Filippo Valsorda @filippo.abyssdomain.expert (@FiloSottile) / X

Data is not the new gold, data is the new uranium. Sometimes you can make money from it, but it can be radioactive, it's dangerous to store, has military uses, you generally don't want to concentrate it too much, and it's regulated. Why keep uranium you don't need?

Alright, actually unpopular opinion thread time. Might delete later. Allowing pets in the office is not an inclusive policy.

I have some personal news 👀 Today is my last day at Google! 🛫🏝🌅 I am leaving to take a long break from full-time employment and explore different ways Open Source maintainers can get paid. I want to make words.filippo.io/professional-m a thing, starting with Go cryptography!

Replying to

This is the maintainer who fixed the vulnerability that's causing millions(++?) of dollars of damage. "I work on Log4j in my spare time" "always dreamed of working on open source full time" "3 sponsors are funding 's work: Michael, Glenn, Matt" People, what are we doing.

I just saw a professional electrician follow a YouTube video, and I was confused for a second. Then I remembered I have 15 StackOverflow tabs open, and it all made sense.

I'm being downvoted on HN for mentioning that a black person saying "all white people are bad" is not the same thing as a white person saying "all black people are bad", in case you were wondering how tech is doing on understanding systemic racism.

No one is paying the log4j2 maintainers!? There is a whole page on the responsibilities of a "Project Management Committee"... AND NO ONE IS PAYING THEM? apache.org/dev/pmc.html Open Source needs to grow the hell up. Yesterday.

Quote

Log4j maintainers have been working sleeplessly on mitigation measures; fixes, docs, CVE, replies to inquiries, etc. Yet nothing is stopping people to bash us, for work we aren't paid for, for a feature we all dislike yet needed to keep due to backward compatibility concerns. twitter.com/shipilev/statu…

Big news! ʕ◔ϖ◔ʔ I am joining the Go team. 💥 In New York City. 🗽 Owning the crypto libraries. 🔐 On the new Open Source team. 🚀

things Go developers don't have to worry about: a thread

Earlier today, I kept getting "406 Not Acceptable" errors adding an embedded tweet to my blog post. Spent 15 minutes trying to figure out what was wrong. No hits on Google. Look at my Twitter name and tell me if you can figure it out 😅

“We don’t negotiate salaries” is a negotiation tactic. Always. No, your company is not an exception.

Heh, maybe you should not have automated this.

Hiring engineering talent is hard. And yet, there is a large pool of engineering talent up for grabs by any company that can muster the courage to say:
- remote policy is yes
- SF/NY mid-market rate worldwide after taxes/benefits
- unlimited immigration budget
- four day weeks

Replying to

I will donate $300 to RAICES to see this happen.

We all agree the status quo is unsustainable. Here are 1,000 words on how we could get the role of Open Source maintainer to graduate to a real, properly paid profession. The thing is, companies need it as much as maintainers do.

Replying to

Software engineers will build the tools to burn the world down as long as they’re in the correct programming language and ace the benchmarks. Maybe the most powerful people of our time reduced to puppets by basically “who’s a smart engineer? you’re a smart engineer, yes you are”

Sad to see all these cheap negative quips about Github & Microsoft. MS has been doing some awesome work in Open Source recently (just look at VS Code), and hired some excellent people. I see no reason to be worried.

Replacing loaded words in codebases might not change much, but opposing those changes speaks volumes.

Replying to

The market rate of a developer who can maintain a large open source project is at least $300k/yr. (Conservatively, check levels.fyi.) The most I've seen someone rack up on GitHub Sponsors and Patreon is like $1,000/month. You see the problem?

StackOverflow question: “the police are making people on the street install spyware, how do I protect myself?” Top HN comment: “discussing authoritarianism is pointless, more importantly, why doesn’t the spyware use HTTPS?” I hate this soulless industry.

You are logged into an old server. The uptime is 788 days. There are a lot of kernels here. >

Kathryn, , did not bypass code review. She didn't disrupt anyone's work. She didn't target an individual. She didn't violate any policy I'm aware of. She linked to an NLRB notice from an extension that exists to show links to policies. This only makes sense as retaliation. twitter.com/eiais/status/1

Wow. Linus admits his behavior was hurting people and Linux, recognizes being an asshole does not scale, apologizes, and takes time off to work on himself. Hopefully others who looked up to his behavior can take the occasion for similar introspection. lore.kernel.org/lkml/CA+55aFy+

Weird time to get this news, but after almost 7 years of fighting my way to NYC... my Green Card I-140 petition was approved this week! 🙌🍾🗽📬🇺🇸👽🏁🥳

Setting up an iPhone as a secure travel device. Notes, tips and tricks for your next trip to a hostile network.

This US Government is down to two nines.

I didn't really care about the macOS OCSP thing (I'm fine with Apple knowing what signed apps I run, and revocation is hard) until I realized those checks are over plaintext. Broadcasting what apps you launch to the network in plaintext should not have passed privacy review.

Every time I touch Python packaging I encounter beautiful colorful output that tells me that something changed and nothing works anymore. It's the only time I just try random upvoted commands from GitHub issues until it works. How does anyone get any work done like this?

I just killed 500 lines of crypto/tls code. 🎉💥🔥 In Go 1.14, no more SSLv3. No ifdef, no option. It's deleted. golang.org/cl/191976

I don't really care who this man-child is, but notice something... He worked at Stripe for years. This shit is everywhere in the industry. The next time you hear a story of discrimination that you find hard to believe, just remember this loser.

This little change must be the biggest security improvement to SSH's Trust on First Use in the past 20 years.

People Magazine printed my title as Cryptogopher. That is all.

Quote

Replying to @FiloSottile

your Tweet was quoted in an article by @people people.com/human-interest

📣📣📣📣 It's here! 🥁🥁🥁🥁 💥🍾🏁 age v1.0.0 🏁🍾💥

The TSA first made flying a miserable experience, then made you pay a bribe to skip most of it with Pre. Now they mismanaged the bribed line too, and you can pay a bigger bribe to Clear to skip most of that. 💯🇺🇸🦅💵 As a bonus, a private company has your biometrics now. 👁

The BUS DRIVERS are refusing to work for the police state, while software engineers, with the most leveraged profession of our time, still can't get their employers to stop working for ICE. Cowards. Disorganized and cowards. All of us. I'm ashamed.

I'm a big fan of brew cask for its library of zap instructions, which remove all traces of an application, however it was installed. The Zoom one has just been updated to remove the persistent server.
brew update
brew cask zap -f zoomus
github.com/Homebrew/homeb

For when you want to figure out how to apply some macOS preference from the command line, without Googling for hours for out-of-date defaults commands:
$ defaults read | pbcopy
# make changes in System Preferences.app
$ diff -u -F '^ "' <(pbpaste) <(defaults read)

Replying to

(BTW, I also know that guide dogs and emotional support dogs are critical to inclusivity, so that's not what I'm talking about. It's normal to have to accommodate conflicting needs sometimes. I'm talking about bringing your pet to work for fun.)

I am—or at least was in this picture—America's newest pilot! 🛩👨‍✈️ I passed my checkride today on this Piper. This was both a dream and a challenge like I haven't tackled in years. 48 hours, 35 days start to finish including weather days. It's been a ride 🍾

Another $300 from the Slack, we are at $1,550 for RAICES to see 's hair dyed blue.

Woah, did not see this one coming. OpenSSH now uses hybrid post-quantum Streamlined NTRU Prime + X25519 by default! openssh.com/txt/release-9.0

Folks, it works!! I am officially a full-time independent open-source maintainer! 🧑‍💻💼 That means I spend most of my time on open-source maintenance, and I offer retainers to companies that benefit from my work and from access to me. Full details 👉 words.filippo.io/full-time-main

JWT is so bad that I find myself wondering what I was doing when it was being created and if I could have done something to stop it. Also, note that this HN thread is full of developers just now learning that JWTs only do signing. Except they can also do encryption. 🤷‍♂️

There's some inane gatekeeping pushback on this absolutely mild take, so let me say it loud and clear: I'm a Senior Software Engineer at Google who works on cryptography and open source, and I find email-based patch submission a meaningful barrier.

Exploitable heap overflow in libgcrypt 1.9.0 (┛ಠ_ಠ)┛彡┻━┻ It's the crypto library that gpg uses. Homebrew has 1.9.0 right now. 🚨 dev.gnupg.org/T5259

Replying to

I am severely allergic to dogs and cats. Contact makes me break out in bubbles. Long indoor exposure causes me acute asthma attacks. Mild symptoms involve fatigue and respiratory problems hard to distinguish from a cold.

Here's one thing I think we'll find unacceptable in 50 years. The degree to which minors have no rights. They are basically non-people: no right to privacy (school and parent spyware), no right to freedom (go to your room!), can't even make their own medical decisions.

I'm already tired of QR discourse. Users click on links and scan QRs. It's what they are for. Mentally model the security boundary where it is, not where you want it.

Replying to

It's ready! 💥 github.com/FiloSottile/yu yubikey-agent is a seamless ssh-agent for YubiKeys. 🔒 Written in Go, it takes one command to set up, and never needs restarting.

Occasional reminder of unevenly distributed knowledge. Above $200k, you mostly negotiate equity, not salary. Mid-career engineers in the US can go way beyond $200k at large tech companies and startups that compete with them.

YIKES. It's important to destigmatize therapy, but giving permanent therapy transcripts to a VC-backed engagement-optimized tech startup is TERRIFYING. Teletherapy should be ephemeral by law, and it should not be allowed to optimize for more therapy. YIKES. YIKES. YIKES.

Quote

Replying to @kashhill

Talkspace, a text therapy app made famous by Michael Phelps ads, keeps transcripts for about 7 to 10 years because they're medical records—and data-mines them, of course. But all the other stuff going on there was WILD. nytimes.com/2020/08/07/tec

Replying to

Other places are way worse. I get recruiting emails listing the "office dog" as a perk. Guess what, me and a number of other people can't work for you now due to a completely work-unrelated medical reason.

Replying to

I know what I am biologically allergic to, tyvm stranger on the Internet.

So... guess who just got a Green Card, with perfect timing? 🎉

This is my main objection to password-encrypted key files. If you get to read arbitrary files from my disk you can pull my pictures, messages, and cookies (including the AWS console ones). But at least not the SSH key? Yay? Who cares?

Replying to

But here's the thing: the issue compounds. If you are already fighting a culture of sexism, are you going to spend political capital on... not letting people bring their dog to work? Of course not, so maybe it has to be privileged people complaining about this.

The police are arresting, shooting, and macing journalists. They are driving tanks into cities and escalating. They're getting recorded and they don't care. Defund the police. Disarm them. Drop qualified immunity.

The GNU project has no time to waste on silly stuff like providing an inclusive environment, it's all about the hard technic... *taps earpiece*

Quote

TIL that the gnu coding standards specify that you must not abbreviate "windows" as "win" because that's too positive and suggest standardizing on "woe", which is puerile even by the low bar I already had in mind for gnu gnu.ist.utl.pt/prep/standards

Feature request: block all accounts created in 2020. Most of them are bots. And if someone actually joined Twitter in 2020, look, they clearly make bad life choices.

Journalists. When reporting about Telegram groups, I need you to stop referring to it as a “secure messaging app” without context. This is not crypto nitpicking. Telegram groups ARE NOT ENCRYPTED.

Can we talk about the fact that is systematically putting much of the news industry to shame? This guide to filming police misconduct is grounded, useful, correct, insightful, actionable, sourced, and AFAICT flawless.

Oh my. Apparently, AMD CPUs will sometimes return bad results from RDRAND after a suspend. That's bad, but if everyone has been following the cryptographer's advice and _just used getrandom()_ that's not a problem. ... nope! systemd of course didn't!

🎉 mkcert made it to 10.000★ 🎉 v1.1.1 can make HTTPS certificates for localhost or any name on macOS, Linux and Windows, automatically trusted in Chrome, Firefox and Java. github.com/FiloSottile/mk

Replying to

To be clear, they are absolutely correct.

A lot of Go criticism seems to be “Go does {simple thing} instead of {complex thing I know about and you don’t}”. I’m very ok with that.

Replying to

Easy UNIX piping! No config options! Modern crypto! No keyrings! Public keys that fit in a tweet! No more looking up how to encrypt a file on StackOverflow. 💥 age1t7r9prsqc3w3x4auqq7y8zplrfsddmf8z97hct68gmhea2l34f9q63h2kp Try it out and send feedback 👉 age-encryption.org

Replying to

Others have a phobia of dogs instead of allergies, and they feel even less legitimized to speak up and "be that person", but have to cope with a work space that does not feel safe.

Replying to

In summary, allergies and phobias don't get the same treatment as disabilities, but they are also issues that exclude people for no good reason, or force them to fight for a safe environment.

OMG YES YES YES If you are into signing git commits, here's your answer! Also, I'm happy any time I see SSH signatures in use. Every developer has SSH keys! We have robust tooling and hardware for them! They are simple! You can use ssh-keygen(1) to produce and verify them. twitter.com/damienmiller/s

Replying to

To prove that crypto code can be understandable, I gave my best shot at writing a readable Poly1305 implementation. It tries to explain both what it’s doing and how. (It’s also 75% faster than the current one.) blog.filippo.io/a-literate-go-

PSA: don't rely on GnuTLS, please. [CVE-2020-13777] Whoops, for the past 10 releases most TLS 1.0–1.2 connections could be passively decrypted and most TLS 1.3 connections intercepted. Trivially. Also, TLS 1.2–1.0 session tickets are awful. blog.filippo.io/we-need-to-tal

Quote

GnuTLS was using an all-zero key for encrypting TLS session tickets. Whoops. gitlab.com/gnutls/gnutls/

Everyone is talking about the RSA key generation bug, and there's indeed a catalog of things that went wrong, but the thing is... YOU DON'T GET TO IMPLEMENT A FALLBACK FOR RANDOMNESS That's it. That's the tweet. github.com/juliangruber/k

🚨 The age-encryption.org reference implementation reached beta! 🥳 age(1) — a simple, modern, secure file encryption tool.

Quote

Beta 2 is out! github.com/FiloSottile/ag github.com/FiloSottile/age When we say shipped from the floor of #36c3, we mean it.

Rust at the top of /r/golang and Go at the top of /r/rust. My job here is done.

Replying to

By the way, I like dogs! I like dogs so much that sometimes I take meds and cover every inch of my skin to play with them for half an hour (and then immediately jump in the shower and accept some mild asthma for a couple days). But no one should have to at work.

I was going to announce a newsletter, but instead I found an XSS in the service I'm using for it, so now the sign up page is a Proof of Concept and I'm not sure this story has a moral.

Parents, please check your kids' candy this Halloween. I just found ECB mode in my son's candy bar. Be safe.

I'm such a sucker for nice UNIX pipelines.
$ pngpaste - | zbarimg -q --raw - | pass otp append
This extracts a QR code from a screenshot in the clipboard (⌘⌃⇧4) and saves it as a TOTP 2FA entry in password-store.
$ brew install pngpaste zbar pass-otp

Linus is arguing against the whole secure-by-default philosophy in order to break the only correct randomness interface in Linux. (The one that works like all the BSDs.) I can't, I just can't. I'm actually giving up. Go will mitigate it if it happens, but that's it.

Quote

I disagree with Linus on this issue. It’s the situation where you’re sure you really *don’t need* secure random numbers that represents the special case. Put your API flag there. lore.kernel.org/lkml/CAHk-=wiG

Wireguard is up there with Mosh in terms of not leaking the network semantics into the user experience: I've had a Mosh session and a Wireguard tunnel open to my home server for days from home, to plane WiFi, to Italian tethering. Other software, be more like Wireguard and Mosh.

Strong disagree. As always, the problem with ProtonMail is not that they don't deliver an impossible product (secure email), but that they advertise it. It's a choice, they know it, they benefit from it, their users believe it, and they are responsible for it.

Quote

So, @ProtonMail had to give out information about one of their users. Navigating what has happened is a bit tricky, and I'm not going to complain about the fact that Proton handed out the data. Why? Thread. twitter.com/tenacioustek/s…

Holy mother of all vulnerabilities.

PSA: the git:// protocol is unencrypted like http://
GOOD: git clone https://example.com
GOOD: git clone git@example.com # uses ssh
BAD: git clone git://example.com
BAD: git clone http://example.com

Quote

Replying to @FiloSottile

Jesus Christ. /cc @hanno

Ticketbleed (CVE-2016-9244): leak of up to 31 bytes of memory via TLS Session IDs, affecting most F5 BIG-IP versions ticketbleed.com
