Filippo Valsorda @filippo.abyssdomain.expert

@FiloSottile

Followers: 46K
Following: 47K
Media: 1K
Statuses: 15K

Cryptogopher / Go crypto maintainer / @kateconger-knower / RC F'13, F2'17 / #BlackLivesMatter / he+him https://t.co/ZE4RtJ1xqD / https://t.co/qfth7zr00W / https://t.co/j1grpEm8uR

Joined June 2009
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
1 year
Bluesky registrations are now open! I have been posting primarily there for months now. It has an early Twitter vibe, a hacking friendly protocol, and cool custom feed algorithms. Join me there! → @/filippo.abyssdomain.expert 🦋
0
0
20
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
6 years
Data is not the new gold, data is the new uranium. Sometimes you can make money from it, but it can be radioactive, it's dangerous to store, has military uses, you generally don't want to concentrate it too much, and it's regulated. Why keep uranium you don't need?
111
3K
9K
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
5 years
the SSH server that knows who you are, got some newly refreshed intel! Try it out!
$ ssh
Tweet media one
42
1K
4K
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
6 years
Alright, actually unpopular opinion thread time. Might delete later. Allowing pets in the office is not an inclusive policy.
161
630
3K
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
3 years
I have some personal news 👀
Today is my last day at Google! 🛫🏝🌅
I am leaving to take a long break from full-time employment and explore different ways Open Source maintainers can get paid. I want to make a thing, starting with Go cryptography!
Tweet media one
106
224
3K
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
3 years
This is the maintainer who fixed the vulnerability that's causing millions(++?) of dollars of damage.
"I work on Log4j in my spare time"
"always dreamed of working on open source full time"
"3 sponsors are funding @rgoers's work: Michael, Glenn, Matt"
People, what are we doing.
Tweet media one
33
1K
3K
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
6 years
I just saw a professional electrician follow a YouTube video, and I was confused for a second. Then I remembered I have 15 StackOverflow tabs open, and it all made sense.
14
435
2K
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
3 years
No one is paying the log4j2 maintainers!? There is a whole page on the responsibilities of a @TheASF "Project Management Committee". AND NO ONE IS PAYING THEM? Open Source needs to grow the hell up. Yesterday.
@yazicivo
Volkan Yazıcı
3 years
Log4j maintainers have been working sleeplessly on mitigation measures; fixes, docs, CVE, replies to inquiries, etc. Yet nothing is stopping people from bashing us, for work we aren't paid for, for a feature we all dislike yet needed to keep due to backward compatibility concerns.
42
537
2K
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
7 years
Big news! ✨ ʕ◔ϖ◔ʔ
I am joining the Go team. 💥
In New York City. 🗽
Owning the crypto libraries. 🔐
On the new Open Source team. 🚀
Tweet media one
118
130
2K
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
5 years
I'm being downvoted on HN for mentioning that a black person saying "all white people are bad" is not the same thing as a white person saying "all black people are bad", in case you were wondering how tech is doing on understanding systemic racism.
21
123
2K
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
5 years
things Go developers don't have to worry about: a thread.
35
237
2K
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
3 years
Earlier today, I kept getting "406 Not Acceptable" errors adding an embedded tweet to my blog post. Spent 15 minutes trying to figure out what was wrong. No hits on Google. Look at my Twitter name and tell me if you can figure it out 😅.
19
136
2K
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
6 years
mkcert: valid HTTPS certificates for localhost — a short blog post about now that it's almost done 🔒.
Tweet media one
29
713
2K
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
6 years
“We don’t negotiate salaries” is a negotiation tactic. Always. No, your company is not an exception.
22
321
2K
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
5 years
Heh, maybe you should not have automated this.
Tweet media one
18
117
2K
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
3 years
Hiring engineering talent is hard. And yet, there is a large pool of engineering talent up for grabs by any company that can muster the courage to say:
- remote policy is yes
- SF/NY mid-market rate worldwide after taxes/benefits
- unlimited immigration budget
- four day weeks
29
176
2K
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
6 years
@matthew_d_green I will donate $300 to RAICES to see this happen.
14
66
1K
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
3 years
We all agree the status quo is unsustainable. Here are 1,000 words on how we could get the role of Open Source maintainer to graduate to a real, properly paid profession. The thing is, companies need it as much as maintainers do.
67
475
1K
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
4 years
These checklists from Apple are gold. If you want to see if anyone else has access to your device or accounts: If you want to stop sharing: If you want to make sure no one else can see your location:
4
460
1K
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
4 years
A cosmic ray just murdered a Certificate Transparency log.
21
428
1K
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
5 years
Tweet media one
11
239
1K
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
5 years
Replacing loaded words in codebases might not change much, but opposing those changes speaks volumes.
14
275
1K
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
7 years
Sad to see all these cheap negative quips about Github & Microsoft. MS has been doing some awesome work in Open Source recently (just look at VS Code), and hired some excellent people. I see no reason to be worried.
71
292
1K
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
3 years
The market rate of a developer who can maintain a large open source project is at least $300k/yr. (Conservatively, check ). The most I've seen someone rack up on GitHub Sponsors and Patreon is like $1,000/month. You see the problem?
23
142
1K
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
7 years
Software engineers will build the tools to burn the world down as long as they’re in the correct programming language and ace the benchmarks. Maybe the most powerful people of our time reduced to puppets by basically “who’s a smart engineer? you’re a smart engineer, yes you are”.
23
375
1K
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
7 years
StackOverflow question: “the police are making people on the street install spyware, how do I protect myself?”
Top HN comment: “discussing authoritarianism is pointless, more importantly, why doesn’t the spyware use HTTPS?”
I hate this soulless industry.
Tweet media one
14
325
995
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
9 years
BlueCoat now has a CA signed by Symantec. Here's how to untrust it
Tweet media one
53
1K
999
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
3 years
Damn. @zx2c4 has been the Linux random driver maintainer for like a hot minute, and /dev/[u]random is now 100% SHA-1 free and 370% faster. Amazing.
12
212
1K
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
5 years
Weird time to get this news, but after almost 7 years of fighting my way to NYC, my Green Card I-140 petition was approved this week! 🙌🍾🗽📬🇺🇸👽🏁🥳
Tweet media one
52
6
966
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
7 years
You are logged into an old server. The uptime is 788 days. There are a lot of kernels here. >.
72
185
935
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
5 years
Kathryn, @eiais, did not bypass code review. She didn't disrupt anyone's work. She didn't target an individual. She didn't violate any policy I'm aware of. She linked to an NLRB notice from an extension that exists to show links to policies. This only makes sense as retaliation.
7
231
902
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
7 years
Wow. Linus admits his behavior was hurting people and Linux, recognizes being an asshole does not scale, apologizes, and takes time off to work on himself. Hopefully others who looked up to his behavior can take the occasion for similar introspection.
7
343
921
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
9 years
Setting up an iPhone as a secure travel device. Notes, tips and tricks for your next trip to a hostile network.
24
445
912
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
7 years
This US Government is down to two nines.
Tweet media one
9
306
873
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
5 years
I didn't really care about the macOS OCSP thing (I'm fine with Apple knowing what signed apps I run, and revocation is hard) until I realized those checks are over plaintext. Broadcasting what apps you launch to the network in plaintext should not have passed privacy review.
22
116
846
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
4 years
Tweet media one
3
111
883
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
4 years
Every time I touch Python packaging I encounter beautiful colorful output that tells me that something changed and nothing works anymore. It's the only time I just try random upvoted commands from GitHub issues until it works. How does anyone get any work done like this?
42
73
850
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
6 years
I just killed 500 lines of crypto/tls code. 🎉💥🔥
In Go 1.14, no more SSLv3. No ifdef, no option. It's deleted.
Tweet media one
21
121
842
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
4 years
This little change must be the biggest security improvement to SSH's Trust on First Use in the past 20 years.
Tweet media one
7
134
820
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
4 years
I don't really care who this man-child is, but notice something. He worked at Stripe for years. This shit is everywhere in the industry. The next time you hear a story of discrimination that you find hard to believe, just remember this loser.
Tweet media one
17
100
760
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
6 years
People Magazine printed my title as Cryptogopher. That is all.
Tweet media one
@ReciteSocial
Recite Social
6 years
@filosottile your Tweet was quoted in an article by @people
21
69
781
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
5 years
Tweet media one
1
10
727
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
4 years
📣📣📣📣 It's here! 🥁🥁🥁🥁
💥🍾🏁✨ age v1.0.0 ✨🏁🍾💥
17
150
757
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
3 years
The TSA first made flying a miserable experience, then made you pay a bribe to skip most of it with Pre. Now they mismanaged the bribed line too, and you can pay a bigger bribe to Clear to skip most of that. 💯🇺🇸🦅💵
As a bonus, a private company has your biometrics now. 👁
11
80
738
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
3 years
Java does what now? I have more concerns than fit in a tweet.
19
107
710
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
4 years
I am—or at least was in this picture—America's newest pilot! ✨🛩👨‍✈️. I passed my checkride today on this Piper. This was both a dream and a challenge like I haven't tackled in years. 48 hours, 35 days start to finish including weather days. It's been a ride 🍾
Tweet media one
36
4
725
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
7 years
For when you want to figure out how to apply some macOS preference from the command line, without Googling for hours for out-of-date defaults commands:
$ defaults read | pbcopy
# make changes in System Preferences.app
$ diff -u -F '^ "' <(pbpaste) <(defaults read)
Tweet media one
7
125
719
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
6 years
I'm a big fan of brew cask for its library of zap instructions, which remove all traces of an application, however it was installed. The Zoom one has just been updated to remove the persistent server.
brew update
brew cask zap -f zoomus
6
219
708
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
2 years
Folks, it works!! I am officially a full-time independent open-source maintainer! 🧑‍💻💼 That means I spend most of my time on open-source maintenance, and I offer retainers to companies that benefit from my work and from access to me. Full details 👉 ✨
19
62
728
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
6 years
(BTW, I also know that guide dogs and emotional support dogs are critical to inclusivity, so that's not what I'm talking about. It's normal to have to accommodate conflicting needs sometimes. I'm talking about bringing your pet to work for fun.)
27
23
661
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
5 years
The BUS DRIVERS are refusing to work for the police state, while software engineers, with the most leveraged profession of our time, still can't get their employers to stop working for ICE. Cowards. Disorganized and cowards. All of us. I'm ashamed.
12
185
661
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
3 years
Woah, did not see this one coming. OpenSSH now uses hybrid post-quantum Streamlined NTRU Prime + X25519 by default!
Tweet media one
13
181
692
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
5 years
JWT is so bad that I find myself wondering what I was doing when it was being created and if I could have done something to stop it. Also, note that this HN thread is full of developers just now learning that JWTs only do signing. Except they can also do encryption. 🤷‍♂️
Tweet media one
50
131
694
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
6 years
@tqbf @mveytsman @matthew_d_green Another $300 from the Slack, we are at $1,550 for RAICES to see @matthew_d_green's hair dyed blue.
2
32
586
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
4 years
Exploitable heap overflow in libgcrypt 1.9.0 (┛ಠ_ಠ)┛彡┻━┻ It's the crypto library that gpg uses. Homebrew has 1.9.0 right now. 🚨
5
260
634
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
5 years
There's some inane gatekeeping pushback on this absolutely mild take, so let me say it loud and clear: I'm a Senior Software Engineer at Google who works on cryptography and open source, and I find email-based patch submission a meaningful barrier.
23
89
624
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
3 years
I'm already tired of QR discourse. Users click on links and scan QRs. It's what they are for. Mentally model the security boundary where it is, not where you want it.
10
84
573
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
5 years
It's ready! 💥 yubikey-agent is a seamless ssh-agent for YubiKeys. 🔒 Written in Go, it takes one command to set up, and never needs restarting. ✨
Tweet media one
8
170
568
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
5 years
Here's one thing I think we'll find unacceptable in 50 years. The degree to which minors have no rights. They are basically non-people: no right to privacy (school and parent spyware), no right to freedom (go to your room!), can't even make their own medical decisions.
31
91
556
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
6 years
I am severely allergic to dogs and cats. Contact makes me break out in bubbles. Long indoor exposure causes me acute asthma attacks. Mild symptoms involve fatigue and respiratory problems hard to distinguish from a cold.
6
34
551
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
4 years
Occasional reminder of unevenly distributed knowledge. Above $200k, you mostly negotiate equity, not salary. Mid-career engineers in the US can go way beyond $200k at large tech companies and startups that compete with them.
8
54
582
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
5 years
YIKES. It's important to destigmatize therapy, but giving permanent therapy transcripts to a VC-backed engagement-optimized tech startup is TERRIFYING. Teletherapy should be ephemeral by law, and it should not be allowed to optimize for more therapy. YIKES. YIKES. YIKES.
Tweet media one
Tweet media two
Tweet media three
@kashhill
Kashmir Hill
5 years
Talkspace, a text therapy app made famous by Michael Phelps ads, keeps transcripts for about 7 to 10 years because they're medical records—and data-mines them, of course. But all the other stuff going on there was WILD.
6
353
530
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
4 years
This is my main objection to password-encrypted key files. If you get to read arbitrary files from my disk you can pull my pictures, messages, and cookies (including the AWS console ones). But at least not the SSH key? Yay? Who cares?
Tweet media one
21
78
550
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
6 years
Other places are way worse. I get recruiting emails listing the "office dog" as a perk. Guess what, me and a number of other people can't work for you now due to a completely work-unrelated medical reason.
3
32
519
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
5 years
So. guess who just got a Green Card, with perfect timing? 🎉
Tweet media one
37
8
531
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
6 years
@yuriy_yarosh I know what I am biologically allergic to, tyvm stranger on the Internet.
8
3
506
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
8 years
Captive portals are the worst. So I made a tool to log into them from a dedicated Chrome w/o touching DNS settings.
Tweet media one
8
195
552
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
2 years
Folks, the time to run or is now. You don't need to have an account elsewhere yet. Download the CSVs while you can, and you can import them later. go go go go.
9
236
519
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
6 years
But here's the thing: the issue compounds. If you are already fighting a culture of sexism, are you going to spend political capital on not letting people bring their dog to work? Of course not, so maybe it has to be privileged people complaining about this.
5
25
510
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
7 years
🎉 mkcert made it to 10.000★ 🎉
v1.1.1 can make HTTPS certificates for localhost or any name on macOS, Linux and Windows, automatically trusted in Chrome, Firefox and Java.
Tweet media one
5
127
539
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
4 years
The GNU project has no time to waste on silly stuff like providing an inclusive environment, it's all about the hard technic. *taps earpiece*
Tweet media one
@0xabad1dea
badidea 🪐
4 years
TIL that the gnu coding standards specify that you must not abbreviate "windows" as "win" because that's too positive and suggest standardizing on "woe", which is puerile even by the low bar I already had in mind for gnu
10
85
502
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
5 years
The police are arresting, shooting, and macing journalists. They are driving tanks into cities and escalating. They're getting recorded and they don't care. Defund the police. Disarm them. Drop qualified immunity.
11
154
508
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
6 years
To be clear, they are absolutely correct.
Tweet media one
12
39
509
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
5 years
Feature request: block all accounts created in 2020. Most of them are bots. And if someone actually joined Twitter in 2020, look, they clearly make bad life choices.
12
60
497
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
4 years
Oh this is good.
Tweet media one
7
115
501
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
6 years
Oh my. Apparently, AMD CPUs will sometimes return bad results from RDRAND after a suspend. That's bad, but if everyone has been following the cryptographer's advice and _just used getrandom()_ that's not a problem. nope! systemd of course didn't!
14
218
491
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
8 years
Here's my response to that Google manifesto. If a recruiter emailed you, it's something concrete you can do, too:
Tweet media one
10
146
462
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
5 years
Easy UNIX piping! No config options! Modern crypto! No keyrings! Public keys that fit in a tweet! No more looking up how to encrypt a file on StackOverflow. 💥
age1t7r9prsqc3w3x4auqq7y8zplrfsddmf8z97hct68gmhea2l34f9q63h2kp
Try it out and send feedback 👉
Tweet media one
6
150
495
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
5 years
Can we talk about the fact that @TeenVogue is systematically putting much of the news industry to shame? This guide to filming police misconduct is grounded, useful, correct, insightful, actionable, sourced, and AFAICT flawless.
6
192
479
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
7 years
Journalists. When reporting about Telegram groups, I need you to stop referring to it as a “secure messaging app” without context. This is not crypto nitpicking. Telegram groups ARE NOT ENCRYPTED.
13
180
476
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
9 years
Added an OpenSSH roaming vuln test to the whoami server.
$ ssh (code:
Tweet media one
15
414
491
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
4 years
OMG YES YES YES. If you are into signing git commits, here's your answer! Also, I'm happy any time I see SSH signatures in use. Every developer has SSH keys! We have robust tooling and hardware for them! They are simple! You can use ssh-keygen(1) to produce and verify them.
9
87
479
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
8 years
A lot of Go criticism seems to be “Go does {simple thing} instead of {complex thing I know about and you don’t}”. I’m very ok with that.
20
135
484
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
3 years
🤯 This makes sense but I would NOT have caught it.
Tweet media one
16
51
467
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
3 years
Parents, please check your kids' candy this Halloween. I just found ECB mode in my son's candy bar. Be safe.
Tweet media one
4
65
454
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
6 years
Others have a phobia of dogs instead of allergies, and they feel even less legitimized to speak up and "be that person", but have to cope with a work space that does not feel safe.
7
16
435
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
4 years
Everyone is talking about the RSA key generation bug, and there's indeed a catalog of things that went wrong, but the thing is: YOU DON'T GET TO IMPLEMENT A FALLBACK FOR RANDOMNESS. That's it. That's the tweet.
8
121
452
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
6 years
In summary, allergies and phobias don't get the same treatment as disabilities, but they are also issues that exclude people for no good reason, or force them to fight for a safe environment.
9
35
434
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
5 years
🚨 The reference implementation reached beta! 🥳
age(1) — a simple, modern, secure file encryption tool.
@agetool
age — simple, modern file encryption
5 years
Beta 2 is out! When we say shipped from the floor of #36c3, we mean it.
Tweet media one
7
145
467
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
6 years
I was going to announce a newsletter, but instead I found an XSS in the service I'm using for it, so now the sign up page is a Proof of Concept and I'm not sure this story has a moral.
9
49
459
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
8 years
Rust at the top of /r/golang and Go at the top of /r/rust. My job here is done.
Tweet media one
5
110
456
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
5 years
PSA: don't rely on GnuTLS, please. [CVE-2020-13777] Whoops, for the past 10 releases most TLS 1.0–1.2 connections could be passively decrypted and most TLS 1.3 connections intercepted. Trivially. Also, TLS 1.2–1.0 session tickets are awful.
6
285
444
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
4 years
I'm such a sucker for nice UNIX pipelines.
$ pngpaste - | zbarimg -q --raw - | pass otp append
This extracts a QR code from a screenshot in the clipboard (⌘⌃⇧4) and saves it as a TOTP 2FA entry in password-store.
$ brew install pngpaste zbar pass-otp
6
35
452
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
6 years
To prove that crypto code can be understandable, I gave my best shot at writing a readable Poly1305 implementation. It tries to explain both what it’s doing and how. (It’s also 75% faster than the current one.)
7
159
464
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
4 years
Strong disagree. As always, the problem with ProtonMail is not that they don't deliver an impossible product (secure email), but that they advertise it. It's a choice, they know it, they benefit from it, their users believe it, and they are responsible for it.
6
99
434
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
6 years
Wireguard is up there with Mosh in terms of not leaking the network semantics into the user experience: I've had a Mosh session and a Wireguard tunnel open to my home server for days from home, to plane WiFi, to Italian tethering. Other software, be more like Wireguard and Mosh.
6
96
446
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
6 years
By the way, I like dogs! I like dogs so much that sometimes I take meds and cover every inch of my skin to play with them for half an hour (and then immediately jump in the shower and accept some mild asthma for a couple days). But no one should have to at work.
2
13
414
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
8 years
Holy mother of all vulnerabilities.
13
368
441
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
6 years
Linus is arguing against the whole secure-by-default philosophy in order to break the only correct randomness interface in Linux. (The one that works like all the BSDs.) I can't, I just can't. I'm actually giving up. Go will mitigate it if it happens, but that's it.
@matthew_d_green
Matthew Green is on BlueSky
6 years
I disagree with Linus on this issue. It’s the situation where you’re sure you really *don’t need* secure random numbers that represents the special case. Put your API flag there.
Tweet media one
12
145
427
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
8 years
Ticketbleed (CVE-2016-9244): leak of up to 31 bytes of memory via TLS Session IDs, affecting most F5 BIG-IP versions
Tweet media one
9
541
427
@FiloSottile
Filippo Valsorda @filippo.abyssdomain.expert
2 years
Do you have a bunch of GPUs and passphrase bruteforcing experience? Crack the NSA’s five SHA-1 hashes at the heart of NIST's elliptic curves, solve a cryptographic mystery, and earn $8k (tripled if donated to charity)!
23
165
435