Daemonic Dispatches: Looking back at 100 blog posts

  • Mocky · 2 months ago
    Your cryptography posts are the ones I enjoy reading most.
  • G McManus · 2 months ago
    I would be interested in your views on Tahoe-LAFS and the backup service built on it, Allmydata. How does it compare with Tarsnap, especially in terms of security?
  • gperciva · 2 months ago
    Cats. You should write about cats. All blogs are better with cat stories. Plus photos.
  • royce · 2 months ago
    Posts about your personal workflow methods would be educational - email handling, task management, and perhaps even motivation.

    Either you have directed your analytical skills towards developing these methods ... or such posts would provide an opportunity to do so.
  • gperciva · 2 months ago
    I like this idea! I'm not so interested in tarsnap workflow (since it's still in the "public beta" phase, new website, etc). But I'm quite interested in the FreeBSD security workflow.

    How much time do you spend on public/private email, how much time do you spend managing the security team (if at all -- and by "managing", I include both mentoring new members (if you do this at all) and assigning/discussing tasks)... and how much time do you spend actually looking at code?

    I find that in LilyPond, actually working on the docs or build system is almost a relief; about 70% of my time is spent on emails and management. I'm wondering if that's something specific to documentation / website / releases (since the first two are much more "front-line" issues that are highly visible to users), or a general curse facing high-ranked members of open-source projects.
  • Jerome · 2 months ago
    Is Tarsnap still in Private Beta? I have never read about it until today. Nothing is said about this company at BackupReview.info

    Dear writer (your name is not mentioned), please give us more details about your company.

    Thanks.
  • cperciva · 2 months ago
    Tarsnap moved into public beta in November 2008: http://www.daemonology.net/blog/2008-11-10-tars...

    Details about tarsnap are available on the tarsnap website -- if you want to know more, feel free to send me an email.
  • Francis · 2 months ago
    Whatever it was you found with PayPal ;-)

    Seriously though, I find your posts about how things work amazing. From the security problems of Amazon to how you implemented protection from archive libraries in tarsnap.
  • Alf · 2 months ago
    I really enjoy your posts on security.
  • Nate · 2 months ago
    Colin,

    I think you misunderstand the comments I've made about not encouraging developers to implement crypto themselves. You say:

    ###
    There are some people who argue that the dangers posed by novices meddling in cryptography are so great that we should avoid anything which might lead them into such attempts -- that we should instead wrap the field in mystique and teach people only that they should use pre-existing libraries.
    ###

    That is an example of the false dilemma fallacy. There is another alternative. Teaching people the way cryptosystems can fail gives an idea of the magnitude of difficulty in getting it right. I think your post on the AWS signature v1 flaw is an excellent example of this. I'm sure more than a few developers read it and got a sinking feeling that they have made a similar mistake.

    On the other hand, I thought your post on a few simple rules to do crypto right could give people a false sense of confidence if it didn't include disclaimers.

    I think we both advocate educating without misleading. Your posts are overall quite educational, and I hope the next hundred are just as good.
  • cperciva · 2 months ago
    Nate,

    I wasn't just thinking about you when I made that remark -- compared to some other people I've encountered, you're quite moderate in the world of crypto-is-scary-don't-go-anywhere-near-it.

    In the end it comes down to weighing dangers. Yes, there is a possibility that my 'cryptographic right answers' post will give someone an unwarranted sense of confidence -- but there's also a possibility that it will lead someone to realize that they shouldn't be using Blowfish for encryption; that they shouldn't use MD5 as a key derivation function; that they shouldn't use SHA256(key || data) as a MAC function; et cetera. You can't teach someone to paint by showing them examples of bad painting -- at some point it's necessary to give people good examples, too.

    Thanks for stopping by.
  • nine · 1 month ago
    Google Reader (and other web-based RSS readers) only fetch your feed once for multiple readers. Google Reader puts the number of subscribers in its UA field (you have about 750 there), others might as well. You probably have even more RSS subscribers than you thought!
  • cperciva · 1 month ago
    I was counting the "(X subscribers)" UA strings when I added up my RSS feed subscribers.
  • joachimschipper · 3 weeks ago
    I most enjoy your technical posts - cryptography, security, design of an online backup service, that sort of thing. I'd like to see a good mix, but I'm not really interested in your work habits or somesuch.
  • tigerthink · 3 weeks ago
    "I made it secure because I don't want to be responsible for someone losing their data"

    I haven't signed up for your service (and probably won't, because I'm a bum), but looking over your website, one thing that struck me was the bit about deleting a user's data if they run out of funds and don't deposit more within a week or whenever. What if someone's hitchhiking across South America when their funds run out? Also, recovering data "lost" this way could be a good way to make money: You ran out of funds, but we'll give your data back for the right price.
  • cperciva · 3 weeks ago
    If you're going to be incommunicado for more than a week, I recommend adding more money to your Tarsnap account before you leave.

    I can't recover data after the 7 day timeout has expired, for two reasons: 1. I don't want to keep paying for the storage space; 2. I don't want to get into the extortion business.
  • yoshamano · 3 weeks ago
    I like to call myself a "tech monkey" (in the same vein as a grease monkey), and most of my work is maintaining Windows boxes for small businesses and home customers. I use FreeBSD when the need arises for a small server to handle simple tasks like Samba, email server for a "not so smart" office multi-function copier, etc. I also like playing with FreeBSD as a desktop.

    With that in mind I'd like to see what you think would be some best security practices for configuring a FreeBSD computer (be it server or desktop).

    I'm not afraid to admit that a good chunk of your posts' subject matter flies over my head, but I enjoy reading them all the same. Even if I don't totally understand the subject matter, I do manage to wrap my head around some of it. Your writing style, as you mentioned above, does feel very natural, and it is a joy to read.

    Keep up the good posts.
  • Hussain · 3 weeks ago
    I enjoy your technical posts as well as how tarsnap is doing. Additionally, as others have mentioned - your workflow - as the CSO of FreeBSD. Anyway, this is one of my must-read blogs.