Service offering
-
Service offering:
For a flat rate, I will take a quick glance at your code and tell you how fucked it is, and how much you should budget for a deeper code review from a professional team of security consultants.
I keep doing this for free, and it's starting to be exhausting.
-
Soatok Dreamseeker replied to Soatok Dreamseeker:
What can be found in a few minutes of lazily glancing at code?
https://soatok.blog/2024/08/14/security-issues-in-matrixs-olm-library/
-
Soatok Dreamseeker replied to Soatok Dreamseeker:
(I'm shitposting, in case it wasn't obvious. If I was serious, I would've included an actual rate.)
-
Risotto Voted replied to Soatok Dreamseeker:
@soatok if Age were vulnerable to cache timing...
heck this is a /file/ tool, not an over the wire tool,
how does timing play into it?
it isn't computing the hash of some password...
-
Soatok Dreamseeker replied to Risotto Voted:
@risottobias Imagine you build a Dropbox-like service atop ezcrypt, and I compromise your service.
All I need to do is push a new ciphertext, study how long it takes to fail, and repeat like 228 times to recover your AES key.
-
Risotto Voted replied to Soatok Dreamseeker:
@soatok damn you have high standards.
the industry's still trying to enable MFA on maintenance panels and add HTTPS to things.
-
Risotto Voted replied to Soatok Dreamseeker:
@soatok you'd think they would have used or ported a stdlib's constant time library...
-
@risottobias @soatok High standards are the correct standards to have for rolling your own crypto.
As the saying goes, "don't."
-
oh 100%.
however, working in security, I have my priorities.
RCE, SQLi, XSS, MFA, and crackability at rest,
long before I'd care about a timing attack
if it's a technically correct AES implementation, it's better than most fed contract work evidently