Subscribe: Comments for root labs rdist
http://rdist.root.org/comments/feed/
Preview: Comments for root labs rdist

Comments for rdist



Embedded security, crypto, software protection



Last Build Date: Wed, 12 Nov 2014 00:43:48 +0000

 



Comment on Thought experiment on protocols and noise by Anonymouse

Wed, 12 Nov 2014 00:43:48 +0000

You say curmudgeon, I say mature, responsible professional engineer :)



Comment on Thought experiment on protocols and noise by Nate Lawson

Wed, 05 Nov 2014 01:39:40 +0000

I don't ask it as a pass/fail question, it's more of "here's something fun to explore together". It's not really an interview question in the traditional sense as I don't usually ask it of interviewees. I don't like the the "solve this puzzle for points" method of interviewing and our interviews are quite different. What happens more often is we find things like this during audits. It's usually not as clever/interesting, though the developer usually thinks it is. "Hey, I found a safe way to reuse an IV" or "check out my 15 options to provide algorithm agility" are more like what we find. Nobody in their company found it because there are lots of these kinds of issues, lurking in nearly every piece of code there. What's even more difficult is trying to convince them to change it. Once you think something is clever, it's many times harder to reverse your opinion. But removing "clever" deviations and replacing them with boring, less functional substitutes is what it takes to secure a design. And that's why I sometimes sound like a curmudgeon to said developers.



Comment on Thought experiment on protocols and noise by Tony

Tue, 04 Nov 2014 20:14:52 +0000

I would fail this question. If it was asked on Hacker News or Twitter I would have raised objections. As an already hired employee I would put the requester through a two hour meeting and make him or her come up with good reasons before I even thought about coding something like this. In an interview situation, if the interviewer asked a question like this I would assume it was because they wanted an answer about how to solve it. It would be a bad assumption on my part in this case, but arguing with the interviewer about the validity of the question will in the majority of the interviews not get you the job.



Comment on In Defense of JavaScript Crypto by Nate Lawson

Tue, 28 Oct 2014 21:49:09 +0000

That's not browser crypto, but you can also talk to native extensions from HTML5 apps so still no need to replicate it in JS.



Comment on In Defense of JavaScript Crypto by B

Tue, 09 Sep 2014 22:32:09 +0000

I'm confused by your dislike of the PCI avoidance scenario. Even forgetting about PCI, doesn't RSA encrypting in the browser (which seems pretty safe, since there's nothing secret to be exposed, even if there's a bug in the encryption code), and decrypting somewhere in the backend avoid having the CC number in the memory of the web server? Which would prevent the recent Target/Home Depot attacks? Is it just that the idea that, "oh, we have malware reading our memory, but it's encrypted so we're ok", is crazy?



Comment on Catching up on recent crypto developments by caf

Fri, 27 Jun 2014 13:30:15 +0000

Can you describe your variant cipher mode?