• cheeser
  • ernimril
  • joed
  • kinabalu
  • lunk
  • ojacobson
  • r0bby
  • ThaDon
  • ricky_clarkson
  • topriddy

« 2020-01-13


2020-01-15 »

Nick Message Date
KekSi 'morning [01:29]
puppy_za morning KekSi [01:31]
puppy_za how are you? [01:31]
KekSi better than yesterday tbh [02:07]
KekSi got an appointment with my psychologist in 3 weeks, the ophthalmologist says there's not much wrong with my eyes (i was worried because when i went to a laser clinic they said they can't do the procedure on me because my inner eye pressure is too high - on the same eye that got a full 1 dioptre worse in the last 5 years) [02:08]
KekSi got antibiotics for my weird cough that's been going for 6 weeks at my GP and she had a look at the leech bitemark and told me to come back with that next week [02:11]
Faux Sat by the entrance to the Hilton Private Beach during jogging'o'clock this morning, to experience the city the acuzio way. [02:12]
puppy_za lol [02:22]
puppy_za well [02:22]
puppy_za one step at a time [02:22]
db hilton "private beach"? in London? [02:25]
Faux I'm in Tel Aviv. [02:26]
db oh. ok. [02:26]
puppy_za KekSi: good to hear [02:30]
TomTom [TomTom!uid45892@gateway/web/] has joined #java-talk [02:33]
Matthijs [Matthijs!~quassel@unaffiliated/matthijs] has joined #java-talk [02:58]
sonOfRa morning [03:21]
puppy_za hi sonOfRa [03:22]
FabioP [FabioP!] has joined #java-talk [03:22]
Faux Just Works keeps locking the screen on the presentation machine then disassociating the clicker. Peak conference organisation. [03:35]
scav Free seating means walking for minutes, sitting in a different floor than your team. Which is awesome, when you are the latest member of said team, and should be "socializing" with the rest of the team [03:53]
Bombe It could be awesome if your team consists of idiots you don?t want to see or hear all day. [03:54]
Bombe I could totally do with one or two persons less in this room? [03:55]
scav Been here a couple of weeks, really don't have an opinion on anyone - but from experience I totally get that :D [04:16]
ron morning [04:54]
scav morning, ron [04:56]
Lengsdorfer [Lengsdorfer!~Lengsdorf@unaffiliated/lengsdorfer] has joined #java-talk [06:11]
ntonjeta [ntonjeta!] has joined #java-talk [07:10]
sonOfRa oooh, exciting! There's rumors that today's windows update is going to fix some rather critical things in a core crypto component [07:38]
kupi [kupi!uid212005@gateway/web/] has joined #java-talk [07:38]
puppy_za maybe we can ask a MS specialist about it [07:43]
Faux Today's, one day after win7? [07:59]
sonOfRa Today is win7 day, no? [08:00]
sonOfRa My guess is that win 7 will get it. I've heard rumors about software signatures, but those are extremely unconfirmed [08:00]
Faux I'd guess it was another login bypass through that damn cert UI. [08:01]
Faux Not cryptographically interesting. [08:01]
sonOfRa Krebs had rumors that it was crpytography-related [08:01]
sonOfRa Oh I guess that is kinda crypto-related, but I'm guessing it's more crypto-related than login bypass [08:01]
sonOfRa We'll see soon enough! [08:01]
KidBeta [KidBeta!~Kidbeta@hpavc/kidbeta] has joined #java-talk [08:22]
ron sonOfRa: "exciting" [08:32]
[twisti] fucking spotify [08:47]
[twisti] randomly missing the 'dislike' button [08:48]
KidBeta [KidBeta!~Kidbeta@hpavc/kidbeta] has joined #java-talk [08:52]
FabioP [FabioP!] has joined #java-talk [09:02]
scav so groovy apparently cannot have: def f(String), and be used like this f(x(y)) - like wtf? [09:05]
[twisti] still enjoying jenkins world ? [09:08]
scav i mean, its my life now [09:09]
scav im totally doing this 100% for the money [09:09]
[twisti] ouch [09:09]
[twisti] try talking them into picking up gitlab at least [09:10]
scav it's fine, i make more than everyone around me - thats my comfort [09:10]
scav i'm not going to even bother doing that :p [09:10]
sonOfRa Faux: huh, have you been following the recent stuff by JP Aumasson on drastically reducing round counts in cryptography? [09:15]
sonOfRa The argument is essentially that literally all round counts are massively overblown security margins, and for a lot of ciphers we could easily gain 100% performance without sacrificing security [09:16]
scav please, my brain is melting, sonOfRa [09:16]
sonOfRa Take for example ChaCha, everyone uses ChaCha20, but since 2008, the best attack we know on ChaCha*7* is something like 2^235 [09:17]
Faux No. [09:32]
Faux ChaCha20PolyPoly1337 is fast enough in debug mode in rust so it's already easily fast enough for the real world. [09:32]
Faux Krebbs talking about the NSA and trust. [09:33]
sonOfRa Faux: I mean, 2.5x throughput is nice. Though I guess chacha20 is probably already near memory bandwidth? [09:34]
sonOfRa aumasson is suggesting chacha8 over chacha20 in his stuff [09:35]
kamoricks [kamoricks!a7dc942d@Syncleus/dev/freeone3000] has joined #java-talk [09:43]
[twisti] why not chacha4 ? prob about 16x throughput [09:52]
sonOfRa [twisti]: because the *best known* attacks are on chacha7, and are *ever so slightly* below the promised security margins for the algorithm (2^256) [09:54]
sonOfRa And this has been the best known attacks for over a decade, and not for a lack of research [09:54]
sonOfRa There are currently *no* attacks on chacha8 that are better than 2^256 [09:54]
[twisti] i definitely agree that we should lower security to the absulte minimum and bet on hackers never ever getting better in favor of a performance difference of a measly factor of 2 [09:55]
[twisti] its why i use a 4 letter password where i can, its faster to type and shaves a second off my logins [09:55]
[twisti] bra. [09:55]
sonOfRa [twisti]: ah while you're joking, there's a point to this. [09:56]
sonOfRa Why not use chacha100? [09:56]
sonOfRa After all, we can't ever be sure [09:56]
[twisti] im not the one suggesting of changing the status quo [09:57]
[twisti] -of [09:57]
sonOfRa Ah yes, the "we've always done it this way" school of never changing things ;) [09:57]
sonOfRa These high round numbers originally started around the days of DES, where public cryptography research wasn't anywhere *near* as far as it is today [09:58]
[twisti] im just saying, a factor of 2 doesnt seem like nearly enough to justify lowering security that much [09:59]
sonOfRa Except we're not "lowering" any security. We still have a margin to the best known attack [10:00]
sonOfRa It's not like he's just suggesting this on a whim, this is based on a paper with significant analysis of the last 20 years of cryptanalysis research [10:02]
sonOfRa The paper is available here: [10:11]
tang^ apropos of yesterdays convo on ML: [10:19]
tang^ tang^'s title: "uid=65534(nobody): "" - LinuxLab" [10:19]
[twisti] lol [10:25]
kamoricks I do chacha "one second" for my password manager and it's probably fine. [10:30]
kamoricks ah. chacha20, 650000 rounds. [10:30]
tang^ per second? [10:30]
tang^ that's a fast gun [10:30]
kamoricks Xeons don't play. [10:31]
sonOfRa kamoricks: it's almost certainly fine, but very likely overkill. The round count on chacha20 itself, that is. [10:35]
sonOfRa augh [11:28]
sonOfRa [android 0b94e93] Validation without hibernate Hibernate [11:28]
sonOfRa 54 files changed, 1322 insertions(+), 340 deletions(-) [11:28]
sonOfRa all because android is fucking terrible [11:28]
sonOfRa And I put hibernate in the commit message twice :D [11:28]
kamoricks You can use JPA you just can't use annotations. [11:28]
kamoricks Which, I mean, I assume you got. But. Yeah. Android is. Not java. [11:29]
sonOfRa kamoricks: nope, hibernate validation uses a *lot* of stuff internally that doesn't work on the android version we're on (21, which is android 5) [11:29]
kamoricks ooh. yikes. [11:29]
sonOfRa I fiddled around with aggressively proguarding a lot of stuff out, but I deemed it not worth it after I still ran into countless errors after half a day, so I handrolled my own validation based on an interface, but otherwise the same API as validation (Set<ConstraintViolation<T>>, etc) [11:30]
sonOfRa Those +1322 -340 is without any tests, which is probably what I'm going to be spending the next few days on [11:31]
sonOfRa And we can't upgrade our android minsdk, because who in their right mind would expect someone who is running a cash register software on an android tablet to update that android tablet to a version of its operating system that is not full of holes and RCEs? [11:33]
db well you sold them a cash register on Android ? [11:37]
tang^ guessing that he didn't or he'd be specifying a new Android version [11:39]
db you just can't upgrade many older tablets or phones and such stuff is going to be used for a long time in shops [11:39]
kamoricks Honestly any other platform would likely be just as problematic. [11:39]
tang^ Windows POS, perhaps? [11:39]
db I buy pet stuff in this pet shop here, they run a cash register on what looks like dos / text based interface [11:40]
kamoricks That's an expense. And then, Windows POS doesn't usually run the full OS. Previous versions were based on Windows CE. The old, old version was based on DOS. [11:40]
sonOfRa Yeah, the world of cash register software, especially if they're hooked up to the internet is... scary. [11:41]
sonOfRa It's mostly a world of closing your eyes and accepting you can't do anything about how horrible it all is [11:41]
db yeah I do cash register software too, we have customers who absolutely have to run it on java 1.6 still [11:41]
tang^ I find the world hooked up to the internet is scary. full stop. [11:41]
kamoricks Current Windows POS is based on Windows 10 LTSB which is Least Bad, but that requires a Hefty Boi to run all the thin clients. [11:42]
kamoricks I know some people who use iPads simply for the longer software release cycle and longer backwards compatability. [11:42]
kamoricks But like anything in the space pretty much has to run 10+ years without any updates. [11:43]
tang^ yeah [11:43]
sonOfRa I'm glad I mostly concern myself with the server side of things, where we can mandate more things [11:43]
sonOfRa But this particular piece needs to work on both server and client, so it's terrible. [11:44]
kamoricks Sorry, we've actually just changed the name, it's Windows LTSC now. [11:44]
kamoricks To enforce the idea you still have to update the thing every six months. Which is silly. [11:44]
kamoricks IoT Core *might* work, but that literally can't run Java, only UWP apps. You're putting all your eggs in the dotnetcore/UWP basket, which is like... hosting all of your online documents on a google service. [11:45]
kamoricks sorry, I said apps. I implied it could do multitasking. nope, it runs one UWP app. [11:45]
kamoricks which *should* work for a cash register except some people's receipt printers are still serial and there's no serial-to-usb driver shipped with it so *incoherent yelling* [11:46]
sonOfRa Yeah we have just one app, the printers are usb/bluetooth or something like that [11:47]
sonOfRa But they're still fucking terrible :D [11:47]
tang^ oh yeah, I'm so glad I don't need to work with printers [11:48]
kamoricks Speaking of updates. Today's patch is important - it patches a vulnerability in SmartScreen. Patch when you can. [12:35]
ron patch what? [01:03]
kamoricks Windows 10, including Windows Server. [01:05]
ron lol windows 10 lol [01:07]
kamoricks Hey wanna guess why it's not being pushed to Windows 7? [01:07]
ron because windows 7 is dead [01:09]
sonOfRa kamoricks: 7 doesn't have ecc code signing, I guess? [01:19]
sonOfRa Or are they literally saying "hahaha get fucked update to 10, we're not giving you this one last update" [01:19]
sonOfRa Does it only affect code signing or other certificate verifications in the windows crypto library as well? [01:20]
Faux Sure am glad I'm using an unreviewed implementation of xchacha2020poly1337 on the internet. [01:27]
sonOfRa Apparently TLS is affected. Whoops. [01:30]
Faux Glad I NIH'd tls. [01:31]
kamoricks has the public details. [01:42]
[twisti] i install unsigned binaries all the time [01:47]
[twisti] doesnt seem like that big of a deal [01:48]
sonOfRa [twisti]: it's not just codesigning, it's any TLS connection that uses an ECC certificate on windows [01:50]
Faux Many enterprises have "only run signed binaries" ticked. [01:51]
sonOfRa Unless the software comes with its own TLS stack [01:51]
Faux RUSTLS [01:51]
[twisti] sonOfRa: but isnt the connection vulnerable if the client is compromised ? [01:52]
sonOfRa hm? Yes that's the point [01:52]
Faux In this case, the connection is vulnerable even if the client hasn't been compromised. [01:52]
Faux Because it's been lovingly shipped pre-compromised. [01:53]
bobek [bobek!~bobek@unaffiliated/bobek] has joined #java-talk [02:03]
sonOfRa I wonder if there's any services out there that run on IIS and use TLS client auth [02:18]
Faux Oldoldoldwork had some. [02:18]
Faux Not on the public internet though I don't think. [02:19]
sonOfRa Because I guess those are affected, too [02:19]
kamoricks Windows also uses TLS for internal Windows stuff. You could, potentially, fake being a DC with this. [02:32]
sonOfRa kamoricks: is the reason for no patch for win7 that win7 simply didn't have ECC or that they just want people to upgrade already? [02:36]
sonOfRa <3 seeing crypto twitter take wild guesses at what this is [02:44]
sonOfRa Most likely so far: Apparently, windows accepts any *curve parameters* you tell it to inside a cert [02:44]
sonOfRa So you can just make up your own weak curve where you can know the private keys to arbitrary public keys (like the public key of some CA) [02:46]
sonOfRa And then it looks at the CA's public key, and the curve parameters you tell it to, and then it verifies the public and private key against those parameters and voila, validation success [02:46]
sonOfRa This is hilariously like the bug where people fucked up JWT by accepting any key! [02:47]
[twisti] whats the cards you put in cell phones ? micro sd ? [02:48]
sonOfRa SIM [02:48]
sonOfRa P [02:48]
sonOfRa but yeah. Micro SD [02:48]
[twisti] thanks [02:49]
Faux sonOfRa: I guess you missed [02:55]
Faux I guess it's not super crypto specific about the problem. [02:56]
sonOfRa Ah! Yeah that definitely looks like a silly untrusted curves bug [02:58]
Faux My tcpdump on this kubes box sometimes sees the same request two or three different times, then the matching response*s*. On the same tuple. I guess some routing shenanigans but argh. [03:03]
waz [waz!~waz@pdpc/supporter/active/waz] has joined #java-talk [03:03]
aaronbond [aaronbond!~shrewdy@2a03:2880:11ff:18::face:b00c] has joined #java-talk [03:16]
kamoricks sonOfRa: Windows supports TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 since Windows 7. [03:21]
sonOfRa jesus [03:22]
Faux Ruh roh. [03:22]
Faux Is it off by default or something? I swear I've seen those suites crippled. [03:23]
kamoricks For things like DCs, it's off by default, you have to go into Security Certification, set it to Off, then set the value to 4. [03:23]
Faux Apparently not. Slabs thinks even IE7 on Vista will TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA to facebook. [03:23]
Faux (Yes, cbc.) [03:24]
Faux (No, those attacks are not real.) [03:24]
kamoricks But this is a crypt32.dll vuln to it's up to the individual application. [03:24]
kamoricks If openssl would theoretically have a similar problem, it would be in openssl_verify() [03:24]
Faux A function no user application would ever call, because it's libcurl's problem. [03:25]
Faux (haahahahah) [03:25]
sonOfRa God I remember when I added openssl_verify support to ruby_net_ldap [03:27]
sonOfRa And I didn't realize that hostname verification is entirely separate [03:27]
sonOfRa D [03:28]
Faux I only ported like 50% of debian from openssl 1 to 1.1, I don't actually know anything about it. >.> [03:35]
sonOfRa That was quite embarrassing when I saw like *2 years* after I implemented basic TLS validation [03:38]
sonOfRa sonOfRa's title: "SSL hostname verification support by tarcieri Pull Request #262 ruby-ldap/ruby-net-ldap GitHub" [03:38]
yottabyte [yottabyte!uid195082@gateway/web/] has joined #java-talk [03:46]
KidBeta [KidBeta!~Kidbeta@hpavc/kidbeta] has joined #java-talk [04:07]
waz [waz!~waz@pdpc/supporter/active/waz] has joined #java-talk [05:35]
waz [waz!~waz@pdpc/supporter/active/waz] has joined #java-talk [05:49]
waz [waz!~waz@pdpc/supporter/active/waz] has joined #java-talk [06:38]
waz [waz!~waz@pdpc/supporter/active/waz] has joined #java-talk [06:52]
db [db!uid18678@gateway/web/] has joined #java-talk [07:06]
waz [waz!~waz@pdpc/supporter/active/waz] has joined #java-talk [07:28]
waz [waz!~waz@pdpc/supporter/active/waz] has joined #java-talk [07:47]
db morning [08:09]
YottaByte [YottaByte!~YottaByte@unaffiliated/yottabyte] has joined #java-talk [08:16]
db sighs [09:53]
db how do you deal with congestion? like when three different people want me to do three different things until "tomorrow", what's the best way to ... make them feel good? ;-) [09:55]
db because that's what we do as prostitutes, isn't it? [09:55]
dreamreal why not just say no [10:04]
dreamreal establish boundaries, respect your own time and self [10:05]
db well I do, the question is if there's a way to not induce the idea that they're "always waiting for db to finally do stuff" [10:40]
db I should hire a bunch of clever chinese programmers [10:41]
db then delegate and bill my full rate :D [10:41]
dodobrain [dodobrain!~dodobrain@unaffiliated/freakabcd] has joined #java-talk [11:25]
ensamvarg [ensamvarg!~ensamvarg@] has joined #java-talk [11:40]