Thomas H. Ptacek
@tqbf
Followers
31K
Following
5K
Media
2K
Statuses
92K
Fear not the obstacles in your path, for fate has vouchsafed your reward. @[email protected]
✶ ✶ ✶ ✶
Joined October 2007
DOWNVOTES.IMPRISONING ME.ALL THAT I SEE.ABSOLUTE HORROR.I CANNOT LIVE.I CANNOT DIE.TRAPPED IN THIS THREAD.COMMENTS MY HOLDING CELL.
13
50
502
I’m sorry, I simply cannot be cynical about a technology that can accomplish this.
741
10K
70K
The all-new Mac Pro, in its maxed-out configuration, will run as many as 12 concurrent Slack sessions. This workflow has never been possible before.
21
857
4K
Welp. It’s the crypto bug of the year. Mark it down for April. Java 15-18 ECDSA doesn’t sanity check that the random x coordinate and signature proof are nonzero; a (0,0) signature validates any message. Breaks JWT, SAML, &c.
26
916
2K
I know I’m a huge dork for saying this but this Wikipedia deletionist is now one of my heroes.
18
413
1K
This is an important fact about Telegram that not a lot of people seem to understand:
31
853
1K
Come for the bible verses, stay for the Internet policy positions!
12
51
780
Every time I write a bash script, I celebrate by killing 19 Stack Overflow tabs in Chrome.
12
52
713
Moxie’s analysis of web3 is really, really good. I had no idea about a lot of this stuff.
7
188
701
AWS does not “hold the keys to the Internet”. It is perfectly possible to run services on your own hardware, and plenty of companies do exactly that.
29
119
613
The cheapest and (probably) most popular TLS Certificate Authority is also the best and most trustworthy. Not the outcome I’d have expected 10 years ago. Congratulations, LetsEncrypt.
9
100
651
The boy just asked if he should learn C++. It’s long past due for THAT conversation, and bad parenting that I waited for him to ask. I’m glad we caught him before he started experimenting on his own.
25
68
649
Talk all you want about Bolton or Pompeo or Mueller or Guccifer but the end result is the same:. The 2018 midterms are probably the most important election in our lifetimes.
15
154
514
TIL: OpenSSH’s default key encryption is so bad you might as well not set a password on your SSH keys.
11
357
586
Reminder that it’s 2017 and there’s still no reliable built-in way to encrypt a file to send to a peer on any mainstream OS.
63
240
580
The guy who maintains Helm, the most important package in Emacs, is a 57-year old alpine mountain guide who learned to program when he was 42, as a hobby.
11
121
566
Or, “I kept 70 people late at the office 6 days a week for a year, then laid them off with 2 days notice 10 days before Christmas, and then bragged about it.”
25
201
543
Look, I am just not having this. Vulnerabilities you discover internally — rather than in a security incident where they were discovered, or reported unbidden by a third party — ARE NOT BREACHES. Words mean things.
9
117
528
If you’re telling people to stop using WhatsApp because it’s insecure, you’re a crypto antivaxxer. Please stop. Call people out on this.
21
373
517
I love that it’s a $700 doorknob that only works if a company that sells $700 doorknobs can stay in business.
12
80
492
Matrix is not the first group chat system to have this basic flaw, which is apparently non-obvious: if you can’t securely control group membership, the cryptography doesn’t much matter.
4
137
502
People who never, ever report vulnerabilities have the most interesting opinions about how people should report vulnerabilities.
11
110
485
Mudge is the new head of security at Twitter, which got me talking about cDc, hacking groups, cliques, and the distinctions between them. I mentioned 8lgm and TESO as examples of hacking groups best understood as hacking groups, unlike cDc. Someone said: “never heard of them”.
14
102
448
Hey, look. Reddit got owned up. STOP USING SMS 2FA. It doesn’t work.
23
306
434
Hats off to the SEO genius at “ who knew that people would be searching for “crontab every 7 minutes” (and every other number of minutes) and has a page ready for each of them.
8
58
424
This is so excellent. Several Japanese Unicode characters are meaningless, transcribed by mistake, and we’re stuck with them forever. 妛挧暃椦槞蟐袮閠駲墸壥彁
9
237
421
Your periodic reminder that CS stands ALMOST ALONE among STEM fields for gender disparity. Mathematics, astronomy, biochem: ALL FAR BETTER.
16
181
403
OH: “if an attacker can figure out how to use Cloudwatch Logs's search, they deserve my password”.
4
109
420
Reminder to techs: work is political whether you like it or not. Apolitical nerds simply accept the default settings of their employers.
6
225
372
Use Signal for messages. Use Tarsnap for backups. Use Magic Wormhole for file transfers. Use age for file encryption (but make sure file encryption is actually what you need).
@tqbf The real question is what to use instead of GPG (maybe something based on sodium?).
11
68
383
If I have to pick just one, the dumbest thing Hacker News believes about security is that phishing is a simplistic attack that only unsophisticated users fall for.
16
52
360
This is the sickest burn of Internet message board culture I have ever read and it is from 1941.
8
136
335
:eyeballs-falling-out-of-head-emoji:. Try harder, Vice News. This is embarrassing.
19
33
351
Fuck it. I give up. I believe in formal methods now. Show me proofs for everything. I was wrong, the proof nerds were right.
6
58
357
Wow. This is the most succinct explanation of the entire Bitcoin phenomenon I’ve ever read.
6
139
323
If you’re a Congressional campaign within 5 hours driving distance of Chicagoland (lookin’ at you, Londrigan and Dady) in any direction: Erin and I will give your staff hardware security tokens and train them how to secure their email with it. 2018. Don’t screw around.
8
96
322
Tailscale wrote an excellent blog post about using Litestream/SQLite as their internal database. So we bought Litestream. Your move, Tailscale!
10
35
338
By default Telegram stores the PLAINTEXT of EVERY MESSAGE every user has ever sent or received on THEIR SERVER.
42
521
323
This is such a smart idea and I’m kicking myself for not thinking of it myself.
7
75
335
This paper is basically Github Copilot in reverse: researchers scraped open source code to build an NN model that can look at decompiled code and somewhat reliably recover the original types and variable names(!). Works with Hex-Rays now, but could be made to work with Ghidra.
This paper is awesome (h/t @tqbf): Turns out that machine learning can reconstruct reasonable variable names from decompiled source! I'd love to see this integrated with Ghidra.
1
75
336
We have decided that January 1, 2020 will be the day we sunset C. You can’t run any C code after that.
18
43
303
I’ve written like 1500 lines of bash in the last two weeks and my entire experience of bash is just Googling how to do anything and never retaining anything. I wonder if this is what Java felt like in the 2000s.
25
4
326
I don’t know how this isn’t the biggest story on the Internet right now. The key ceremony for the WHOLE INTERNET has been POSTPONED. THIS IS NOT NORMAL.
18
60
315
Honestly? At this point? I don’t think Apple can do a public event that mentions the Macbook without STARTING WITH AN APOLOGY FOR THIS FUCKING KEYBOARD.
23
58
288
Everyone please take a moment to consider what a big deal it would be if this had been Google accounts rather than Facebook accounts.
9
89
300
Here’s a whole essay she wrote after talking to historians about scrubbing “Clean Wehrmacht” mythology from WP WW2 content, over the strenuous objections of war nerds who treated Wehrmacht personnel like Pokemon cards.
1
26
279
Bring me the head who whoever decided JSON can’t have trailing commas.
17
70
289
Hi, I’m your CPU fan, installed as a friendly reminder that you may still have Flash enabled somewhere.
7
357
275
Tailscale has built one of the most valuable and widely-loved connectivity services of the last decade and the top comment on the orange site thinks that THEY’RE the joke because they did it by ignoring a lot of the conventional wisdom about n-tier app design.
10
14
289
Reminder that if you’ve any opinions about VPNs, you should know about WireGuard, which is like the Signal of VPNs.
4
81
275
Here Assange pretends that he didn’t help sign the death warrants for his two most prominent supporters.
President Obama has a political moment to pardon Manning & Snowden. If not, he hands a Trump presidency the freedom to take his prize.
5
187
253
The fuck? We’ve never taken a dollar of funding, here or at Matasano, and we pay interns. Everyone we talk to pays interns. What dipshit founders is he talking about?.
Congratulations to @AOC on fighting the hard fight to kill internship programs!. almost every founder I talk to has canceled their internship programs (or won’t start them) because they see no reason to pay for the right to slow down their A players to train young people.
23
17
277
Congrats to David Wells on a really excellent vulnerability. Update your Zoom client, or throw it into a dumpster and light it on fire.
4
158
276
More job stuff: I’m putting together a team dedicated to private networking — WireGuard, eBPF. Go, Rust, and BPF-C. I haven’t put a JD together, but feel free to reach out if you’re interested (thomas at fly io works, too).
7
50
275
Steal or write your dotfiles when you’re 17. Accrete lines over time; remove or edit rarely. The entries in your gradually expanding PATH like rings in a tree trunk. One day you may need your .profile to work on a SunOS 4.1.3 machine again, just wait.
What are people's dot files pro-tips? I keep my dot-files super small and boring ( but I couldn't live without "set bg=dark" in a .vimrc, or server keepalives in .ssh/config.
10
24
265
I am so confused by the constant question of “well if not PGP then what?”. Huh? Nobody uses PGP. It’s like asking “if not Betamax then what?” It’s not even wrong. Use Signal and Wire like everyone else.
34
40
270
“Things were just starting to get boring in the field of computer security when somebody said, ‘Hey, let’s reinvent desktop applications in a way that transforms the most common web app vulnerability into native remote code execution!’.”.
2
73
269
Nicholas Carlini is one of the sharper people I have ever met and I pay attention to anything he writes; this, on day-to-day utility of LLMs, rings pretty true to me.
7
62
285
To get better IPR rights. To not work in loud open offices. To improve broken recruiting processes. To fix broken performance tracking systems and end stack ranking. To stop working nights and weekends to hit insane deadlines. To allocate time to pay down tech debt, fix security.
4
47
238
Fuck algebra. You can just set the base point to the public key of the cert you want to spoof. This is the best day.
5
65
244
It is uncomfortable realizing how much higher a moral plane GWB probably occupies than the current POTUS. Deeply so.
7
126
234
I didn’t highlight any part of this paragraph because all of it is crazy talk.
14
129
220
Here’s a huge fight she picked about whether every recipient of a particular Nazi medal was automatically notable (a team of editors believed so, and systematically created pages for all of them). Note how everyone who deals with her assumes she’s a dude.
2
15
217
This is the coolest thing I’ve seen in months: Bleichenbacher and Thai Duong!.
1
154
229
This is the biggest, most impactful cryptographic result in years, and nobody is talking about it. You can have a whole successful career and not discover something half as important as this.
Tomorrow (Wednesday 6th) at @BlackHatEvents, we are presenting with @martinralbrecht, @DowlingBJ and @djwj_ our work on finding practically exploitable vulnerabilities in Matrix. Join us!! (and check our paper: .
7
46
230
It is absolutely off-the-charts crazy that antivirus programs proxy all your TLS connections. THIS IS NOT NORMAL.
11
172
218
I suggest that’s because 95% of “computer science” isn’t science at all, and most of the nerds ranting about this have never done science.
3
40
205
Keep telling me it’s OK to ship software in memory-unsafe languages.
6
58
222
thread for embarrassing debug log messages you’ve accidentally merged into main
20
15
216
The single most important cryptographic feature of Signal is Signal’s willingness to say “no” to feature requests, even for what seem like table stakes basic messaging features. No secure group messaging feature is ever simple.
3
43
214
I _absolutely do not believe_ that the culture across all of big tech is “security first” the way it’s “safety first” among major airlines. That is just not true.
9
47
212
“The CSO of Equifax has a music degree” is the very dumbest Equifax complaint; immediately suggests cluelessness about security field.
26
45
206
FOR FUCK’S FUCKING SAKE. alg: none filtered; alg: nOnE not filtered.
10
73
218
Reminder: recommended Google 2FA config: . 1. U2F Security Key.2. iPhone Code Generator.3. Physically secure backup codes.4. NO SMS.
14
105
208
I have never used `git stash` for anything other than placating `git pull`.
24
7
208
HN seriously on the verge of organizing a candle-light vigil over this firing.
5
34
198
This is fucked up. We’ve been looking and can’t find a SINGLE expert that agrees with this. The lie is outrunning us.
14
193
207
I wrote a thing about why encrypted email is bad and should feel bad.
16
79
202
I recorded a long podcast about token formats and then wrote a blog post about it.
9
54
206
If you’re freaked out that your browser turned something called “DNS over HTTPS” on, you’re being bamboozled. DoH is a good thing.
15
35
201
Someone on our team discovered an nginx bug identical to Heartbleed a year or so before Heartbleed. Went to file a bug; someone else filed it ONE HOUR EARLIER.
2
45
195