I've never (within otherwise normal times) been more stressed out and miserable than during periods when I've tried to interact systematically with and through Twitter.
The error is thinking that Twitter is a place for discourse.
It's a place where you go see what celebrities (of any field, programming counts) are promoting and maybe follow a few interesting people who use Twitter as a medium for their writing for some reason.
It's not a place where you can change anyone's opinion and if you think that you'll have a bad time.
I agree. And yet many people in positions of power look at twitter as a kind of real-time polling tool. They look at twitter reactions and think they know what people in general are feeling and doing. Then they make real decisions based on this false belief. And they do this because they are starved for information of this kind, and even though it's terrible, twitter is the only signal they have.
This desire to shape public discourse, and the decisions of the powerful, are the real stakes that drive twitter gladiators. You're right though, it's not discourse - it's "zealous advocacy" as interpreted by a peurile and distracted public.
Sure. That's not really my issue though. I got a few thousand followers, in batches, after random press coverage through the years, but never had much of anything I wanted to share. Trying to communicate anything, to build further following, was stressful, unfruitful and ultimately meaningless.
I’ve been meaning to translate the WebGL version embedded there, but never got that far. The downloadable versions (linked under the video) for Windows and Mac both have subtitles of the audio log, as well as the UI. And both have more correct lighting than the video clip that’s embedded on the page.
Be aware: You don't properly mourn the death of the first parent to die until the other one does as well.
My father died less than a year after my mother did, and it was far worse even though I was arguably closer to her.
I know this is not a particularly good time to be warning you about this but I wish somebody'd warned me and I probably won't get another reminder to do so. So, um, sorry, but I hope I'm right that it was worth saying.
I lost my mom when I was younger. I have started realizing the point you are making more as time has passed and try a bit harder to keep things happy for my dad. It was good to hear your advice.
You have my condolences. Losing a parent must be devastating. My grandmother passed away last weekend so I am making sure that my mother feels special today. The way my mother cared for her own mom in her final days taught me a lot about what it means to be a truly good person.
Heartfelt condolences. I lost my mother 5 years ago; my father 27 years ago. The worst pain is now with the firsts
(first Mother's Day without her, first birthday without her, first child, etc) so please hang in there.
Thank you. I'm very sorry to hear that your mother passed so early. Missing someone, even after many years, is a testimony to the strong bond you shared. The loving memory lives on.
Thank you, although I feel much more sorry for her loss, than I do for mine. Cancer stole her life at a time when everything was supposed to be getting better. A brutal reminder for everyone around her to make the most of their time. And to appreciate loved ones while they're there.
Not entirely sure what you mean by that. But I realised some time ago how lucky, and extremely privileged, I was to grow up with the unconditional support my mother gave me.
And I wasn't the only one to get her support. She was a social worker who dealt with the very heaviest of drug users. She worked tirelessly to help them get a grip on their lives, and often spent her spare time following up on their troubles.
She, and others like her, contribute actual good to this world. I, with all of my inhibitive worries and hollow ambitions, admire them infinitely for that.
What a remarkable example of the principle of charity you've given us with this comment. You could have reacted to that as a troll, but instead responded with something beautiful. I admire that very much.
My condolences. A week is nothing after so deep a loss, so I hope you're ok.
Thanks for publishing. FWIW I tried your tools, and it said my server Nginx HTTPS was vulnerable, but I couldn't get any keys out of it. I created a 180MB dump file, and then scanned it, and it finished without finding keys (and I repeated this again)
This also failed, and it actually said my server was likely not vulnerable?
I compiled my own Nginx, (but not my own SSL, that came from Debian 7.0 Wheezy)
Linux ... 3.9.3-x86_64-linode33 #1 SMP Mon May 20 10:22:57 EDT 2013 x86_64 GNU/Linux
OpenSSL 1.0.1e 11 Feb 2013
I just upgraded the Debian libssl1.0.0 package, and now your code says I am safe. I see there is the len(all_data) > 24 check.
Should compiling my own Nginx have any effect on whether the exploit works? I would think not, but 2 different exploits failed (although maybe I didn't run it long enough).
FWIW it was Nginx 1.0.12.
EDIT: FWIW, now that I read Cloudflare's results, they think the Nginx server is only vulnerable shortly after being restarted. My server was running for months, which may have explained why it wasn't vulnerable. Oh well.
No, the primes (and thus key) can be retrieved at any time, but it may be more frequently found right after reboot.
I would recommend you to gather at least a gigabyte before digging for the key - preferably more. I dumped 43 GB from CloudFlare on Sunday, and found the prime 194 times in that dump. It can be found in much less time, however. Here's a test I just did against the CloudFlare server, resulting in the full prime 34 times in 60 seconds: https://twitter.com/einaros/status/456136820913238016
The code from the second posted you noted (https://news.ycombinator.com/item?id=7577659) isn't mine. That one builds off of the original Python PoC, which fails for a lot of configurations.
The Github code is the first publication I've done. Let me know if you see a server that's vulnerable, that the Github code fails to detect.
Doing realtime prime detection is trivial in mine as well. Either pipe the outfile or add to the lib. I didn't write the dump tool with keys as primary target; they just happened to be there.
Sorry, my comment may have come across as an unnecessary criticism of your technique rather than how I intended it - as mentioning a shortcoming of my program in not saving all data received, and that you may be able to get some interesting results from your dump by searching for other key data and in different formats.
On other hand - you could try using my tool, and keep it running up until it'll find the key. It doesn't collect any dumps and does all processing in a real time.
I didn't actually write mine to collect primes :) I'm working with data dumped from other network devices, and for the most running various Yara rules during and after collection.
Could you shed some light on how this research was conducted? From reading the OpenSSL source and docs it seems pretty clear that the RSA struct will be on the heap somewhere.
While an absolute necessity, it doesn't solve the immediate issue of NSLs and widespread use of unnecessary services.
Let's say that the NSA would like to track bitcoin transactions through MtGox. I don't know how easy it would be for them to plug a backdoor into a server in Japan, and let's assume that the NSA can't break the RC4 crypto their web server is configured to use ..
Since MtGox uses Google Analytics, and possibly pull other scripts from Google's CDN, they could either eavesdrop on whatever data comes back from them by default -- or insist that changes are made to ... pick up more.
Yes, absolutely, there are more hurdles. As an extension of this pinning work, Trevor has also been working on a proposal for 3rd party includes that would allow you to specify a hashsum in the include line, as well as a proposal that would fix cookie scoping in backwards compatible way.
That would pretty much cover the use of CDNs that have proper versioning schemes.
Analytics, however, will remain something I'm not overly fond of. For many sites it's unnecessary. For others it's something they could nearly just as easily license and deploy to their own servers. Pulling scripts in from Google Analytics, Statcounter and others -- and especially into privacy concerned apps -- is downright irresponsible.
As I noted here: https://2x.io/read/would-the-nsa-infiltrate-cdns-to-circumve..., even Norway's tax returns site (which hosts info I'd rather not have in any foreign company's hands) use external analytic scripts. They and 90% of the rest of the internet.
No wonder the NSA claim they can circumvent most HTTPS encryption.
Where did you read that it's mail traffic they were after? I'm beginning to strongly believe that it's Google's other services are considered for use in specific attacks.
Imagine if some foreign service, that is outside of an NSL's reach, has communication that the NSA wants to snoop on. If they can't break the crypto, but that service happens to load jQuery off of Google's CDN, or use Google Analytics, the NSA could pull a MITM attack and manipulate the content of the requested scripts.
Those scripts could rather easily act as proxies for the NSA or others, and either hijack sessions or pull data straight out of the protected services.
