ragona (u/ragona) - Readit News

ragona commented on Signal Protocol and Post-Quantum Ratchets signal.org/blog/spqr/... · Posted by u/pluto_modadic

tptacek · 3 months ago

Part of the premise of FS/PCS is that "shit happens" to compromise keys even if the underlying cryptography is strong, so if you want a coherent end-to-end FS/PCS story, the claim would be that you need to be ratcheting everywhere.

ragona · 3 months ago

Definitely, but when we're running around sprinkling PQ algorithms all over the place, it's on top of the asymmetric bits, not replacing the "boring" stuff like your symmetrically encrypted backups. Shit certainly does happen, especially where key management is involved, but I'm not sure I agree that offering an encrypted backup feature is necessarily undoing the FS/PCS story.

edit: Well, let me argue with myself for a moment. I don't think offering an encrypted backup feature undoes the PQ story. But FS/PCS is weakened, sure, since we're talking about all types of shit happening, not just currently known (or strongly theorized) attacks.

ragona commented on Signal Protocol and Post-Quantum Ratchets signal.org/blog/spqr/... · Posted by u/pluto_modadic

elvisloops · 3 months ago

If the app takes your disappearing message, encrypts it with a static key that never changes and is never deleted, and uploads it to the cloud, then the message is never truly "disappearing." A "post compromise" event will allow the attacker to decrypt that ciphertext at any point in the future. All of this ratcheting is undone by backups.

ragona · 3 months ago

> encrypts it with a static key

What type of static key? If it's just a big symmetric key that isn't derived from an asymmetric handshake of some type then no, that's not our current understanding of the PQ threat model.

ragona commented on Signal Protocol and Post-Quantum Ratchets signal.org/blog/spqr/... · Posted by u/pluto_modadic

elvisloops · 3 months ago

I think this used to be true. Now one problem is that a Signal message goes through this whole forward secrecy protocol, but the receiving device has some probability of uploading it to the cloud with a static key that never changes.

You don't have to enable the Signal backups feature, but you have no way of knowing whether the recipient of your messages has. One person in a group chat with that enabled will undo all of the forward secrecy you're describing.

ragona · 3 months ago

I don't think that's quite right. PQ attacks focus on the "trapdoor" functions in asymmetric cryptography, _not_ the symmetric encryption that happens after key negotiation. The current concern is that a future attacker could unwrap the symmetric key, not directly attack the symmetric encryption that is used for something like backups.

(Note: I didn't actually dig into the backup implementation, but my guess is that it's more of a KDF -> symmetric design, rather than the sorts of asymmetric negotiation you'd find in multi-party messaging.)

ragona commented on OpenAI – vulnerability responsible disclosure requilence.any.org/open-a... · Posted by u/requilence

diggan · 5 months ago

> If you have found a security vulnerability, we encourage you to report it via our bug bounty program

It seems like reporting bugs/issues via that program forces you to sign a permanent NDA preventing disclosures after the reported issue been fixed. I'm guessing the author of this disclosure isn't the only one that avoided it because of the NDA. Is that potentially something you can reconsider? Otherwise you'll probably continue to see people disclosing these things publicly and as a OpenAI user it sounds like a troublesome approach.

ragona · 5 months ago

(Note; I also work for OpenAI Security — though I’ve not worked on our bounty program for some time. These just my thoughts and experiences.)

I believe the author was referring to the standard BugCrowd terms, which as far as I know are themselves fairly common across the various platforms. In my experience we are happy for researchers to publish their work within the normal guidelines you’d expect from a bounty program — it’s something I’ve worked with researchers on without incident.

ragona commented on Global biggest industries by revenue in 2024 ibisworld.com/global/indu... · Posted by u/kaycebasques

adverbly · 2 years ago

This is clearly wrong. 1 quadrillion for wireless? That's 125k per year per person... That's over 10 times more than global gdp.

ragona · 2 years ago

Yeah if you click into the report per industry it shows a totally different number -- $1.7T, which is obviously smaller than the ~$5T that the same site lists for oil and gas.

ragona commented on Show HN: Faster LLM evaluation with Bayesian optimization github.com/rentruewang/bo... · Posted by u/renchuw

skyde · 2 years ago

what do they mean by "evaluating the model on corpus." and "Evalutes the corpus on the model".

I know what a LLM is and I know very well what is Bayesian Optimization. But I don't understand what this library is trying to do.

I am guessing it's tryng to test the model's ability to generate correct and relevant responses to a given input.

But who is the judge ?

ragona · 2 years ago

The "eval" phase is done after a model is trained to assess its performance on whatever tasks you wanted it to do. I think this is basically saying, "don't evaluate on the entire corpus, find a smart subset."

ragona commented on Open-interpreter: OpenAI's Code Interpreter in your terminal, running locally github.com/KillianLucas/o... · Posted by u/transpute

haolez · 2 years ago

What's so useful about Code Interpreter? I'm getting a lot of value from normal Chat questions and DALL-E. I'm also using the chat interface to generate code sometimes. But I don't see much point in the chat bot itself running the code for me without my environment, credentials, data, etc.

Am I missing an interesting use case here?

ragona · 2 years ago

It’s handy for uploading a dataset and having it play with it.

ragona commented on When your coworker does great work, tell their manager (2020) jvns.ca/blog/2020/07/14/w... · Posted by u/vikrum

tines · 2 years ago

It's not about phrasing, it's about being genuine and also choosing to have a certain perspective which builds the other person up. There's nothing to see through.

ragona · 2 years ago

> it's about being genuine

I think this is an incredibly important lesson. Don't lie, _actually_ find something good to say. It's a goddamned super power, and it's also very good for your own mental health.

ragona commented on Code Is Not Literature (2014) gigamonkeys.com/code-read... · Posted by u/fanf2

anononaut · 2 years ago

Complexity and quality can be completely orthogonal. When they aren't, complexity and quality of code are proportional, which is a smell. Readability is often cited in lists of what makes good code, and rightfully so, but it isn't the most important thing. The most important thing is the ETC principle; that the code is easy to change.

You bring up a good point about something that needs to be added NOW, which is a project management/business/cultural concern and something that needs to be addressed. Compromising code quality for speed is a classical trade of and is probably the reason most professional developers on HN hate their projects.

Funny you bring up that example! I do work at a FinTech org and my 2020 was spent working on a trading platform frontend. (Hell of a year...)

ragona · 2 years ago

I agree that complexity and quality can be unrelated. I think that quality is often misinterpreted as beauty, or brevity, or cleverness — and those are not the same as quality, in my opinion. Often a long function with a bunch of error and edge case handling is seen as ugly, and thus low quality, and what I’m getting at is that an ugly function can also be quite high quality.

And heh yeah it was on my mind because I just spent a few years at a FinTech too — and a lot of that code is incredibly sensitive, and must contain all kinds of “ugly” condition handling that I don’t think is really low quality, it’s just a complicated problem space that requires a ton of attention to detail. And details can be less fun to read, I think we all can get seduced by code golfing and making things prettier, which is again not the same thing as better.

(Which is I think the point of the article — readability and prose is perhaps key in literature, but not always in software.)