Discussions around memory safety often focus on choice of language, and how the language can provide memory safety guarantees. Unfortunately, choosing a language is a decision made at the start of a project. Migrating an existing C or C++ project to a safer language is much harder than starting a new project in a safe language1. I’m not going to say this is impossible, or that you can’t or shouldn’t migrate existing programs to safer languages. And sometimes people just do things in ope...| David Adrian
I recently found myself being repeatedly asked for career advice. I’m not very good at this, as the best I could offer people in terms of what worked for me is basically “get overeducated, then make better decisions 10 years ago”. In the context of “cybersecurity”, one piece of advice I can give, that’s applicable to careers, leadership, and getting things done, is to understand the types of security roles and teams that exist, and which kinds of companies have them.| David Adrian
Around the time that Elden Ring came out, I had the thought that it seemed like AAA games were getting worse, especially post-pandemic. Elden Ring was both open-world and loudly heralded as one of the best games in years; however it seemed like, in general, there were more and more open-world games and more games in large franchises (rather than new IP). Unlike Elden Ring, on average, I felt like these games were not very good. My hypothesis was that the open-world “genre” was increasing ...| David Adrian
A “distrust” is when a certification authority (CA) that issues HTTPS certificates to websites is removed from a root store because it is no longer trusted to issue certificates. This means certificates issued by that CA will be treated as invalid, likely causing certificate error interstitials in any browser that distrusted the CA. Distrusts can happen for security reasons, compliance reasons, or simply due to a lack of trust in the operators. In the past, the complexity and user impact ...| David Adrian
HTTPS adoption in 2024 is around 95-98%, as measured by page loads in Chrome (it would be better if it was 100%!). These days, a plaintext HTTP site is a rarity, enough that many users of Chrome’s “Always Use Secure Connections” mode, which presents a full-page interstitial warning the user before accessing an HTTP page, see an average of zero warnings per week. But it didn’t always use to be this way!| dadrian.io
In late March 2024, the open source community discovered a backdoor in XZ Utils, a suite of tools that use the xz compression algorithm. The xz backdoor was embedded inside liblzma, and took effect when liblzma was used in OpenSSH, a common remote-login tool. You can read about this extensively in many places elsewhere. Since then, many people leveraged the xz backdoor to highlight their favorite systemic issue in open source.| dadrian.io
Inspired by some discussion on Hacker News about whether it was a bad career move to switch from “CTO” to “developer”, I want to talk about CTOs. Specifically, CTO is not a real job and you should likely not aspire to be one1, especially if you view yourself as primarily someone who sticks to engineering career ladders, either as a manager or as an individual contributor. TLDR: Don’t trust anyone who’s a “CTO” that’s not a technical cofounder.| dadrian.io
This evening, it was announced that Jim Harbaugh was leaving his job as head coach of Michigan football to become the head coach of the Los Angeles Chargers in the NFL. Destiny is calling him, and it’s wearing a Super Bowl ring. It seems silly to cry about a head coach leaving a college football team, but I did. I cried even though I fully expected this to happen (although I had been predicting Harbaugh the Bears, who ended up mysteriously firing everyone except their head coach).| dadrian.io
This post is about HTTPS (X.509) certificates used on the web1. It has two parts: (1) certificates explained without cryptography, and (2) certificates explained with cryptography. The explanation with cryptography depends on the explanation without cryptography, so you’ll want to either read both, or only read Part 1. Certificates and certification authorities, explained without cryptography: Websites use certificates to prove that they’re the “real” website2, and not an imposter. The certificate i...| dadrian.io
Certification authorities (CAs) are the entities responsible for validating domain control and issuing the certificates used for HTTPS. The Baseline Requirements (BRs) are technical and policy requirements that govern CA behavior; compliance with the BRs is “verified” by external auditors. Root programs are run by certificate consumers that maintain root stores, such as Mozilla, Apple, Microsoft, and Chrome. Root programs require compliance with the BRs. The BRs are maintain...| dadrian.io
It’s early 2023. All the big tech companies have done at least one round of layoffs1. Many midsize tech companies have as well. The rationale for layoffs at smaller startups that aren’t yet revenue positive is simple: cut costs and try to get to profitability faster. But why are big tech companies that make billions of dollars every quarter also laying people off? Revenue for big tech companies increased drastically during COVID; costs (dominated by headcount) grew to match, but on imperf...| dadrian.io
Designing schemas for large-scale data analysis for OLAP (e.g. BigQuery, Snowflake, Avro, JSON Lines, etc.) is different from designing data structures in code or schemas for relational databases. This post focuses on advice for creating schemas for large-scale data analysis. I use X.509 certificates as a concrete example of a dataset in need of a schema because I’ve worked with it a lot in the last 10 years or so. When describing schemas, I represent types in protobuf format, since it’s a ...| dadrian.io
The market is in a “downturn”, and this is percolating into the venture-backed startup ecosystem. The broad consensus is that the top end of startup valuations are coming back to reality. But what does this mean? What makes a valuation out of this world? And how does this affect employees1? Startup valuations are determined by the amount of money a company raises in exchange for a percentage of ownership. Usually2, this is a 20% stake, meaning that a company that raises a $15M Series A is...| dadrian.io
Rodents of Unusual Size? I don't believe they exist. There’s endless discourse around tech debt. Kellan has some really good categorizations of different types, Will Larson has a great explainer of organization debt in his book, and I also like the idea of product debt. Throughout my career, I’ve been an engineer complaining about tech debt, a manager prioritizing (and deprioritizing) addressing tech debt, and a product manager, where I assume I primarily inspire the creation of new tech ...| dadrian.io
The July 31st, 2021 episode of the Security, Cryptography, Whatever podcast was the great “roll your own crypto”1 debate between Thomas Ptacek and Filippo Valsorda, moderated by Deirdre Connolly, with additional commentary provided by me. Loosely, Filippo was arguing that the mantra of “don’t roll your own crypto” has been ineffective and mostly serves as a form of gatekeeping in which the people the phrase is targeted at don’t listen to it anyway.| dadrian.io
This introduces people familiar with Git to trunk-based development, and vice-versa. I wrote it for work in reference to Github, but it applies to any Git web UI that supports pull requests. I’ve been told it’s a useful reference, so I’m posting a lightly-edited version publicly. tl;dr: One idea is one commit. Implement trunk-based development using the standard Github branch and PR-based development process, defaulting to squash commits. Rebase onto main to resolve merge conflicts.| dadrian.io
The preorders for the latest generation of game consoles (PS5, Xbox Series X/S) were snapped up, and the restocks are flying off the shelves in minutes. Sony and Microsoft say that they’re ramping up production, but to expect supply shortages through June of 2021. Consoles are snapped up within seconds after online restocks. Why aren’t Sony and Microsoft making this easier for consumers by introducing an order queue?| dadrian.io
Paul Graham recently posted Write Simply. I respect Paul Graham as a founder and an investor. His essays on startups are insightful, but I always felt like something was a little bit off. It turns out that this is because he presents opinions as facts, then disguises this with his writing style. His more recent essays have also strayed away from his original technical and startup-focused writing, and are much less compelling.| dadrian.io
Go uses the net.Conn interface to abstract different types of network connections. A net.Conn has both Read and Write methods, and is usable as an io.Reader and an io.Writer. Some common implementations of net.Conn are net.TCPConn, which uses TCP to provide reliable streams, and tls.Conn, which wraps an existing net.Conn and uses TLS to provide secure streams. A net.Conn object is usually created with a Dialer object, or with the net.| dadrian.io
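The excerpt above describes the net.Conn abstraction and how tls.Conn wraps any net.Conn. The following is an added example written for this page, not code from the post or from the Go project: it implements a small buffered in-memory net.Conn (the hypothetical `memConn`/`memPair` helpers), wraps both ends in tls.Conn, and shows that the client side of the handshake refuses a server certificate that is not signed by a trusted root or that is issued for a different name. `newSelfSignedCert` and `tlsRoundTrip` are likewise names chosen here; the certificate is constructed test material, and the wrapping uses only the standard library’s `tls.Client`, `tls.Server` and `x509.CertPool`.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"io"
	"math/big"
	"net"
	"sync"
	"time"
)

// memConn is a minimal buffered in-memory net.Conn (a helper written for this
// example). Unlike net.Pipe, Write does not block until the peer Reads, so a
// TLS handshake can run over a pair of them without deadlocking.
type memConn struct {
	in, out chan []byte
	rest    []byte // unread tail of the last chunk received
	once    sync.Once
}

// memPair returns two connected memConns, in the spirit of net.Pipe.
func memPair() (*memConn, *memConn) {
	ab, ba := make(chan []byte, 64), make(chan []byte, 64)
	return &memConn{in: ba, out: ab}, &memConn{in: ab, out: ba}
}

func (c *memConn) Read(p []byte) (int, error) {
	for len(c.rest) == 0 {
		chunk, ok := <-c.in
		if !ok {
			return 0, io.EOF // peer closed its end
		}
		c.rest = chunk
	}
	n := copy(p, c.rest)
	c.rest = c.rest[n:]
	return n, nil
}

func (c *memConn) Write(p []byte) (int, error) {
	if len(p) > 0 {
		c.out <- append([]byte(nil), p...) // copy: the caller may reuse p
	}
	return len(p), nil
}

// Close signals EOF to the peer; addresses and deadlines are not needed here.
func (c *memConn) Close() error                     { c.once.Do(func() { close(c.out) }); return nil }
func (c *memConn) LocalAddr() net.Addr              { return nil }
func (c *memConn) RemoteAddr() net.Addr             { return nil }
func (c *memConn) SetDeadline(time.Time) error      { return nil }
func (c *memConn) SetReadDeadline(time.Time) error  { return nil }
func (c *memConn) SetWriteDeadline(time.Time) error { return nil }

// newSelfSignedCert builds an in-memory ECDSA certificate for serverName.
// Constructed test material: a real server's leaf is issued by a CA.
func newSelfSignedCert(serverName string) (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: serverName},
		DNSNames:     []string{serverName}, // clients match ServerName against SANs, not CN
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, leaf, err
}

// tlsRoundTrip wraps both ends of a memPair in tls.Conn. The client trusts only
// roots and expects serverName; it sends msg and the server's view is returned.
func tlsRoundTrip(cert tls.Certificate, roots *x509.CertPool, serverName, msg string) (string, error) {
	cRaw, sRaw := memPair()
	server := tls.Server(sRaw, &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS12})
	client := tls.Client(cRaw, &tls.Config{RootCAs: roots, ServerName: serverName, MinVersion: tls.VersionTLS12})

	got := make(chan string, 1)
	go func() {
		defer server.Close()
		buf := make([]byte, len(msg))
		n, _ := io.ReadFull(server, buf) // first Read drives the server handshake
		got <- string(buf[:n])
	}()

	err := client.Handshake() // verifies the chain and hostname before any data flows
	if err == nil {
		_, err = client.Write([]byte(msg))
	}
	client.Close()
	return <-got, err
}
```

The point of the custom conn is that tls.Conn does not care what carries the bytes: a TCP socket, a unix socket, or a pair of channels all satisfy net.Conn. net.Pipe is not used because it is fully synchronous (each Write blocks until the peer Reads), which can stall a handshake when both sides queue a flight before reading. The security-relevant behaviour lives entirely in the client config: with an empty root pool the handshake fails with x509.UnknownAuthorityError, and with a trusted root but the wrong ServerName it fails with x509.HostnameError, both before any application data is written.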
The Big Ten has a bit of a situation on their hands. The Big Ten cancelled the Fall 2020 college football season, and expected to be praised as leaders and legends. Instead, many coaches, players, and athletic directors were upset. Some fans were angry, yet many others had realized months ago that it simply did not make sense to try to play football during an uncontrolled pandemic, especially without access to rapid testing.| dadrian.io
Last December, I defended my PhD at the University of Michigan. At the time, I’d been in grad school for four and a half years, and I’d been working with my research group for another year before that. I also went to Michigan for undergrad, so I’ve been living in Ann Arbor for nearly nine years. Why did I do this? Before I go on, I want to say a few things up front.| dadrian.io
In my experience, a lot of the non-academics in the security research community aren’t nearly as familiar with which academic conferences are notable, so here they are. These conferences are not structured like many “industry” conferences. Instead, these conferences consist of presentations of academic papers that were submitted to and peer-reviewed by the conference’s program committee (PC). Security Conferences: this is a rundown of the “big four” top-tier acade...| dadrian.io
An article has been going around the Internet recently, arguing that branded vulnerabilities are no longer helping application security and have instead become an instance of the “boy who cried wolf” phenomenon. The Badlock bug is a textbook example of over-hyping vulnerabilities for marketing purposes rather than for promoting good security hygiene. The disclosing team’s dubious motivations have been written about extensively over the last several weeks, and “thought leaders” are c...| dadrian.io
Large-scale quantum computers are capable of breaking all of the common forms of asymmetric cryptography used on the Internet today. Luckily, they don’t exist yet. The Internet-wide transition to post-quantum cryptography began in 2022 when NIST announced their final candidates for key exchange and signatures in the NIST PQC competition. There is plenty written about the various algorithms and standardization processes that are underway. The conventional wisdom is that it will take a long t...| dadrian.io