thx nsa

At the core of the bcrypt pbkdf is the magic string "OxychromaticBlowfishSwatDynamite". The particular value of the string doesn’t change the algorithm, but the hash works by encrypting this string. All generated outputs are really just ciphertext versions of the magic string. What does it mean?

Let’s arrange the words on a 4x8 grid.

Oxychrom aticBlow fishSwat Dynamite

An interesting pattern emerges with the capital letters. They form a triangle. Let’s take the letters inside.

xy atic fish yn

Atic fish? Y/N? hmmm. Two lines of two letters with a y and two lines of four with an i. y? i? They’re the only letters repeated, and perhaps have some other relationship (“change the y to an i...”). We’ll have to think about this some more. For now, let’s combine lines of equal lengths.

xyyn aticfish

yy is very unusual in English. Maybe it doesn’t belong. Or maybe it’s a hint about the i as well? There seems to be some relationship between i and y, certainly. What if we delete the ys and the is and also the letters between the is? As so:

xn atsh

And suddenly the hidden message is revealed. It’s an anagram for thx nsa.

Posted 2014-08-31 21:30:49 by tedu Updated: 2014-08-31 21:31:04
Tagged: openbsd rants software

2Q buffer cache algorithm

Since the dawn of time, the OpenBSD buffer cache replacement algorithm has been LRU. It’s not always ideal, but it often comes close enough and it’s simple enough to implement that it’s remained the tried and true classic for a long time. I just changed the algorithm to one modelled somewhat after the 2Q algorithm by Johnson and Shasha.


LRU is simple enough it doesn’t require much explanation. Keep a list of all buffers. Whenever you use one, put it on the front of the list. Whenever you need a new (recycled) buffer, take it from the end of the list. Those are the oldest, least recently used buffers. In high level terms, the current working set is at the front of the list and the previous working set is fading away off the end. It’s responsive to changes in the working set, very quickly replacing old unused buffers with the latest. In other words, it has a short history; it’s not “sticky”.

Continue reading 2Q buffer cache algorithm...

Posted 2014-08-31 21:30:36 by tedu Updated: 2014-08-31 21:30:36
Tagged: openbsd project software

Space Pirate Captain Harlock

A two hour long Final Fantasy (X, XII, XIII) cutscene, but uninterrupted by the need for level grinding. All the major motifs are present: good but actually evil churches that are actually governments, coverups and double crosses, dead but not dead people, ancient technology, preposterously ineffective battle tactics, collect all the MacGuffins quest, family squabbles, life in the shadow of the great war of the before times.

Posted 2014-08-31 21:30:26 by tedu Updated: 2014-08-31 21:30:26
Tagged: moviereview

Los Últimos Días

In Los Últimos Días, English title The Last Days, an extreme agoraphobia pandemic has swept the planet. Nobody can go outside without experiencing a fatal seizure. The movie doesn’t spend any time trying to explain the cause (which is good; better than a terrible explanation), but the Panic, as it is known, starts with a few cases and then affects more people over time until eventually everybody is trapped in whatever building they were last in. This sets us up for a story in a post apocalyptic world that’s a little different than the typical zombie virus plague outbreak.

It’s not a great movie (relies too much on flashbacks for my taste), but the concept is intriguing. Different spaces (office building, subway station, apartment building, indoor mall) all follow their own Lord of the Flies trajectory based on their occupant mix.

Posted 2014-08-19 04:42:16 by tedu Updated: 2014-08-19 04:42:16
Tagged: moviereview

your data

A few thoughts reflecting on Sen. Wyden’s not quite proposal. As noted on HN there’s some question of exactly what your data is. Is it information you created (or otherwise control) or is it information about you? Is it an email you composed by typing on a keyboard or is it a log entry created by an autonomous system of whose existence you are unaware? The thornier issues of what the government can or cannot do are best deferred until this basic question is answered.

A complete your data test would likely involve several factors, much like the fair use test does, and be decided on a case by case basis. For starters, though, we can begin by asking one question. To what extent can you describe the data? The owner of some data is likely to be the party that can describe the data (and importantly, its format) most accurately and completely. This is the tried and true Lost and Found test. “Hey, I lost my iPod.” “Can you describe it?” If the hotel concierge has a green iPod, but I tell them I lost a black iPod, it’s probably not mine.

Continue reading your data...

Posted 2014-08-18 21:23:05 by tedu Updated: 2014-08-18 21:23:05
Tagged: politics software thoughts


On the wall at Sketch.

Posted 2014-08-17 21:19:55 by tedu Updated: 2014-08-17 21:19:55
Tagged: business philly quote

in defense of opportunistic encryption

I’ve always been a secret admirer (and occasional not so secret advocate) of opportunistic encryption. Sometimes less flatteringly called unauthenticated encryption. Or even less flatteringly “not encrypted”. I’ve slowly come around, on the uselessness of unauthenticated encryption, but with the caveat that many times it’s not that bad. Here are a few notes on how I made self signed certs work for me. One could always go with one of those free certs, but seriously, fuck the CAbal.


The key word here is opportunity. Basically, it’s entirely optional but we’ll take it if we can get it. This generally means a blind key exchange, where we don’t check the identity of the other end. Self signed or otherwise unverified certs. Hence, unauthenticated.

Continue reading in defense of opportunistic encryption...

Posted 2014-08-14 00:59:07 by tedu Updated: 2014-08-26 19:28:17
Tagged: rants security software thoughts

don't encrypt all the things

A while back, I observed that https is a sign of serious business. Google recently decided something similar. At the time, it was mostly a curiosity. “Hey, you got your not serious lolcats in my serious dogecoins!” After a few recent developments, I’ve been thinking about it a bit more.

Long ago, SMTP relay traffic was unencrypted. Then came the great NSA freak out. People in submarines were tapping undersea cables and reading my email. So I did what any sensible lemming would do. I created some certs and turned on TLS. Then came Heartbleed. Suddenly the set of people who could read my email went from “people in submarines” to “people who can access github”. Not strictly an improvement.

Continue reading don’t encrypt all the things...

Posted 2014-08-14 00:58:57 by tedu Updated: 2014-08-30 04:19:21
Tagged: security software thoughts


Time had an article I liked about Kentucky’s healthcare exchange, Kynect. A similar piece with some of the highlights is in LA Times.

Mostly, I’m fascinated by McConnell’s attempts at threading the political needle now that people seem to like the law that he promised them they’d hate. “Hey, this law made us do something we never would have done, but now that we have and we like the result, that still doesn’t change anything. I’m always right.” Of course, voters seem equally confused about the name and nature of the law that was passed, so he still has some wiggle room.

Nothing new, people have always filtered reality through ideology, but in this case some of the facts are going to be hard for voters to ignore. Wonder how this will play out. In five years, will people be celebrating the (actually unchanged) healthcare law that “we should have had all along” after a few more rebranding exercises?

Tangential post on Bounded Rationality.

Posted 2014-08-11 02:29:52 by tedu Updated: 2014-08-11 02:29:52
Tagged: magreview politics

the language of money

From the New Yorker, Money Talks - Learning the language of finance. For a little while I thought this article was going somewhere, but as I read more I decided I don’t like it much at all. It positions itself as piercing the veil of obscurity surrounding financial and economic jargon, but then ultimately contributes even more confusion to the field.

Yes, the field of finance and economics (let’s lump them together) have a lot of specialized jargon. If you don’t understand what a “bear market” is, you’ll be left out of the conversation, and since finance undoubtedly has an impact on your life, this is bad. But it’s no different than many other fields. Practically every day the local meteorologist mutters something about a “cold front” (except when they’re muttering about an “occluded front”, whatever the hell that is). A doctor once told me to avoid “excessive ambulation” (no joke). Jargon is jargon. It’s a part of every field of study.

Continue reading the language of money...

Posted 2014-08-01 19:15:51 by tedu Updated: 2014-08-01 19:15:51
Tagged: business language magreview