Daemonic Dispatches - Latest Comments in Looking back at 100 blog posts

Re: Looking back at 100 blog posts

Julie — Tue, 04 May 2010 01:46:00 -0000

I agree completely. Really, just rename the blog "Cats and Cryptography."

Re: Looking back at 100 blog posts

Hussain — Thu, 03 Dec 2009 00:38:40 -0000

I enjoy your technical posts as well as how tarsnap is doing. Additionally as others have mentioned - your work flow - as the CSO of FreeBSD. Anyway this is one of my must read blogs.

Re: Looking back at 100 blog posts

yoshamano — Tue, 01 Dec 2009 22:08:34 -0000

I like to call myself a "tech monkey" (in the same vein as a grease monkey), and most of my work is maintaining Windows boxes for small businesses and home customers. I use FreeBSD when the need arises for a small server to handle simple tasks like Samba, email server for a "not so smart" office multi-function copier, etc etc. I also like playing with FreeBSD as a desktop.

With that in mind I'd like to see what you think would be some best security practices for configuring a FreeBSD computer (be it server or desktop).

I'm not afraid to admit that a good chunk of your posts' subject matter fly over my head, but I enjoy reading them all the same. Even if I don't totally understand the subject matter, I do manage to wrap my head around some of it. Your writing style, as you mentioned above, does feel very natural, and it is a joy to read.

Keep up the good posts.

Re: Looking back at 100 blog posts

cperciva — Mon, 30 Nov 2009 08:24:08 -0000

If you're going to be incommunicado for more than a week, I recommend adding more money to your Tarsnap account before you leave.

I can't recover data after the 7 day timeout has expired, for two reasons: 1. I don't want to keep paying for the storage space; 2. I don't want to get into the extortion business.

Re: Looking back at 100 blog posts

tigerthink — Mon, 30 Nov 2009 05:50:18 -0000

"I made it secure because I don't want to be responsible for someone losing their data"

I haven't signed up for your service (and probably won't, because I'm a bum), but looking over your website, one thing that struck me was the bit about deleting a user's data if they run out of funds and don't deposit more within a week or whenever. What if someone's hitchhiking across South America when their funds run out? Also, recovering data "lost" this way could be a good way to make money: You ran out of funds, but we'll give your data back for the right price.

Re: Looking back at 100 blog posts

joachimschipper — Sun, 29 Nov 2009 05:03:13 -0000

I most enjoy your technical posts - cryptography, security, design of an online backup service, that sort of thing. I'd like to see a good mix, but I'm not really interested in your work habits or somesuch.

Re: Looking back at 100 blog posts

cperciva — Sat, 07 Nov 2009 08:51:03 -0000

I was counting the "(X subscribers)" UA strings when I added up my RSS feed subscribers.

Re: Looking back at 100 blog posts

nine — Sat, 07 Nov 2009 03:20:35 -0000

Google reader (and other web based RSS readers) only fetch your feed once for multiple readers. Google reader puts the number of subscribers in its UA field (you have about 750 there), others might as well. You probably have even more RSS subscribers than you thought!

Re: Looking back at 100 blog posts

cperciva — Sat, 17 Oct 2009 03:37:04 -0000

Nate,

I wasn't just thinking about you when I made that remark -- compared to some other people I've encountered, you're quite moderate in the world of crypto-is-scary-don't-go-anywhere-near-it.

In the end it comes down to weighing dangers. Yes, there is a possibility that my 'cryptographic right answers' post will give someone an unwarranted sense of confidence -- but there's also a possibility that it will lead someone to realize that they shouldn't be using blowfish for encryption; that they shouldn't use MD5 as a key derivation function; that they shouldn't use SHA256(key || data) as an MAC function; et cetera. You can't teach someone to paint by showing them examples of bad painting -- at some point it's necessary to give people good examples, too.

Thanks for stopping by.

Re: Looking back at 100 blog posts

Nate — Sat, 17 Oct 2009 00:18:16 -0000

Colin,

I think you misunderstand the comments I've made about not encouraging developers to implement crypto themselves. You say:

###
There are some people who argue that the dangers posed by novices meddling in cryptography are so great that we should avoid anything which might lead them into such attempts -- that we should instead wrap the field in mystique and teach people only that they should use pre-existing libraries.
###

That is an example of the false dilemma fallacy. There is another alternative. Teaching people the way cryptosystems can fail gives an idea of the magnitude of difficulty in getting it right. I think your post on the AWS signature v1 flaw is an excellent example of this. I'm sure more than a few developers read it and got a sinking feeling that they have made a similar mistake.

On the other hand, I thought your post on a few simple rules to do crypto right could give people a false sense of confidence if it didn't include disclaimers.

I think we both advocate educating without misleading. Your posts are overall quite educational, and I hope the next hundred are just as good.

Re: Looking back at 100 blog posts

Alf — Fri, 16 Oct 2009 04:34:43 -0000

I really enjoy your posts on security.

Re: Looking back at 100 blog posts

Francis — Thu, 15 Oct 2009 22:38:10 -0000

Whatever it was you found with pay pal ;-)

Seriously though, I find your posts about how things work amazing. From the security problems of amazon to how you implemented protection from archive libraries in tarsnap.

Re: Looking back at 100 blog posts

gperciva — Thu, 15 Oct 2009 19:11:38 -0000

I like this idea! I'm not so interested in tarsnap workflow (since it's still in the "public beta" phase, new website, etc). But I'm quite interested in the FreeBSD security workflow.

How much time do you spend on public/private email, how much time do you spend managing the security team (if at all -- and by "managing", I include both mentoring new members (if you do this at all) and assigning/discussing tasks)... and how much time do you spend actually looking at code?

I find that in LilyPond, actually working on the docs or build system is almost a relief; about 70% of my time is spent on emails and management. I'm wondering if that's something specific to documentation / website / releases (since the first two are much more "front-line" issues that are highly visible to users), or a general curse facing high-ranked members of open-source projects.

Re: Looking back at 100 blog posts

cperciva — Thu, 15 Oct 2009 16:33:20 -0000

Tarsnap moved into public beta in November 2008: http://www.daemonology.net/...

Details about tarsnap are available on the tarsnap website -- if you want to know more, feel free to send me an email.

Re: Looking back at 100 blog posts

Jerome — Thu, 15 Oct 2009 16:27:30 -0000

Is Tarsnap still in Private Beta? I have never read about it until today. Nothing is said about this company at BackupReview.info

Dear writer (your name is not mentioned), please give us more details about your company.

Thanks.

Re: Looking back at 100 blog posts

Royce — Thu, 15 Oct 2009 16:00:29 -0000

Posts about your personal workflow methods would be educational - email handling, task management, and perhaps even motivation.

Either you have directed your analytical skills towards developing these methods ... or such posts would provide an opportunity to do so.

Re: Looking back at 100 blog posts

gperciva — Thu, 15 Oct 2009 12:57:00 -0000

Cats. You should write about cats. All blogs are better with cat stories. Plus photos.

Re: Looking back at 100 blog posts

G McManus — Thu, 15 Oct 2009 10:15:04 -0000

I would be interested in your views on Tahoe-LAFS and the backup service built on it, Allmydata. How does it compare with Tarsnap, especially in terms of security?

Re: Looking back at 100 blog posts

Mocky — Thu, 15 Oct 2009 08:37:11 -0000

Your cryptography posts are the ones I enjoy reading most.