2017-08-08

Dr. Daniel Julius Bernstein

7.25: web.cs/sec/Dr. Daniel Julius Bernstein:
. Dr. Daniel Julius Bernstein
is an authority on computer security;
he's a big fan of extreme sandboxing
(where the app is cooperative)
and safe programming languages.
djb's main page; his papers
(and who they are cited by).

2017-03-01

git uses SHA-1 deprecated by NIST in 2011

2.25: news.cyb/dev/sec/git uses SHA-1 deprecated by NIST in 2011:
3.1: summary:
. git allows teams to concurrently work on software;
it uses SHA-1 hashing of versions,
to tell when files of a version have been modified
to help it merge versions of the software.
. SHA-1 has been cracked so you can modify a file
and yet have it result in the same SHA-1 hash,
thereby hiding the fact that it has been modified.
. the leader of git would like to replace SHA-1
with a more secure hash using more bits,
but would like to use a truncated version of that hash
so that git would only have to store and compare
the same number of bits as SHA-1.
. git is assumed by the leader of git, Linus Torvalds,
to be less vulnerable to the SHA-1 attack
because it includes not just the hash of a file
but also its size;
he gives no proof other than appeal to intuition:
can you imagine a way to add working malware to a file
while also keeping both the hash and the size the same?
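
. an added example (not from git's source or from the news item) of how the size enters the hash: git hashes the header "blob <size>\0" followed by the file's bytes, so the id depends on both. `truncated_sha256_id` and `find_modified` are hypothetical helpers that only illustrate the truncation idea and the modification check described above, and the sample files are constructed.

```python
import hashlib


def _with_header(content: bytes) -> bytes:
    # git prepends the object type and the byte length before hashing
    return b"blob " + str(len(content)).encode("ascii") + b"\0" + content


def git_blob_id(content: bytes) -> str:
    """Id git gives a file's contents: SHA-1 over header + bytes."""
    return hashlib.sha1(_with_header(content)).hexdigest()


def truncated_sha256_id(content: bytes, bits: int = 160) -> str:
    """Hypothetical id: SHA-256 over the same input, cut to `bits` bits
    so it occupies the same space as a SHA-1 id (assumption, not git's format)."""
    return hashlib.sha256(_with_header(content)).hexdigest()[: bits // 4]


def find_modified(recorded: dict, files: dict) -> list:
    """Names of files whose current bytes no longer match the recorded id."""
    return sorted(name for name, data in files.items()
                  if git_blob_id(data) != recorded.get(name))


# Constructed sample data: two small files and the ids recorded for them.
ORIGINAL = {"README": b"hello\n", "empty.txt": b""}
RECORDED = {name: git_blob_id(data) for name, data in ORIGINAL.items()}
# Same size as the original README, one byte changed.
TAMPERED = dict(ORIGINAL, README=b"hellp\n")

if __name__ == "__main__":
    for name, data in ORIGINAL.items():
        print(name, len(data), git_blob_id(data), truncated_sha256_id(data))
    # A same-size edit still changes the id unless the edit is a hash collision.
    print("modified:", find_modified(RECORDED, TAMPERED))
```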

2017-02-28

#webassembly is starting beta

2.28: news.cyb/dev.net/webassembly.org is starting beta:
Mozilla, Microsoft, Google, and Apple have teamed up
to make the web more efficient.