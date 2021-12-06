Security Leftovers Security Self-Sufficiency – Purism Many people take Carnegie’s advice to heart when it comes to security. They anchor almost all of their security with a single vendor, and the vendor is more than happy to oblige. Most infosec vendors seem incapable of designing security architectures that don’t put their products at the root of all trust. “Just give us your keys,” they say, “and we’ll take care of the rest.” It’s not just that this is the easiest architecture to design, it’s also to the vendor’s benefit if their customers are fully dependent on them. When you outsource all security decisions and trust, both the individual consumer and the enterprise are incapable of protecting themselves in the face of threats. When inevitably there’s a hole in the vendor’s basket and eggs start to break, the customer discovers just how powerless they are to do anything about it. Often they even find it challenging to get information about the size of the hole and whether their eggs are affected. We live in an increasingly interconnected and interdependent society. Many people have realized over the past few years just how dependent they have been on outsourced infrastructure and supplies, and how unnerving it can be when those things are disrupted. In response, a number of people have changed their focus toward more self-sufficiency.

Implementing a toy version of TLS 1.3 Recently I’ve been thinking about how I find it fun to learn computer networking by implementing working versions of real network protocols. And it made me wonder – I’ve implemented toy versions of traceroute, TCP and DNS. What about TLS? Could I implement a toy version of that to learn more about how it works? I asked on Twitter if this would be hard, got some encouragement and pointers for where to start, so I decided to go for it. This was really fun and I learned a little more about how involved real cryptography is – thanks to cryptopals, I already 100% believed that I should not invent my own crypto implementations, and seeing how the crypto in TLS 1.3 works gave me even more of an appreciation for why I shouldn’t :) As a warning: I am really not a cryptography person, I will probably say some incorrect things about cryptography in this post and I absolutely do not know the history of past TLS vulnerabilities that informed TLS 1.3’s design. All of that said, let’s go implement some cryptography! All of my hacky code is on github. I decided to use Go because I heard that Go has good crypto libraries.

Some developers are fouling up open-source software [Ed: This is a malware issue, it's shipped by Microsoft, but SJVN carries on misattributing the issue] For example, JavaScript's package manager maintainer RIAEvangelist, Brandon Nozaki Miller, wrote and published an open-code npm source-code package called peacenotwar. It did little but print a message for peace to desktops. So far, so harmless. Miller then inserted malicious code into the package to overwrite users' filesystems if their computer had a Russia or Belarus IP address. He then added it as a dependency to his popular node-ipc program and instant chaos! Numerous servers and PCs went down as they updated to the newest code and then their systems had their drives erased.