diff options
Diffstat (limited to 'TODO.md')
| -rw-r--r-- | TODO.md | 83 |
1 files changed, 83 insertions, 0 deletions
@@ -297,6 +297,89 @@ - xchacha (larger nonce) - language: https://www.orwellfoundation.com/the-orwell-foundation/orwell/essays-and-other-works/politics-and-the-english-language/ +- remove firefox crap: + <https://support.mozilla.org/en-US/questions/1292122> +- firefox privacy-preserving nonsense +- problems w/ tracking apis: + - orwellian name (does not preserve privacy) + - analogies for folks to understand correlation: clue, sudoku, wordle + - eff article (in lwn comment) talks about 3 pieces of info to + uniquely identify someone + - commenter on lwn: history shows tracking apis are additive (it + accretes) + - <https://arstechnica.com/gadgets/2024/07/google-will-not-disable-tracking-cookies-in-chrome-after-years-of-trying/> + - nonsense might be in good faith: upton sinclair "it's difficult to + get a man to understand something when his job depends on him not + understanding it"; both google and mozilla depend on advertising + - false premise about advertising being the sole or even optimal + method of supporting sites, that the onus is on users to support + a particular method, or that there are only two options. + - orwell, politics and the english language: + <https://www.orwellfoundation.com/the-orwell-foundation/orwell/essays-and-other-works/politics-and-the-english-language/> + - carl sagan, baloney detection kit: + <https://www.themarginalian.org/2014/01/03/baloney-detection-kit-carl-sagan/> + <https://en.wikipedia.org/wiki/The_Demon-Haunted_World#Baloney_detection_kit> + - good quotes and general sentiment: "creeping dark pattern" and "we + take your privacy and security... seriously": + <https://www.jwz.org/blog/2024/07/your-personal-information-is-very-important-to-us-part-two/> +- commentary on crowdstrike + - lots of ideas floating around, all with tradeoffs. no perfect + solution (engineering problem, all have tradeoffs) + - me: homogeneous systems (panama disease for bananas) + - monoculture: overspecialize and you breed in weakness + - attempt to simplify workload for IT administrators has + created a monoculture + - IT policies should be descriptive, not prescriptive + - "needs more testing", "testing can only demonstrate the presense of + bugs, not the absense of them" + combinatorial explosion can make it impossible to test all inputs + for even seemingly simple functions. example: + `u64 f(u64 n) { return 1/(rand_val-n); }` + - "beware of this code, i have only proven it correct, not tested + it" + - "testing can only demonstrate the presense of bugs, not the + absense of them" + - needs a/b boot (what android does) + <https://www.phoronix.com/news/systemd-Auto-Boot-Assessment> + problem (in comments of phoronix article): crowdstrike deliberately + bypassing + - needs verification on signed drivers: driver is signed and verified, + reads invalid config file + - should be impossible to end up in invalid state ("halting problem", + also limits the expressive power of configuration; e.g. "accidental + interpreters") + - code should execute in a trusted environment (already done with ebpf + in linux and that still causes crashes, relies on a "sufficient + smart compiler/validator") + (bpf verifier <https://lwn.net/Articles/982077/>) + - phased deploys (e.g., like chrome. relies on sysadmins to set this + up properly) + - <https://arstechnica.com/information-technology/2024/07/crowdstrike-blames-testing-bugs-for-security-update-that-took-down-8-5m-windows-pcs/> + (preliminary post-incident report. not doing staggered rollouts, + only doing partial testing) + - summary of problems: <https://arstechnica.com/information-technology/2024/07/crowdstrike-blames-testing-bugs-for-security-update-that-took-down-8-5m-windows-pcs/?comments=1&post=43014397> + - crowdstrike tos: <https://arstechnica.com/information-technology/2024/07/crowdstrike-blames-testing-bugs-for-security-update-that-took-down-8-5m-windows-pcs/?comments=1&post=43014524> + - NULL bytes caused by crash with unflushed write(): <https://www.crowdstrike.com/blog/tech-analysis-channel-file-may-contain-null-bytes/> +- "open source model" coopting language (also orwell, yeesh): + <https://lwn.net/Articles/982954/> + - humpty dumpty in through the looking glass "when i use a word + it means precisely what i intend it to mean. nothing more and + nothing less" + (license isn't open, source -- e.g., training material -- isn't open + it's not "AI", just co-opting language to mean the opposite of what + the words actually mean) +- ocsp: good riddance to bad rubbish: <https://lwn.net/Articles/982965/> +- secureboot broken: + <https://arstechnica.com/security/2024/07/secure-boot-is-completely-compromised-on-200-models-from-5-big-device-makers/> + - modern security too hard to use. + - imperial violet "have one joint and keep it well-oiled" + - comment thread on reddit about unsafe rsa/aes-cbc combo: + <https://old.reddit.com/r/programming/comments/1e4ugqm/public_key_cryptography_to_share_secrets_easily/> + - log of goochat w/ alonzo on 2024-07-26 with summary of this stuff + - busted full disk encryption implementations + - cryptopals introduction (most crypto fatally broken) + - etc + - lots of older stuff is "knives up in dishwasher" ## linkdump (2022-08-10): - css bg fade: |