Loup-Vaillant wrote this on Lobste.rs in a dumb rant about my Matrix disclosure:
Personally I would actively avoid the check,
Hmm. What a weird thing to say.
Loup-Vaillant wrote a cryptography library called Monocypher, which famously had an EdDSA vulnerability mostly caused by their insistence on rolling their own custom EdDSA variant to avoid SHA512.
"I wonder how Monocypher holds up in 2026?"
Who said that? Well, anyway:
@soatok OMG. These two paragraphs are one after the other in their documentation (https://monocypher.org/manual/#CAVEATS). Do they not see how tightly linked they are??
> CAVEATS
> Monocypher does not perform any input validation. Any deviation from the specified input and output length ranges results in undefined behaviour. Make sure your inputs are correct.
>
> SECURITY CONSIDERATIONS
> Using cryptography securely is difficult. Flaws that never manifest under normal use might be exploited by a clever adversary -
@soatok making input validation (with many preconditions and requiring specific knowledge) a user's responsibility sounds like a recipe for disaster
-
@inex @soatok "Look, I only gave the user a foot-gun. Most users know how to not use the foot-gun. I mean yes, it is a gun; and yes, it is pointed automatically at their foot; and yes, it is loaded and has a hair trigger; but users should know better. I mean they are programmers, for heaven's sake, they should know about trigger discipline."
-
@rusty__shackleford @soatok Trying to determine if this is bad snark on their part or the output of an AI agent
-
@cwebber @rusty__shackleford The "spell out the acronyms used in the filenames" part does gesture suggestively towards "AI"
The heel-turn on me allegedly not contacting them without a "You're absolutely right!" tells me that, even if it is AI, they at least edited the sycophancy out of it.
-
@soatok Wait, so the entire input validation scheme is "don't call it wrong?"
That's... well, that's a choice you can make, I guess.
-
@soatok @rusty__shackleford you're absolutely right
-
@wordshaper Our Threat Model is "You must only accept secure inputs if you want secure outputs".
-
@soatok good thing this code doesn’t have to operate in an adversarial environment. Something unfortunate could happen.
-