Posts by varx@infosec.exchange
Post #AV0fb4adR8QtvUxGCm by varx@infosec.exchange
2023-04-25T11:45:34Z
0 likes, 0 repeats
@Cloudguy @topher It's at least a little bit vague. :-) I used to have the same login for the ecommerce and AWS sites, but I don't any more; I don't recall what happened, but I think they've separated them, or encouraged people to separate them.

For people with *AWS-only* accounts, does anything need to be done? Because that's the bigger lift.
Post #AV0fb6RqWmahgorGme by varx@infosec.exchange
2023-04-25T11:52:21Z
0 likes, 0 repeats
@Cloudguy Or to put it more pointedly: How about those of us at work, with AWS-only accounts that have never connected to the shopping site or to IoT thingies? Or is this really just specific to the shopping site/IoT?
Post #AV2hdN4OHvL02p146K by varx@infosec.exchange
2023-04-26T11:32:02Z
0 likes, 0 repeats
@Cloudguy @feld This is quite a rude response to a reasonable inquiry.

You're making some grand claims, and leveraging limited social capital to do so. (I've never heard of you, and you haven't made it easy to verify you.) Posting insults is not making it any easier to take your word on faith.
Post #AV2jAdLct6Mm2YVDvM by varx@infosec.exchange
2023-04-26T02:28:55Z
0 likes, 0 repeats
@lopta I reset my password using the "compromised account" feature, since it just took a moment. Little to lose. However... I'm not convinced yet that there's a legitimate threat, so I haven't done anything beyond that.

(I don't use 2FA with Amazon because their 2FA support kind of sucks, and I don't have any "devices".)

It's easy for people to think they've found something serious and be dead wrong about it. I know this from the perspective both of someone who has raised a false alarm, and of someone who has to field security disclosures. So I'm holding this with some uncertainty, and I figure we'll know soon enough.
Post #AValhQ1Ike7a6sgR7I by varx@infosec.exchange
2023-05-12T18:00:58Z
5 likes, 12 repeats
Good news! .zip and .mov are now TLDs, not just file extensions! So mentioning archive.zip in chat may now link to a phishing site or something.

Wait no, that's *bad* news...
Post #AWxHusXK7N8sua3tUu by varx@infosec.exchange
2023-06-22T00:26:32Z
0 likes, 0 repeats
Today I have experienced the horror that is #Helm.

Helm chart templates make #Kubernetes manifests by string-templating #YAML.

YAML has one of the most unfriendly syntaxes of any textual data structure language I've ever seen. There's a whole website just dedicated to the nine different ways you can write a multiline string.

And Helm just... string-interpolates values into it. The most fragile syntax in the world, and you're just going to inject raw bytes straight into it. The only tool provided to alleviate this is the `quote` function, which... doesn't actually do what you want.

Currently at work I'm trying to figure out how to insert an arbitrary string value into another string, which is a pretty normal thing to do. And four attempts later, nothing works. The most common "solution" on the web appears to be to use `{{ ... | indent 12 }}` where 12 has to match the template's current indentation level. Good luck if you ever want to reindent anything!
Post #AWxHuwxLgYKwcSGjcO by varx@infosec.exchange
2023-06-22T16:33:13Z
0 likes, 0 repeats
OK, here we go: A way to inject a string value inside a #YAML string in #Helm chart templates!

You won't like this.

    "... {{ $someValue | quote | substr 1 (int (sub ($someValue | quote | len) 1)) }} ..."

I promise you that this is one of the *less* terrible ways of performing this extremely fundamental operation.
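To make the post above concrete, here is an added example (written for this page; it is not Helm's or Sprig's own code) in plain Go text/template, the engine Helm templates are built on. It defines stand-ins for the Sprig functions quote, substr, sub and int with Sprig's argument order, then renders one manifest two ways: splicing a value straight into a double-quoted YAML scalar, and using the quote-and-strip expression from the post (with .Greeting in place of $someValue). The manifest, the key names and the malicious greeting value are constructed for the demo.

```go
package main

import (
	"fmt"
	"os"
	"strconv"
	"strings"
	"text/template"
)

// Stand-ins for the Sprig functions the post's expression uses. They follow
// Sprig's argument order (assumption: the real ones live in Masterminds/sprig;
// this demo uses only the standard library).
var funcs = template.FuncMap{
	// quote: wrap the value in double quotes with Go-style escapes.
	"quote": func(s string) string { return strconv.Quote(s) },
	// substr start end string: Sprig clamps end to len(s).
	"substr": func(start, end int, s string) string {
		if start < 0 {
			return s[:end]
		}
		if end < 0 || end > len(s) {
			return s[start:]
		}
		return s[start:end]
	},
	"sub": func(a, b int) int { return a - b },
	"int": func(v int) int { return v }, // Sprig's int also converts other numeric types
}

// NaiveTemplate splices the value straight into a double-quoted YAML scalar.
const NaiveTemplate = `container:
  name: app
  greeting: "Hello, {{ .Greeting }}!"
`

// SafeTemplate is the post's expression: quote the value, then strip the
// surrounding quotes so only the escaped body lands inside the existing string.
const SafeTemplate = `container:
  name: app
  greeting: "Hello, {{ .Greeting | quote | substr 1 (int (sub (.Greeting | quote | len) 1)) }}!"
`

// MaliciousGreeting is a constructed value that closes the quoted scalar and
// adds a sibling key at the same indentation as "greeting".
const MaliciousGreeting = "x\"\n  image: attacker/evil\n  extra: \""

// Render executes a Helm-style template with the function map above.
func Render(tmpl string, data map[string]string) (string, error) {
	t, err := template.New("manifest").Funcs(funcs).Parse(tmpl)
	if err != nil {
		return "", err
	}
	var out strings.Builder
	if err := t.Execute(&out, data); err != nil {
		return "", err
	}
	return out.String(), nil
}

func main() {
	data := map[string]string{"Greeting": MaliciousGreeting}
	for _, tc := range []struct{ name, tmpl string }{{"naive", NaiveTemplate}, {"quoted", SafeTemplate}} {
		out, err := Render(tc.tmpl, data)
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(1)
		}
		fmt.Printf("--- %s ---\n%s", tc.name, out)
	}
}
```

Rendered naively, the constructed value closes the quoted scalar and adds an `image:` key at the same indentation as `greeting:`, so whoever controls that value controls the container image. With the quote-and-strip expression the `"` and the newline are emitted as `\"` and `\n`, and the value stays inside one scalar; every escape strconv.Quote can produce (`\\`, `\"`, `\n`, `\t`, `\xNN`, `\uNNNN`, ...) is accepted in a YAML double-quoted scalar. The same expression is not safe inside a JSON string, the case raised in the reply below: JSON has no `\xNN` escape, so a control byte in the value produces invalid JSON.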
Post #AWxI5DfIPvOHKvioPw by varx@infosec.exchange
2023-06-22T16:40:03Z
1 likes, 0 repeats
@feld Yeah, but the templating language also doesn't give you a way to interpolate into a JSON string. :-/
Post #AX5RgI63qEPAhxLXWK by varx@infosec.exchange
2023-06-26T14:01:39Z
4 likes, 6 repeats
#YAML is endless fun.
Post #AXN7BdtIGENj5OlHAe by varx@infosec.exchange
2023-07-03T23:40:25Z
0 likes, 0 repeats
@cuchaz Cavern has a problem that's very similar; my solution is for the friends to have to brute-force the list until they find something they can decrypt, but not have to do this *often*.

Not sure if this is appropriate in your use-case, but consider whether there's a way to "stabilize" the numbers you're sending your friends; if they can act optimistically on the presumption of the number not having changed since last time (if that's even a meaningful concept) then they get to skip the expensive step whenever they're right.

Barring that, it feels like this might require some fancy math involving combining multiple people's public keys. :-/
Post #AXN7BgDDd7VaHm6DVQ by varx@infosec.exchange
2023-07-04T13:03:39Z
0 likes, 0 repeats
@cuchaz It's also pretty fast. The marginal cost on my 10+ year old laptop of performing an encryption or decryption is less than 80 µs. "Brute forcing" a list of 1000 small items until I find the one that's for me would take under 100 ms, which seems fine.

40k items would take about 3 seconds to process. At that scale I'd want to start using k-anonymity for sure; including just an 8-bit public key prefix would bring that down to 12 ms.
Post #AXN7BgvWyMxCVCpbZg by varx@infosec.exchange
2023-07-04T13:10:20Z
0 likes, 0 repeats
@cuchaz Another benefit is that keys are small and unstructured. Any 32 byte string can be converted to a key via some bit-masking—you create them from random data (or a hash output). So the keys are fast and simple to generate, they're small, and they can be readily derived deterministically from a passphrase if you're into that sort of thing. (And if you have both X25519 and Ed25519 keys, they can both come from the same shared seed, with a bit of context separation for safety.)
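An added, runnable sketch of the scheme discussed in the three replies above (example code for this page, not Cavern's own implementation): trial decryption of a list of X25519 + AES-256-GCM items until one opens, the optional 8-bit public-key-prefix hint that lets a reader skip most items without doing any crypto, and deriving an X25519 key from an arbitrary seed with a context label. The item format, the key derivation (plain SHA-256 over the shared secret and both public keys, standing in for HKDF), the context strings and the demo list are all assumptions of this example; it uses only Go's standard library (crypto/ecdh, Go 1.20+).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Item is one list entry: the sender's ephemeral X25519 public key, a recipient
// hint (first byte of the recipient's public key: the post's "8-bit prefix"),
// and an AES-256-GCM nonce and ciphertext. Assumed format for this demo.
type Item struct {
	Ephemeral []byte
	Hint      byte
	Nonce     []byte
	Sealed    []byte
}

// KeyFromSeed turns any seed (e.g. 32 random bytes) into an X25519 private key:
// X25519 clamps the scalar itself, so any 32-byte hash output is usable. The
// context label keeps keys for different purposes derived from one seed apart.
func KeyFromSeed(seed []byte, context string) (*ecdh.PrivateKey, error) {
	h := sha256.New()
	h.Write([]byte("seed-to-key:" + context))
	h.Write(seed)
	return ecdh.X25519().NewPrivateKey(h.Sum(nil))
}

// aeadFor runs X25519 between priv and peer and derives the AES-256-GCM key
// from the shared secret and both public keys (SHA-256 stands in for HKDF).
func aeadFor(priv *ecdh.PrivateKey, peer *ecdh.PublicKey, ephPub, recipientPub []byte) (cipher.AEAD, error) {
	shared, err := priv.ECDH(peer)
	if err != nil {
		return nil, err
	}
	h := sha256.New()
	h.Write([]byte("trial-decrypt-demo v1"))
	h.Write(shared)
	h.Write(ephPub)
	h.Write(recipientPub)
	block, err := aes.NewCipher(h.Sum(nil))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts msg to recipient under a fresh ephemeral key.
func Seal(recipient *ecdh.PublicKey, msg []byte) (Item, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return Item{}, err
	}
	ephPub, recPub := eph.PublicKey().Bytes(), recipient.Bytes()
	g, err := aeadFor(eph, recipient, ephPub, recPub)
	if err != nil {
		return Item{}, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Item{}, err
	}
	return Item{Ephemeral: ephPub, Hint: recPub[0], Nonce: nonce, Sealed: g.Seal(nil, nonce, msg, nil)}, nil
}

// Open decrypts one item; the GCM tag check fails unless it was sealed to priv.
func Open(priv *ecdh.PrivateKey, it Item) ([]byte, error) {
	ephPub, err := ecdh.X25519().NewPublicKey(it.Ephemeral)
	if err != nil {
		return nil, err
	}
	g, err := aeadFor(priv, ephPub, it.Ephemeral, priv.PublicKey().Bytes())
	if err != nil {
		return nil, err
	}
	return g.Open(nil, it.Nonce, it.Sealed, nil)
}

// FindMine returns the first item priv can open and how many X25519+GCM attempts
// that cost. With useHint, items whose hint differs from our own public key's
// first byte are skipped with no crypto at all: about 1/256 of the work, paid
// for by leaking 8 bits about each recipient to anyone who can read the list.
func FindMine(priv *ecdh.PrivateKey, items []Item, useHint bool) ([]byte, int, error) {
	myHint := priv.PublicKey().Bytes()[0]
	attempts := 0
	for _, it := range items {
		if useHint && it.Hint != myHint {
			continue
		}
		attempts++
		if pt, err := Open(priv, it); err == nil {
			return pt, attempts, nil
		}
	}
	return nil, attempts, fmt.Errorf("no item addressed to this key after %d attempts", attempts)
}

func main() {
	var keys, items = []*ecdh.PrivateKey{}, []Item{} // constructed demo: 200 recipients, one item each, ours last
	for i := 0; i < 200; i++ {
		k, _ := KeyFromSeed([]byte(fmt.Sprintf("%032d", i)), "demo-x25519") // any 32-byte string works as a seed
		it, _ := Seal(k.PublicKey(), []byte(fmt.Sprintf("hello recipient %d", i)))
		keys, items = append(keys, k), append(items, it)
	}
	_, plain, _ := FindMine(keys[199], items, false)
	_, hinted, _ := FindMine(keys[199], items, true)
	fmt.Printf("attempts to find our item: %d without hint, %d with 8-bit hint\n", plain, hinted)
}
```

Without the hint the reader pays one X25519 and one GCM tag check per item ahead of its own (200 here, the worst case). With the hint it only attempts items whose first public-key byte matches its own, so the count drops to the handful of recipients that share that byte, which is the k-anonymity trade-off the post describes: the list now reveals a 1-in-256 bucket for every recipient.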
Post #AXN7BiJJpPZmnGy7I8 by varx@infosec.exchange
2023-07-04T16:13:34Z
0 likes, 0 repeats
@cuchaz There's some truth to that. For instance, the top post-quantum schemes seem to have pretty large keys, which might violate some protocol assumptions.

But they also might just work really differently in ways that don't match either RSA *or* ECC. Think of how ECC relies on key exchange rather than RSA's traditional asymmetric encryption, and doesn't have a notion of unifying encryption and signing. It seems to me there's a not-inconsiderable chance of further fundamental changes in the available primitives. Without being a serious cryptographer (let alone one who is up-to-date and has an eye for trends) it's impossible for me to make that kind of prognostication, though! I think keeping an eye on later versions of the protocol being able to swap out cryptosystems at a lower level makes sense, but I feel like it would be easy to unduly constrain the overall protocol.

(That said, all of the round-4 NIST PQ submissions appear to describe KEMs, making them more similar in shape to public-key ECC than to RSA, if I'm not totally misunderstanding things.)
Post #AmL7fHHkW0IPpg16tU by varx@infosec.exchange
2024-09-24T20:38:25Z
0 likes, 0 repeats
@piks3l "this is not funny, artists only do this when they’re in extreme distress."
Post #ApaTOPinwVN0XiHR8C by varx@infosec.exchange
2024-12-30T23:47:17Z
1 likes, 0 repeats
@drwho When I search for posts relating to IEC 62056 (which is probably the protocol you're talking about) I find this post about the "PiggyMeter": https://mastodon.social/@danie10/111431205222606388
Post #AuJaQJNVwbW89p9lxo by varx@infosec.exchange
2025-05-21T03:47:45Z
1 likes, 3 repeats
I very much get a "we just discovered radium and want to put it in everything" vibe from this whole generative AI bubble.

(Including the thing where companies used to slap the word "radium" on existing products even though they thankfully did not actually have any radioactive materials. Like "radium butter".)
Post #AyATyC65yZmPVIJTuK by varx@infosec.exchange
2025-09-13T15:51:41Z
0 likes, 0 repeats
@musicmatze Necessary but annoying part of a lot of apps.

Static typing really helps ensure you don't mess it up, at least.
Post #AyAaW6SE3wg9ZaDVJo by varx@infosec.exchange
2025-09-13T15:59:21Z
0 likes, 0 repeats
@musicmatze When there are a large number of fields with the same name, semantics, and visibility level in both structs, you can use destructuring to clean up a good deal of the repetition:

    let DbUser { foo, bar } = user;
    NetUser { foo, bar }
Post #B0syWZaVu25qusMkTI by varx@infosec.exchange
2025-12-03T15:31:25Z
0 likes, 0 repeats
@ErikvanStraten You seem to be confused about Mastodon link previews vs. images.
Post #B0syWasz4qSiwS10ts by varx@infosec.exchange
2025-12-03T21:14:46Z
0 likes, 0 repeats
@ErikvanStraten Take a deep breath, stop doubling down, and take a closer look at the post you replied to.