Filippo Valsorda @filippo.abyssdomain.expert

@FiloSottile

Followers
48,791
Following
504
Media
1,066
Statuses
15,218

Cryptogopher / Go crypto maintainer / @kateconger-knower / RC F'13, F2'17 / #BlackLivesMatter / he+him

Joined June 2009
Pinned Tweet
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
8 months
Bluesky registrations are now open! I have been posting primarily there for months now. It has an early Twitter vibe, a hacking friendly protocol, and cool custom feed algorithms. Join me there! → @/filippo.abyssdomain.expert 🦋
0
0
17
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
5 years
Data is not the new gold, data is the new uranium. Sometimes you can make money from it, but it can be radioactive, it's dangerous to store, has military uses, you generally don't want to concentrate it too much, and it's regulated. Why keep uranium you don't need?
118
4K
10K
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
5 years
, the SSH server that knows who you are, got some newly refreshed intel! Try it out! $ ssh
Tweet media one
47
1K
4K
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
5 years
Alright, actually unpopular opinion thread time. Might delete later. Allowing pets in the office is not an inclusive policy.
183
732
4K
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
2 years
I have some personal news 👀 Today is my last day at Google! 🛫🏝🌅 I am leaving to take a long break from full-time employment and explore different ways Open Source maintainers can get paid. I want to make a thing, starting with Go cryptography!
Tweet media one
119
241
4K
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
3 years
This is the maintainer who fixed the vulnerability that's causing millions(++?) of dollars of damage. "I work on Log4j in my spare time" "always dreamed of working on open source full time" "3 sponsors are funding @rgoers 's work: Michael, Glenn, Matt" People, what are we doing.
Tweet media one
38
1K
3K
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
5 years
I just saw a professional electrician follow a YouTube video, and I was confused for a second. Then I remembered I have 15 StackOverflow tabs open, and it all made sense.
17
480
3K
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
3 years
No one is paying the log4j2 maintainers!? There is a whole page on the responsibilities of a @TheASF "Project Management Committee"... AND NO ONE IS PAYING THEM? Open Source needs to grow the hell up. Yesterday.
@yazicivo
Volkan Yazıcı
3 years
Log4j maintainers have been working sleeplessly on mitigation measures; fixes, docs, CVE, replies to inquiries, etc. Yet nothing is stopping people from bashing us, for work we aren't paid for, for a feature we all dislike yet needed to keep due to backward compatibility concerns.
176
2K
10K
50
620
2K
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
7 years
Big news! ✨ ʕ◔ϖ◔ʔ I am joining the Go team. 💥 In New York City. 🗽 Owning the crypto libraries. 🔐 On the new Open Source team. 🚀
Tweet media one
122
139
2K
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
4 years
I'm being downvoted on HN for mentioning that a black person saying "all white people are bad" is not the same thing as a white person saying "all black people are bad", in case you were wondering how tech is doing on understanding systemic racism.
21
137
2K
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
4 years
things Go developers don't have to worry about: a thread
38
266
2K
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
3 years
Earlier today, I kept getting "406 Not Acceptable" errors adding an embedded tweet to my blog post. Spent 15 minutes trying to figure out what was wrong. No hits on Google. Look at my Twitter name and tell me if you can figure it out 😅
20
154
2K
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
6 years
mkcert: valid HTTPS certificates for localhost — a short blog post about now that it's almost done 🔒
Tweet media one
29
748
2K
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
6 years
“We don’t negotiate salaries” is a negotiation tactic. Always. No, your company is not an exception.
24
353
2K
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
4 years
Heh, maybe you should not have automated this.
Tweet media one
18
133
2K
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
2 years
Hiring engineering talent is hard. And yet, there is a large pool of engineering talent up for grabs by any company that can muster the courage to say: - remote policy is yes - SF/NY mid-market rate worldwide after taxes/benefits - unlimited immigration budget - four day weeks
31
200
2K
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
5 years
@matthew_d_green I will donate $300 to RAICES to see this happen.
15
71
1K
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
3 years
We all agree the status quo is unsustainable. Here are 1,000 words on how we could get the role of Open Source maintainer to graduate to a real, properly paid profession. The thing is, companies need it as much as maintainers do.
72
520
2K
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
4 years
These checklists from Apple are gold. If you want to see if anyone else has access to your device or accounts: If you want to stop sharing: If you want to make sure no one else can see your location:
4
521
1K
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
3 years
A cosmic ray just murdered a Certificate Transparency log.
26
467
1K
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
5 years
Tweet media one
11
272
1K
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
4 years
Replacing loaded words in codebases might not change much, but opposing those changes speaks volumes.
15
331
1K
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
6 years
Sad to see all these cheap negative quips about Github & Microsoft. MS has been doing some awesome work in Open Source recently (just look at VS Code), and hired some excellent people. I see no reason to be worried.
73
310
1K
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
3 years
The market rate of a developer who can maintain a large open source project is at least $300k/yr. (Conservatively, check .) The most I've seen someone rack up on GitHub Sponsors and Patreon is like $1,000/month. You see the problem?
25
167
1K
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
6 years
Software engineers will build the tools to burn the world down as long as they’re in the correct programming language and ace the benchmarks. Maybe the most powerful people of our time reduced to puppets by basically “who’s a smart engineer? you’re a smart engineer, yes you are”
23
433
1K
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
6 years
StackOverflow question: “the police are making people on the street install spyware, how do I protect myself?” Top HN comment: “discussing authoritarianism is pointless, more importantly, why doesn’t the spyware use HTTPS?” I hate this soulless industry.
Tweet media one
14
378
1K
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
8 years
BlueCoat now has a CA signed by Symantec Here's how to untrust it
Tweet media one
56
1K
1K
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
3 years
Damn. @zx2c4 has been the Linux random driver maintainer for like a hot minute, and /dev/[u]random is now 100% SHA-1 free and 370% faster. Amazing.
13
229
1K
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
5 years
Weird time to get this news, but after almost 7 years of fighting my way to NYC... my Green Card I-140 petition was approved this week! 🙌🍾🗽📬🇺🇸👽🏁🥳
Tweet media one
55
7
1K
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
6 years
You are logged into an old server. The uptime is 788 days. There are a lot of kernels here. >
75
209
1K
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
5 years
Kathryn, @eiais , did not bypass code review. She didn't disrupt anyone's work. She didn't target an individual. She didn't violate any policy I'm aware of. She linked to an NLRB notice from an extension that exists to show links to policies. This only makes sense as retaliation.
8
281
991
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
6 years
Wow. Linus admits his behavior was hurting people and Linux, recognizes being an asshole does not scale, apologizes, and takes time off to work on himself. Hopefully others who looked up to his behavior can take the occasion for similar introspection.
7
386
990
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
7 years
This US Government is down to two nines.
Tweet media one
9
335
949
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
4 years
I didn't really care about the macOS OCSP thing (I'm fine with Apple knowing what signed apps I run, and revocation is hard) until I realized those checks are over plaintext. Broadcasting what apps you launch to the network in plaintext should not have passed privacy review.
24
136
946
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
3 years
Tweet media one
3
133
947
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
4 years
Every time I touch Python packaging I encounter beautiful colorful output that tells me that something changed and nothing works anymore. It's the only time I just try random upvoted commands from GitHub issues until it works. How does anyone get any work done like this?
46
83
925
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
5 years
I just killed 500 lines of crypto/tls code. 🎉💥🔥 In Go 1.14, no more SSLv3. No ifdef, no option. It's deleted.
Tweet media one
22
128
903
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
3 years
This little change must be the biggest security improvement to SSH's Trust on First Use in the past 20 years.
Tweet media one
9
144
887
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
4 years
I don't really care who this man-child is, but notice something... He worked at Stripe for years. This shit is everywhere in the industry. The next time you hear a story of discrimination that you find hard to believe, just remember this loser.
Tweet media one
17
121
869
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
5 years
People Magazine printed my title as Cryptogopher. That is all.
Tweet media one
@ReciteSocial
Recite Social
5 years
@filosottile your Tweet was quoted in an article by @people
1
1
10
25
77
853
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
5 years
Tweet media one
1
10
772
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
2 years
The TSA first made flying a miserable experience, then made you pay a bribe to skip most of it with Pre. Now they mismanaged the bribed line too, and you can pay a bigger bribe to Clear to skip most of that. 💯🇺🇸🦅💵 As a bonus, a private company has your biometrics now. 👁
14
91
805
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
3 years
Java does what now? I have... more concerns than fit in a tweet.
19
122
794
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
3 years
I am—or at least was in this picture—America's newest pilot! ✨🛩👨‍✈️ I passed my checkride today on this Piper. This was both a dream and a challenge like I haven't tackled in years. 48 hours, 35 days start to finish including weather days. It's been a ride 🍾
Tweet media one
39
5
786
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
6 years
For when you want to figure out how to apply some macOS preference from the command line, without Googling for hours for out-of-date defaults commands:
$ defaults read | pbcopy
# make changes in System Preferences.app
$ diff -u -F '^ "' <(pbpaste) <(defaults read)
Tweet media one
8
142
777
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
5 years
I'm a big fan of brew cask for its library of zap instructions, which remove all traces of an application, however it was installed. The Zoom one has just been updated to remove the persistent server.
brew update
brew cask zap -f zoomus
6
249
775
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
2 years
Folks, it works!! I am officially a full-time independent open-source maintainer! 🧑‍💻💼 That means I spend most of my time on open-source maintenance, and I offer retainers to companies that benefit from my work and from access to me. Full details 👉 ✨
21
63
774
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
5 years
(BTW, I also know that guide dogs and emotional support dogs are critical to inclusivity, so that's not what I'm talking about. It's normal to have to accommodate conflicting needs sometimes. I'm talking about bringing your pet to work for fun.)
30
29
753
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
4 years
The BUS DRIVERS are refusing to work for the police state, while software engineers, with the most leveraged profession of our time, still can't get their employers to stop working for ICE. Cowards. Disorganized and cowards. All of us. I'm ashamed.
14
217
741
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
2 years
Woah, did not see this one coming. OpenSSH now uses hybrid post-quantum Streamlined NTRU Prime + X25519 by default!
Tweet media one
13
199
746
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
4 years
JWT is so bad that I find myself wondering what I was doing when it was being created and if I could have done something to stop it. Also, note that this HN thread is full of developers just now learning that JWTs only do signing. Except it can also do encryption. 🤷‍♂️
Tweet media one
54
142
734
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
5 years
@tqbf @mveytsman @matthew_d_green Another $300 from the Slack, we are at $1,550 for RAICES to see @matthew_d_green 's hair dyed blue.
2
35
662
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
4 years
Exploitable heap overflow in libgcrypt 1.9.0 (┛ಠ_ಠ)┛彡┻━┻ It's the crypto library that gpg uses. Homebrew has 1.9.0 right now. 🚨
5
283
680
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
4 years
There's some inane gatekeeping pushback on this absolutely mild take, so let me say it loud and clear: I'm a Senior Software Engineer at Google who works on cryptography and open source, and I find email-based patch submission a meaningful barrier.
27
101
695
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
3 years
I'm already tired of QR discourse. Users click on links and scan QRs. It's what they are for. Mentally model the security boundary where it is, not where you want it.
10
95
636
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
4 years
It's ready! 💥 yubikey-agent is a seamless ssh-agent for YubiKeys. 🔒 Written in Go, it takes one command to set up, and never needs restarting. ✨
Tweet media one
10
199
631
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
4 years
Here's one thing I think we'll find unacceptable in 50 years. The degree to which minors have no rights. They are basically non-people: no right to privacy (school and parent spyware), no right to freedom (go to your room!), can't even make their own medical decisions.
32
100
613
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
5 years
I am severely allergic to dogs and cats. Contact makes me break out in bubbles. Long indoor exposure causes me acute asthma attacks. Mild symptoms involve fatigue and respiratory problems hard to distinguish from a cold.
7
40
619
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
4 years
Occasional reminder of unevenly distributed knowledge. Above $200k, you mostly negotiate equity, not salary. Mid-career engineers in the US can go way beyond $200k at large tech companies and startups that compete with them.
10
62
614
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
4 years
YIKES. It's important to destigmatize therapy, but giving permanent therapy transcripts to a VC-backed engagement-optimized tech startup is TERRIFYING. Teletherapy should be ephemeral by law, and it should not be allowed to optimize for more therapy. YIKES. YIKES. YIKES.
Tweet media one
Tweet media two
Tweet media three
@kashhill
Kashmir Hill
4 years
Talkspace, a text therapy app made famous by Michael Phelps ads, keeps transcripts for about 7 to 10 years because they're medical records—and data-mines them, of course. But all the other stuff going on there was WILD.
6
360
573
7
403
600
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
3 years
This is my main objection to password-encrypted key files. If you get to read arbitrary files from my disk you can pull my pictures, messages, and cookies (including the AWS console ones). But at least not the SSH key? Yay? Who cares?
Tweet media one
23
85
593
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
5 years
Other places are way worse. I get recruiting emails listing the "office dog" as a perk. Guess what, me and a number of other people can't work for you now due to a completely work-unrelated medical reason.
3
39
587
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
4 years
So... guess who just got a Green Card, with perfect timing? 🎉
Tweet media one
40
9
589
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
5 years
@yuriy_yarosh I know what I am biologically allergic to, tyvm stranger on the Internet.
8
3
578
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
7 years
Captive portals are the worst. So I made a tool to log into them from a dedicated Chrome w/o touching DNS settings.
Tweet media one
8
212
586
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
2 years
Folks, the time to run or is now. You don't need to have an account elsewhere yet. Download the CSVs while you can, and you can import them later. go go go go
10
292
570
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
5 years
But here's the thing: the issue compounds. If you are already fighting a culture of sexism, are you going to spend political capital on... not letting people bring their dog to work? Of course not, so maybe it has to be privileged people complaining about this.
5
27
571
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
6 years
🎉 mkcert made it to 10.000★ 🎉 v1.1.1 can make HTTPS certificates for localhost or any name on macOS, Linux and Windows, automatically trusted in Chrome, Firefox and Java.
Tweet media one
5
136
570
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
3 years
The GNU project has no time to waste on silly stuff like providing an inclusive environment, it's all about the hard technic... *taps earpiece*
Tweet media one
@0xabad1dea
badidea 🪐
3 years
TIL that the gnu coding standards specify that you must not abbreviate "windows" as "win" because that's too positive and suggest standardizing on "woe", which is puerile even by the low bar I already had in mind for gnu
23
144
904
12
105
564
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
4 years
The police are arresting, shooting, and macing journalists. They are driving tanks into cities and escalating. They're getting recorded and they don't care. Defund the police. Disarm them. Drop qualified immunity.
12
167
564
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
5 years
To be clear, they are absolutely correct.
Tweet media one
15
44
543
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
4 years
Feature request: block all accounts created in 2020. Most of them are bots. And if someone actually joined Twitter in 2020, look, they clearly make bad life choices.
13
72
554
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
3 years
Oh this is good.
Tweet media one
7
131
546
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
5 years
Oh my. Apparently, AMD CPUs will sometimes return bad results from RDRAND after a suspend. That's bad, but if everyone has been following the cryptographer's advice and _just used getrandom()_ that's not a problem. ... nope! systemd of course didn't!
14
248
531
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
7 years
Here's my response to that Google manifesto. If a recruiter emailed you, it's something concrete you can do, too:
Tweet media one
12
165
524
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
5 years
Easy UNIX piping! No config options! Modern crypto! No keyrings! Public keys that fit in a tweet! No more looking up how to encrypt a file on StackOverflow. 💥 age1t7r9prsqc3w3x4auqq7y8zplrfsddmf8z97hct68gmhea2l34f9q63h2kp Try it out and send feedback 👉
Tweet media one
6
171
546
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
4 years
Can we talk about the fact that @TeenVogue is systematically putting much of the news industry to shame? This guide to filming police misconduct is grounded, useful, correct, insightful, actionable, sourced, and AFAICT flawless.
7
221
534
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
6 years
Journalists. When reporting about Telegram groups, I need you to stop referring to it as a “secure messaging app” without context. This is not crypto nitpicking. Telegram groups ARE NOT ENCRYPTED.
13
200
521
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
9 years
Added an OpenSSH roaming vuln test to the whoami server $ ssh (code: )
Tweet media one
17
460
520
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
3 years
OMG YES YES YES If you are into signing git commits, here's your answer! Also, I'm happy any time I see SSH signatures in use. Every developer has SSH keys! We have robust tooling and hardware for them! They are simple! You can use ssh-keygen(1) to produce and verify them.
9
93
519
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
7 years
A lot of Go criticism seems to be “Go does {simple thing} instead of {complex thing I know about and you don’t}”. I’m very ok with that.
22
139
521
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
3 years
🤯 This makes sense but I would NOT have caught it.
Tweet media one
19
56
506
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
2 years
Parents, please check your kids' candy this Halloween. I just found ECB mode in my son's candy bar. Be safe.
Tweet media one
4
76
505
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
5 years
Others have a phobia of dogs instead of allergies, and they feel even less legitimized to speak up and "be that person", but have to cope with a work space that does not feel safe.
8
17
498
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
3 years
Everyone is talking about the RSA key generation bug, and there's indeed a catalog of things that went wrong, but the thing is... YOU DON'T GET TO IMPLEMENT A FALLBACK FOR RANDOMNESS That's it. That's the tweet.
10
134
498
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
5 years
In summary, allergies and phobias don't get the same treatment as disabilities, but they are also issues that exclude people for no good reason, or force them to fight for a safe environment.
11
45
490
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
5 years
🚨 The reference implementation reached beta! 🥳 age(1) — a simple, modern, secure file encryption tool.
@agetool
age — simple, modern file encryption
5 years
Beta 2 is out! When we say shipped from the floor of #36c3 , we mean it.
Tweet media one
0
31
113
7
166
498
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
5 years
I was going to announce a newsletter, but instead I found an XSS in the service I'm using for it, so now the sign up page is a Proof of Concept and I'm not sure this story has a moral.
10
54
485
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
7 years
Rust at the top of /r/golang and Go at the top of /r/rust. My job here is done.
Tweet media one
6
118
488
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
4 years
PSA: don't rely on GnuTLS, please. [CVE-2020-13777] Whoops, for the past 10 releases most TLS 1.0–1.2 connections could be passively decrypted and most TLS 1.3 connections intercepted. Trivially. Also, TLS 1.2–1.0 session tickets are awful.
@__agwa
Andrew Ayer (@[email protected])
4 years
GnuTLS was using an all-zero key for encrypting TLS session tickets. Whoops.
11
474
725
6
317
486
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
4 years
I'm such a sucker for nice UNIX pipelines.
$ pngpaste - | zbarimg -q --raw - | pass otp append
This extracts a QR code from a screenshot in the clipboard (⌘⌃⇧4) and saves it as a TOTP 2FA entry in password-store.
$ brew install pngpaste zbar pass-otp
6
43
484
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
5 years
To prove that crypto code can be understandable, I gave my best shot at writing a readable Poly1305 implementation. It tries to explain both what it’s doing and how. (It’s also 75% faster than the current one.)
7
170
484
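The tweet above is about a readable Poly1305 implementation. The following is an added example, not Filippo's code and not the Go standard library's: it is a from-scratch Poly1305 (RFC 8439, section 2.5) written with math/big so that every step of the algorithm is visible, checked against the RFC 8439 section 2.5.2 test vector. It trades speed and constant-time behaviour for legibility, so it is for study, not for production; the function names Poly1305, VerifyTag and RFC8439TagHex are this example's own.

```go
package main

import (
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"math/big"
)

// Constants of the Poly1305 one-time authenticator (RFC 8439, section 2.5).
var (
	// p = 2^130 - 5, the prime field the message polynomial is evaluated in.
	poly1305P = new(big.Int).Sub(new(big.Int).Lsh(big.NewInt(1), 130), big.NewInt(5))
	// Clamp mask for r: clears the top 4 bits of every 32-bit word and the
	// low 2 bits of the upper three words (r[3,7,11,15] &= 15, r[4,8,12] &= 252).
	poly1305Clamp, _ = new(big.Int).SetString("0ffffffc0ffffffc0ffffffc0fffffff", 16)
	// 2^128: the tag is the accumulator plus s, truncated to 128 bits.
	poly1305TwoTo128 = new(big.Int).Lsh(big.NewInt(1), 128)
)

// leToInt interprets b as a little-endian unsigned integer.
func leToInt(b []byte) *big.Int {
	be := make([]byte, len(b))
	for i := range b {
		be[len(b)-1-i] = b[i]
	}
	return new(big.Int).SetBytes(be)
}

// Poly1305 returns the 16-byte tag of msg under a 32-byte one-time key.
// The key is (r || s): r is clamped and used as the polynomial point,
// s is added at the end. A key must never authenticate two messages.
func Poly1305(key [32]byte, msg []byte) [16]byte {
	r := leToInt(key[:16])
	r.And(r, poly1305Clamp)
	s := leToInt(key[16:])

	// Horner evaluation: acc = ((m1*r + m2)*r + ...) mod p, where each
	// block m_i is the 16-byte chunk with a 0x01 byte appended. The pad
	// byte makes a short final block distinct from a zero-padded one.
	acc := new(big.Int)
	for len(msg) > 0 {
		n := 16
		if len(msg) < n {
			n = len(msg)
		}
		block := make([]byte, n+1)
		copy(block, msg[:n])
		block[n] = 1
		acc.Add(acc, leToInt(block))
		acc.Mul(acc, r)
		acc.Mod(acc, poly1305P)
		msg = msg[n:]
	}
	acc.Add(acc, s)
	acc.Mod(acc, poly1305TwoTo128)

	// Serialize little-endian; big.Int.Bytes() is big-endian and may be short.
	var tag [16]byte
	be := acc.Bytes()
	for i, b := range be {
		tag[len(be)-1-i] = b
	}
	return tag
}

// VerifyTag recomputes the tag and compares in constant time, which is the
// one place a reference implementation must not leak timing.
func VerifyTag(key [32]byte, msg []byte, tag [16]byte) bool {
	got := Poly1305(key, msg)
	return subtle.ConstantTimeCompare(got[:], tag[:]) == 1
}

// RFC8439TagHex computes the tag for the RFC 8439 section 2.5.2 test vector
// and returns it as hex; the expected value is a8061dc1305136c6c22b8baf0c0127a9.
func RFC8439TagHex() string {
	keyBytes, _ := hex.DecodeString("85d6be7857556d337f4452fe42d506a80103808afb0db2fd4abff6af4149f51b")
	var key [32]byte
	copy(key[:], keyBytes)
	tag := Poly1305(key, []byte("Cryptographic Forum Research Group"))
	return hex.EncodeToString(tag[:])
}

func main() {
	fmt.Println("RFC 8439 vector tag:", RFC8439TagHex())
}
```

The whole authenticator is the loop in Poly1305: every 17-byte padded block is added to the accumulator, the sum is multiplied by r, and the product is reduced mod 2^130 - 5. Optimized implementations split the accumulator into limbs so that the multiply never touches a multi-precision library, which is where most of the hard-to-read code comes from; the math/big version shows that the algorithm itself fits in a dozen lines.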
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
3 years
Strong disagree. As always, the problem with ProtonMail is not that they don't deliver an impossible product (secure email), but that they advertise it. It's a choice, they know it, they benefit from it, their users believe it, and they are responsible for it.
7
115
469
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
6 years
Wireguard is up there with Mosh in terms of not leaking the network semantics into the user experience: I've had a Mosh session and a Wireguard tunnel open to my home server for days from home, to plane WiFi, to Italian tethering. Other software, be more like Wireguard and Mosh.
6
107
473
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
5 years
By the way, I like dogs! I like dogs so much that sometimes I take meds and cover every inch of my skin to play with them for half an hour (and then immediately jump in the shower and accept some mild asthma for a couple days). But no one should have to at work.
3
14
471
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
7 years
Holy mother of all vulnerabilities.
13
399
465
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
5 years
Linus is arguing against the whole secure-by-default philosophy in order to break the only correct randomness interface in Linux. (The one that works like all the BSDs.) I can't, I just can't. I'm actually giving up. Go will mitigate it if it happens, but that's it.
@matthew_d_green
Matthew Green
5 years
I disagree with Linus on this issue. It’s the situation where you’re sure you really *don’t need* secure random numbers that represents the special case. Put your API flag there.
Tweet media one
38
109
447
14
159
470
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
8 years
Ticketbleed (CVE-2016-9244): leak of up to 31 bytes of memory via TLS Session IDs, affecting most F5 BIG-IP versions
Tweet media one
10
578
450
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
1 year
Do you have a bunch of GPUs and passphrase bruteforcing experience? Crack the NSA’s five SHA-1 hashes at the heart of NIST's elliptic curves, solve a cryptographic mystery, and earn $8k (tripled if donated to charity)!
25
175
456