Closure Thoughts Hoisted to Posts

Lack of post-quantum security is not plaintext.

HTTPS adoption in 2024 is around 95-98%, as measured by page loads in Chrome (it would be better if it were 100%!). These days, a plaintext HTTP site is a rarity, enough that many users of Chrome’s “Always Use Secure Connections” mode, which presents a full-page interstitial warning the user before accessing an HTTP page, see an average of zero warnings per week. But it didn’t always use to be this way!

Money for nothing, commits for free

In late March 2024, the open source community discovered a backdoor in XZ Utils, a suite of tools that use the xz compression algorithm. The xz backdoor was embedded inside liblzma, and took effect when liblzma was used in OpenSSH, a common remote-login tool. You can read about this extensively in many other places. Since then, many people have leveraged the xz backdoor to highlight their favorite systemic issue in open source.

Stop trying to make CTO happen.

Inspired by some discussion on Hacker News about whether it was a bad career move to switch from “CTO” to “developer”, I want to talk about CTOs. Specifically, CTO is not a real job and you should likely not aspire to be one, especially if you view yourself as primarily someone who sticks to engineering career ladders, either as a manager or as an individual contributor. TLDR: Don’t trust anyone who’s a “CTO” that’s not a technical cofounder.

Post-quantum cryptography is too damn big.

Large-scale quantum computers are capable of breaking all of the common forms of asymmetric cryptography used on the Internet today. Luckily, they don’t exist yet. The Internet-wide transition to post-quantum cryptography began in 2022 when NIST announced their final candidates for key exchange and signatures in the NIST PQC competition. There is plenty written about the various algorithms and standardization processes that are underway. The conventional wisdom is that it will take a long time to transition to post-quantum cryptography, so we need to start standardizing and deploying things now, even though quantum computers are not actually visible on the horizon.


This evening, it was announced that Jim Harbaugh was leaving his job as head coach of Michigan football to become the head coach of the Los Angeles Chargers in the NFL. Destiny is calling him, and it’s wearing a Super Bowl ring. It seems silly to cry about a head coach leaving a college football team, but I did. I cried even though I fully expected this to happen (although I had been predicting Harbaugh to the Bears, who ended up mysteriously firing everyone except their head coach).

Certificates, Explained

This post is about HTTPS (X.509) certificates used on the web. It has two parts:

1. Certificates explained without cryptography
2. Certificates explained with cryptography

The explanation with cryptography depends on the explanation without cryptography, so you’ll want to either read both, or only read Part 1.

Certificates and certification authorities, explained without cryptography

Websites use certificates to prove that they’re the “real” website, and not an imposter. The certificate is used to bootstrap a secure connection between the browser and website that cannot be read, modified, MITM’d, or intercepted by an attacker, who could otherwise read and exfiltrate data sent between the user and the website, such as passwords, messages, and financial or health information.

Against Weak Key Checking

Certification authorities (CAs) are the entities responsible for validating domain control and issuing the certificates used for HTTPS. The Baseline Requirements (BRs) are technical and policy requirements that govern CA behavior; compliance with the BRs is “verified” by external auditors. Root programs are run by certificate consumers that maintain root stores, such as Mozilla, Apple, Microsoft, and Chrome. Root programs require compliance with the BRs. The BRs are maintained by the CA/Browser Forum (CABF).

Tech Layoffs Oversimplified

It’s early 2023. All the big tech companies have done at least one round of layoffs. Many midsize tech companies have as well. The rationale for layoffs at smaller startups that aren’t yet revenue positive is simple: cut costs and try to get to profitability faster. But why are big tech companies that make billions of dollars every quarter also laying people off?

- Revenue for big tech companies increased drastically during COVID
- Costs (dominated by headcount) grew to match, but on an imperfect time delay

Impact of COVID on revenue and hiring

COVID roughly started in March 2020, but the tech hiring boom didn’t really start until late 2020 or early 2021, some time after revenue growth started exploding due to everyone being stuck at home coupled with the zero interest rates.

Denormalized Schema Design with X.509

Designing schemas for large-scale data analysis for OLAP (e.g. BigQuery, Snowflake, Avro, JSON Lines, etc.) is different from designing data structures in code or schemas for relational databases. This post focuses on advice for creating schemas for large-scale data analysis. I use X.509 certificates as a concrete example of a dataset in need of a schema because I’ve worked with them a lot in the last 10 years or so. When describing schemas, I represent types in protobuf format, since it’s a universal type language.

Paper Napkin Math for Evaluating Startup Opportunities

The market is in a “downturn”, and this is percolating into the venture-backed startup ecosystem. The broad consensus is that the top end of startup valuations is coming back to reality. But what does this mean? What makes a valuation out of this world? And how does this affect employees? Startup valuations are determined by the amount of money a company raises in exchange for a percentage of ownership. Usually, this is a 20% stake, meaning that a company that raises a $15M Series A is usually valued at $15M / 0.

Tech Debt? I don't believe it exists.

Rodents of Unusual Size? I don't believe they exist. There’s endless discourse around tech debt. Kellan has some really good categorizations of different types, Will Larson has a great explainer of organization debt in his book, and I also like the idea of product debt. Throughout my career, I’ve been an engineer complaining about tech debt, a manager prioritizing (and deprioritizing) addressing tech debt, and a product manager, where I assume I primarily inspire the creation of new tech debt.

Roll your own crypto, then smoke it.

The July 31st, 2021 episode of the Security, Cryptography, Whatever podcast was the great “roll your own crypto” debate between Thomas Ptacek and Filippo Valsorda, moderated by Deirdre Connolly, with additional commentary provided by me. Loosely, Filippo was arguing that the mantra of “don’t roll your own crypto” has been ineffective and mostly serves as a form of gatekeeping in which the people the phrase is targeted at don’t listen to it anyway.

Trunk-Based Development with Git

This introduces people familiar with Git to trunk-based development, and vice versa. I wrote it for work in reference to GitHub, but it applies to any Git web UI that supports pull requests. I’ve been told it’s a useful reference, so I’m posting a lightly-edited version publicly. tl;dr: One idea is one commit. Implement trunk-based development using the standard GitHub branch and PR-based development process, defaulting to squash commits. Rebase onto main to resolve merge conflicts.

Why is there no order queue for game consoles?

The preorders for the latest generation of game consoles (PS5, Xbox Series X/S) were snapped up, and the restocks are flying off the shelves in minutes. Sony and Microsoft say that they’re ramping up production, but that we should expect supply shortages through June of 2021. Consoles are snapped up within seconds after online restocks. Why aren’t Sony and Microsoft making this easier for consumers by introducing an order queue?

Write Simple

Paul Graham recently posted Write Simply. I respect Paul Graham as a founder and an investor. His essays on startups are insightful, but I always felt like something was a little bit off. It turns out that this is because he presents opinions as facts, then disguises this with his writing style. His more recent essays have also strayed away from his original technical and startup-focused writing, and are much less compelling.

UDP in Go

Go uses the net.Conn interface to abstract different types of network connections. A net.Conn has both Read and Write methods, and is usable as an io.Reader and an io.Writer. Some common implementations of net.Conn are net.TCPConn, which uses TCP to provide reliable streams, and tls.Conn, which wraps an existing net.Conn and uses TLS to provide secure streams. A net.Conn object is usually created with a Dialer object, or with the net.

College Football, COVID, and Institutional Failure

The Big Ten has a bit of a situation on their hands. The Big Ten cancelled the Fall 2020 college football season, and expected to be praised as leaders and legends. Instead, many coaches, players, and athletic directors were upset. Some fans were angry, yet many others had realized months ago that it simply did not make sense to try to play football during an uncontrolled pandemic, especially without access to rapid testing.

Reasons to Go to Grad School

Last December, I defended my PhD at the University of Michigan. At the time, I’d been in grad school for four and a half years, and I’d been working with my research group for another year before that. I also went to Michigan for undergrad, so I’ve been living in Ann Arbor for nearly nine years. Why did I do this? Before I go on, I want to say a few things up front.

Academic Security Conferences

In my experience, a lot of the non-academics in the security research community aren’t nearly as familiar with which academic conferences are notable, so here they are. These conferences are not structured like many “industry” conferences. Instead, these conferences consist of presentations of peer-reviewed academic papers that were submitted to and peer-reviewed by the conference’s publication committee (PC).

Security Conferences

This is a rundown of the “big four” top-tier academic conferences in computer security.

On Branded Vulnerabilities

An article has been going around the Internet recently, arguing that branded vulnerabilities are no longer helping application security and have instead become an instance of the “boy who cried wolf” phenomenon. The Badlock bug is a textbook example of over-hyping vulnerabilities for marketing purposes rather than for promoting good security hygiene. The disclosing team’s dubious motivations have been written about extensively over the last several weeks, and “thought leaders” are currently mocking the badlock hashtag on Twitter, including a full-blown parody bug called Sadlock.