alleviate this is the `quote` function, which... doesn't actually do what you want.

       Currently at work I'm trying to figure out how to insert an arbitrary string value into another string, which is a pretty normal thing to do. And four attempts later, nothing works. The most common "solution" on the web appears to be to use `{{ ... | indent 12 }}` where 12 has to match the template's current indentation level. Good luck if you ever want to reindent anything!
       
 (DIR) Post #AWxHuwxLgYKwcSGjcO by varx@infosec.exchange
       2023-06-22T16:33:13Z
       
       0 likes, 0 repeats
       
       OK, here we go: A way to inject a string value inside a #YAML string in #Helm chart templates!

       You won't like this.

       "... {{ $someValue | quote | substr 1 (int (sub ($someValue | quote | len) 1)) }} ..."

       I promise you that this is one of the *less* terrible ways of performing this extremely fundamental operation.
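
       As an added example (not from the original posts, and not Helm's or Sprig's own code), the mechanics of that expression reproduced in Go, the language Helm templates are evaluated in: Sprig's `quote` is Go's `%q` formatting, so trimming its outer quotes leaves an escaped body that can be spliced into an existing double-quoted YAML scalar. The checker is a deliberately narrow stand-in for a YAML parser, and the value strings are constructed for the demonstration.

```go
package main

import (
	"fmt"
	"strconv"
)

// quoteBody mirrors the Helm expression
//   {{ $v | quote | substr 1 (int (sub ($v | quote | len) 1)) }}
// Sprig's `quote` is Go's %q formatting (strconv.Quote); dropping the surrounding
// quotes leaves an escaped body that can sit inside an existing double-quoted scalar.
func quoteBody(v string) string {
	q := strconv.Quote(v)
	return q[1 : len(q)-1]
}

// naiveInterpolate is what a bare {{ $v }} inside "..." does: raw bytes straight into YAML.
func naiveInterpolate(prefix, v, suffix string) string {
	return `"` + prefix + v + suffix + `"`
}

// escapedInterpolate is the quote-and-trim version of the same template.
func escapedInterpolate(prefix, v, suffix string) string {
	return `"` + prefix + quoteBody(v) + suffix + `"`
}

// isWellFormedDoubleQuoted is a narrow check, not a YAML parser: s must be exactly one
// double-quoted scalar with no unescaped quote inside and only escapes that YAML 1.2
// accepts. The set listed is what Go's %q can emit, and every member is also a legal
// YAML escape. (The hex digits after \x, \u and \U are not validated here.)
func isWellFormedDoubleQuoted(s string) bool {
	if len(s) < 2 || s[0] != '"' || s[len(s)-1] != '"' {
		return false
	}
	body := s[1 : len(s)-1]
	for i := 0; i < len(body); i++ {
		switch body[i] {
		case '"':
			return false // an unescaped quote ends the scalar early; the rest becomes YAML syntax
		case '\\':
			if i+1 >= len(body) {
				return false // a trailing backslash would escape the closing quote
			}
			switch body[i+1] {
			case '"', '\\', 'a', 'b', 't', 'n', 'v', 'f', 'r', 'x', 'u', 'U':
				i++
			default:
				return false
			}
		}
	}
	return true
}

func main() {
	// Constructed value: a quote followed by YAML syntax, the shape that breaks a naive template.
	v := `", other: value, k: "`
	for _, s := range []string{naiveInterpolate("name=", v, ""), escapedInterpolate("name=", v, "")} {
		fmt.Printf("%-5t %s\n", isWellFormedDoubleQuoted(s), s)
	}
}
```

       The body is only safe inside a double-quoted scalar: the escapes Go's `%q` produces (`\"`, `\\`, `\n`, `\t`, `\xNN`, `\uNNNN`, ...) are all legal YAML 1.2 double-quoted escapes, but none of them mean anything inside single-quoted or plain scalars. Invalid UTF-8 input is the one mismatch: Go writes each bad byte as `\xNN`, which YAML reads as the code point U+00NN. When the whole value is the scalar rather than part of one, `{{ $v | quote }}` on its own already does the job.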
       
 (DIR) Post #AWxI5DfIPvOHKvioPw by varx@infosec.exchange
       2023-06-22T16:40:03Z
       
       1 like, 0 repeats
       
       @feld Yeah, but the templating language also doesn't give you a way to interpolate into a JSON string. :-/
       
 (DIR) Post #AX5RgI63qEPAhxLXWK by varx@infosec.exchange
       2023-06-26T14:01:39Z
       
       4 likes, 6 repeats
       
       #YAML is endless fun.
       
 (DIR) Post #AXN7BdtIGENj5OlHAe by varx@infosec.exchange
       2023-07-03T23:40:25Z
       
       0 likes, 0 repeats
       
       @cuchaz Cavern has a problem that's very similar; my solution is for the friends to have to brute-force the list until they find something they can decrypt, but not have to do this *often*.

       Not sure if this is appropriate in your use-case, but consider whether there's a way to "stabilize" the numbers you're sending your friends; if they can act optimistically on the presumption of the number not having changed since last time (if that's even a meaningful concept) then they get to skip the expensive step whenever they're right.

       Barring that, it feels like this might require some fancy math involving combining multiple people's public keys. :-/
       
 (DIR) Post #AXN7BgDDd7VaHm6DVQ by varx@infosec.exchange
       2023-07-04T13:03:39Z
       
       0 likes, 0 repeats
       
       @cuchaz It's also pretty fast. The marginal cost on my 10+ year old laptop of performing an encryption or decryption is less than 80 µs. "Brute forcing" a list of 1000 small items until I find the one that's for me would take under 100 ms, which seems fine.

       40k items would take about 3 seconds to process. At that scale I'd want to start using k-anonymity for sure; including just an 8-bit public key prefix would bring that down to 12 ms.
       
 (DIR) Post #AXN7BgvWyMxCVCpbZg by varx@infosec.exchange
       2023-07-04T13:10:20Z
       
       0 likes, 0 repeats
       
       @cuchaz Another benefit is that keys are small and unstructured. Any 32 byte string can be converted to a key via some bit-masking—you create them from random data (or a hash output). So the keys are fast and simple to generate, they're small, and they can be readily derived deterministically from a passphrase if you're into that sort of thing. (And if you have both X25519 and Ed25519 keys, they can both come from the same shared seed, with a bit of context separation for safety.)
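
       An added example (not Cavern's code; the wire format, context labels and sample list are constructed for it) of the scheme sketched in the three replies above: items sealed to one recipient each with X25519 plus AES-GCM, a recipient trial-decrypting the whole list, and the first byte of the recipient's public key carried in clear as the 8-bit k-anonymity hint that lets most items be skipped. It also shows the point about unstructured keys: an X25519 key and an Ed25519 key are both hashed out of one 32-byte seed under different labels. Needs Go 1.20 or later for `crypto/ecdh`.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Item is a wire format constructed for this example (not Cavern's): hint byte, ephemeral key, nonce, ciphertext.
type Item struct {
	Prefix     byte   // first byte of the recipient's X25519 public key: the k-anonymity hint
	Ephemeral  []byte // sender's one-time X25519 public key
	Nonce      []byte
	Ciphertext []byte
}

// keysFromSeed derives an X25519 key and an Ed25519 key from one 32-byte seed under distinct
// (made-up) context labels. Any 32 bytes are a valid X25519 private key; clamping happens inside.
func keysFromSeed(seed []byte) (*ecdh.PrivateKey, ed25519.PrivateKey, error) {
	xs := sha256.Sum256(append([]byte("example/x25519/v1:"), seed...))
	es := sha256.Sum256(append([]byte("example/ed25519/v1:"), seed...))
	x, err := ecdh.X25519().NewPrivateKey(xs[:])
	return x, ed25519.NewKeyFromSeed(es[:]), err
}

// aeadFor runs X25519 and hashes the shared secret with both public keys into an AES-256-GCM key.
func aeadFor(priv *ecdh.PrivateKey, peer *ecdh.PublicKey, ephPub, recipPub []byte) (cipher.AEAD, error) {
	shared, err := priv.ECDH(peer)
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(bytes.Join([][]byte{[]byte("example/aead/v1:"), shared, ephPub, recipPub}, nil))
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts msg to one recipient under a fresh ephemeral key (sealed-box style).
func seal(recipient *ecdh.PublicKey, msg []byte) (Item, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return Item{}, err
	}
	ephPub := eph.PublicKey().Bytes()
	aead, err := aeadFor(eph, recipient, ephPub, recipient.Bytes())
	if err != nil {
		return Item{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	rand.Read(nonce) // crypto/rand.Read fills the buffer; since Go 1.24 it is documented never to fail
	return Item{Prefix: recipient.Bytes()[0], Ephemeral: ephPub, Nonce: nonce, Ciphertext: aead.Seal(nil, nonce, msg, ephPub)}, nil
}

// scan trial-decrypts the list. With useHint only items whose prefix byte matches mine are
// tried (about 1/256 of the work) while I still share that byte with roughly N/256 others.
func scan(me *ecdh.PrivateKey, items []Item, useHint bool) (found [][]byte, attempts int) {
	myPub := me.PublicKey().Bytes()
	for _, it := range items {
		if useHint && it.Prefix != myPub[0] {
			continue
		}
		attempts++
		ephPub, err := ecdh.X25519().NewPublicKey(it.Ephemeral)
		if err != nil {
			continue
		}
		aead, err := aeadFor(me, ephPub, it.Ephemeral, myPub)
		if err != nil {
			continue // a failure at any step just means "not addressed to me"
		}
		if pt, err := aead.Open(nil, it.Nonce, it.Ciphertext, it.Ephemeral); err == nil {
			found = append(found, pt)
		}
	}
	return found, attempts
}

func main() {
	var seed [32]byte
	rand.Read(seed[:])
	me, _, _ := keysFromSeed(seed[:]) // cannot fail for a 32-byte seed
	var items []Item                  // constructed list: 1000 items for strangers, then one for me
	for i := 0; i < 1000; i++ {
		stranger, _ := ecdh.X25519().GenerateKey(rand.Reader)
		it, _ := seal(stranger.PublicKey(), []byte("not for you"))
		items = append(items, it)
	}
	mine, _ := seal(me.PublicKey(), []byte("hello from a friend"))
	items = append(items, mine)
	_, tried := scan(me, items, false)
	found, triedHinted := scan(me, items, true)
	fmt.Printf("%d trial decryptions without the hint, %d with it; found %q\n", tried, triedHinted, found)
}
```

       The hint is the anonymity knob: with N items and a b-bit prefix each recipient is indistinguishable from the roughly N/2^b others sharing it, and does about that many trial decryptions instead of N. The AES-GCM tag is what makes a failed trial unambiguous: an item for someone else and a tampered item both simply fail to open, so the scan never acts on garbled plaintext.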
       
 (DIR) Post #AXN7BiJJpPZmnGy7I8 by varx@infosec.exchange
       2023-07-04T16:13:34Z
       
       0 likes, 0 repeats
       
       @cuchaz There's some truth to that. For instance, the top post-quantum schemes seem to have pretty large keys, which might violate some protocol assumptions.

       But they also might just work really differently in ways that don't match either RSA *or* ECC. Think of how ECC relies on key exchange rather than RSA's traditional asymmetric encryption, and doesn't have a notion of unifying encryption and signing. It seems to me there's a not-inconsiderable chance of further fundamental changes in the available primitives. Without being a serious cryptographer (let alone one who is up-to-date and has an eye for trends) it's impossible for me to make that kind of prognostication, though! I think keeping an eye on later versions of the protocol being able to swap out cryptosystems at a lower level makes sense, but I feel like it would be easy to unduly constrain the overall protocol.

       (That said, all of the round-4 NIST PQ submissions appear to describe KEMs, making them more similar in shape to public-key ECC than to RSA, if I'm not totally misunderstanding things.)
       
 (DIR) Post #AmL7fHHkW0IPpg16tU by varx@infosec.exchange
       2024-09-24T20:38:25Z
       
       0 likes, 0 repeats
       
       @piks3l "this is not funny, artists only do this when they’re in extreme distress."
       
 (DIR) Post #ApaTOPinwVN0XiHR8C by varx@infosec.exchange
       2024-12-30T23:47:17Z
       
       1 like, 0 repeats
       
       @drwho When I search for posts relating to IEC 62056 (which is probably the protocol you're talking about) I find this post about the "PiggyMeter": https://mastodon.social/@danie10/111431205222606388
       
 (DIR) Post #AuJaQJNVwbW89p9lxo by varx@infosec.exchange
       2025-05-21T03:47:45Z
       
       1 like, 3 repeats
       
       I very much get a "we just discovered radium and want to put it in everything" vibe from this whole generative AI bubble.

       (Including the thing where companies used to slap the word "radium" on existing products even though they thankfully did not actually have any radioactive materials. Like "radium butter".)
       
 (DIR) Post #AyATyC65yZmPVIJTuK by varx@infosec.exchange
       2025-09-13T15:51:41Z
       
       0 likes, 0 repeats
       
       @musicmatze Necessary but annoying part of a lot of apps.

       Static typing really helps ensure you don't mess it up, at least.
       
 (DIR) Post #AyAaW6SE3wg9ZaDVJo by varx@infosec.exchange
       2025-09-13T15:59:21Z
       
       0 likes, 0 repeats
       
       @musicmatze When there are a large number of fields with the same name, semantics, and visibility level in both structs, you can use destructuring to clean up a good deal of the repetition:

       let DbUser { foo, bar } = user;
       NetUser { foo, bar }
       
 (DIR) Post #B0syWZaVu25qusMkTI by varx@infosec.exchange
       2025-12-03T15:31:25Z
       
       0 likes, 0 repeats
       
       @ErikvanStraten You seem to be confused about Mastodon link previews vs. images.
       
 (DIR) Post #B0syWasz4qSiwS10ts by varx@infosec.exchange
       2025-12-03T21:14:46Z
       
       0 likes, 0 repeats
       
       @ErikvanStraten Take a deep breath, stop doubling down, and take a closer look at the post you replied to.
       
 (DIR) Post #B3OSRY6jTdNDZsucl6 by varx@infosec.exchange
       2026-02-16T22:02:19Z
       
       1 like, 0 repeats
       
       I made a tool that converts open source code into LLM poison: https://codeberg.org/timmc/scraggle

       It mutates Rust source code in ways that *preserve* the ability to compile the code. (That is, you can't detect the changes by looking for compiler errors.) For example, it switches `+` and `*`, or `==` and `!=`.

       If you fork a Rust repo, run this tool on it, and push it somewhere, then crawlers will end up ingesting all sorts of incorrect code.

       #scraggle #RustLang #LLMPoisoning
       
 (DIR) Post #B3OSReE2jMmoYINXzE by varx@infosec.exchange
       2026-02-16T22:06:58Z
       
       0 likes, 0 repeats
       
       What's really fun is that this tool mutates locally identical code in identical ways. `if rect.x > rect.y` will *always* turn into `if rect.x != rect.y`, in any program. (But different variables will have different results.)

       That means that LLMs are more likely to learn this poison rather than the mutations averaging out as noise.

       Feel free to fork some big open source repos and push some new commits...

       #scraggle #RustLang #LLMPoisoning
       
 (DIR) Post #B3OSRkPxhxsxl009Oi by varx@infosec.exchange
       2026-02-16T22:09:11Z
       
       0 likes, 0 repeats
       
       If this sounds familiar, it's likely because these kinds of mutations are a great way of testing your unit tests. There are some neat libraries out there for doing that! See cargo-mutants for instance.

       But this one doesn't just modify the AST—it performs surgery on the raw text, preserving comments and whitespace structure.

       It was really fun to write!
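
       As an added example (not scraggle's code, which targets Rust; this is Go, constructed here), the same raw-text surgery written as a mutation-testing helper: the Go scanner reports a byte offset for every token, so each swap is a splice into the original text, and comments, string literals and whitespace survive exactly as the post above describes. The table is limited to comparison operators, which in Go keep both operand and result types unchanged so the mutant still compiles; `+`/`*` is left out because a unary `+x` would become a dereference. Identical operators always map identically, which is the determinism the previous post points out, and the table is an involution, so running it twice restores the source.

```go
package main

import (
	"fmt"
	"go/scanner"
	"go/token"
	"strings"
)

// swaps is the deterministic mutation table. Each pair keeps operand and result types
// unchanged, so a mutant still compiles: `==`/`!=` both need comparable operands and
// `<`, `>`, `<=`, `>=` all need ordered ones.
var swaps = map[token.Token]string{
	token.EQL: "!=", token.NEQ: "==",
	token.LSS: ">", token.GTR: "<",
	token.LEQ: ">=", token.GEQ: "<=",
}

// mutate splices replacement operators into the raw source at the byte offsets the
// scanner reports. Comments, string literals and whitespace are never touched because
// the scanner has already classified them as something other than an operator token.
// It returns the mutated text and the number of operators swapped.
func mutate(src string) (string, int) {
	fset := token.NewFileSet()
	file := fset.AddFile("input.go", fset.Base(), len(src))
	var s scanner.Scanner
	s.Init(file, []byte(src), nil, 0) // mode 0: comments are skipped, offsets stay exact

	var out strings.Builder
	last, swapped := 0, 0
	for {
		pos, tok, _ := s.Scan()
		if tok == token.EOF {
			break
		}
		repl, ok := swaps[tok]
		if !ok {
			continue
		}
		off := file.Offset(pos)
		out.WriteString(src[last:off]) // everything since the previous edit, byte for byte
		out.WriteString(repl)
		last = off + len(tok.String())
		swapped++
	}
	out.WriteString(src[last:])
	return out.String(), swapped
}

// sample is a constructed input: the operators inside the comment and the string literal
// must survive; only the two in the return statement may change.
const sample = `package p

// same reports whether a == b (this comment must survive untouched)
func same(a, b int) bool {
	msg := "checking a == b" // and so must this string literal
	_ = msg
	return a == b && a <= b
}
`

func main() {
	out, n := mutate(sample)
	fmt.Printf("%d operators swapped:\n%s", n, out)
}
```

       Used as mutation testing, a test suite is run against the mutant: a test that still passes with `==` turned into `!=` is not actually checking that comparison, which is what cargo-mutants automates for Rust.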