Closure Thoughts Hoisted to Posts

Roll your own crypto, then smoke it.

The July 31st, 2021 episode of the Security, Cryptography, Whatever podcast was the great “roll your own crypto” debate between Thomas Ptacek and Filippo Valsorda, moderated by Deirdre Connolly, with additional commentary provided by me. Loosely, Filippo was arguing that the mantra of “don’t roll your own crypto” has been ineffective and mostly serves as a form of gatekeeping in which the people the phrase is targeted at don’t listen to it anyway.

Trunk-Based Development with Git

This introduces people familiar with Git to trunk-based development, and vice-versa. I wrote it for work in reference to Github, but it applies to any Git web UI that supports pull requests. I’ve been told it’s a useful reference, so I’m posting a lightly-edited version publicly. tl;dr: One idea is one commit. Implement trunk-based development using the standard Github branch and PR-based development process, defaulting to squash commits. Rebase onto main to resolve merge conflicts.

Why is there no order queue for game consoles?

The preorders for the latest generation of game consoles (PS5, Xbox Series X/S) were snapped up, and the restocks are flying off the shelves in minutes. Sony and Microsoft say that they’re ramping up production, but to expect supply shortages through June of 2021. Consoles are snapped up within seconds after online restocks. Why aren’t Sony and Microsoft making this easier for consumers by introducing an order queue?

Write Simple

Paul Graham recently posted Write Simply. I respect Paul Graham as a founder and an investor. His essays on startups are insightful, but I always felt like something was a little bit off. It turns out that this is because he presents opinions as facts, then disguises this with his writing style. His more recent essays have also strayed away from his original technical and startup-focused writing, and are much less compelling.

UDP in Go

Go uses the net.Conn interface to abstract different types of network connections. A net.Conn has both Read and Write methods, and is usable as an io.Reader and an io.Writer. Some common implementations of net.Conn are net.TCPConn, which uses TCP to provide reliable streams, and tls.Conn, which wraps an existing net.Conn and uses TLS to provide secure streams. A net.Conn object is usually created with a Dialer object, or with the net.

College Football, COVID, and Institutional Failure

The Big Ten has a bit of a situation on their hands. The Big Ten cancelled the Fall 2020 college football season, and expected to be praised as leaders and legends. Instead, many coaches, players, and athletic directors were upset. Some fans were angry, yet many others had realized months ago that it simply did not make sense to try to play football during an uncontrolled pandemic, especially without access to rapid testing.

Reasons to Go to Grad School

Last December, I defended my PhD at the University of Michigan. At the time, I’d been in grad school for four and a half years, and I’d been working with my research group for another year before that. I also went to Michigan for undergrad, so I’ve been living in Ann Arbor for nearly nine years. Why did I do this? Before I go on, I want to say a few things up front.

Academic Security Conferences

In my experience, a lot of the non-academics in the security research community aren’t nearly as familiar with which academic conferences are notable, so here they are. These conferences are not structured like many “industry” conferences. Instead, these conferences consist of presentations of peer-reviewed academic papers that were submitted to and peer-reviewed by the conference’s publication committee (PC).

Security Conferences

This is a rundown of the “big four” top-tier academic conferences in computer security.

On Branded Vulnerabilities

An article has been going around the Internet recently, arguing that branded vulnerabilities are no longer helping application security and have instead become an instance of the “boy who cried wolf” phenomenon. The Badlock bug is a textbook example of over-hyping vulnerabilities for marketing purposes rather than for promoting good security hygiene. The disclosing team’s dubious motivations have been written about extensively over the last several weeks, and “thought leaders” are currently mocking the badlock hashtag on Twitter, including a full-blown parody bug called Sadlock.