Stories from January 18, 2011
1. Easing into SICP
299 points by thinkingeric on Jan 18, 2011 | 46 comments
2. Why U.S. Galaxy S Phones run Android 2.1 (xda-developers.com)
284 points by spidaman on Jan 18, 2011 | 94 comments
3. Goodbye Facebook (theaboutness.com)
233 points by nicholalexander on Jan 18, 2011 | 109 comments
4. Tarsnap critical security bug (daemonology.net)
231 points by spuz on Jan 18, 2011 | 124 comments
5. Eek, A Male (wsj.com)
229 points by georgecmu on Jan 18, 2011 | 166 comments
6. Facebook's 3rd Biggest Advertiser is a Bing Affiliate Scam (readwriteweb.com)
202 points by joshfraser on Jan 18, 2011 | 71 comments
7. Web Services Our Startup Relies On Every Day (mygengo.com)
198 points by robert_mygengo on Jan 18, 2011 | 66 comments
8. Facebook is a Ponzi Scheme (jperla.com)
185 points by ljlolel on Jan 18, 2011 | 105 comments
9. Brisbane floods: before and after (abc.net.au)
178 points by mjfern on Jan 18, 2011 | 129 comments
10. Introduction to Gnome 3 (gnome3.org)
139 points by audidude on Jan 18, 2011 | 72 comments
11. Apple Reports First Quarter Results (apple.com)
132 points by aaronbrethorst on Jan 18, 2011 | 98 comments
12. What Hollywood Execs Privately Say About Netflix (hollywoodreporter.com)
125 points by kenjackson on Jan 18, 2011 | 70 comments
13. The Leave (daringfireball.net)
120 points by dave1619 on Jan 18, 2011 | 74 comments

So funny to see Zugo around...

They had offered us to bundle their 'nice' toolbar inside the VLC installer so that every install of VLC would have installed this thing...

And they proposed a very high value for each install...


Tarsnap had a CTR nonce collision. It's a bad bug that's fairly common and easy to explain.

CTR mode turns AES into a stream cipher, meaning it can encrypt a byte at a time instead of 16 bytes at a time. It does this by using the block cipher core to encrypt counters, which produces a "keystream" that you can XOR against plaintext to use as a stream cipher.

For this to be secure, as with any stream cipher, it is crucial that the keystream never repeat. If you encrypt two plaintexts under the same keystream, you can XOR them together to cryptanalyze them; even easier, if you know the contents of one of the plaintexts, you can XOR the known plaintext against the ciphertext to recover the keystream!

To avoid repeating keystreams, CTR mode uses a nonce, which is a long cryptographically secure random number concatenated to the counter before encrypting.

To avoid that catastrophic security bug, CTR mode users have to make sure the nonce never repeats (and also that the counter never repeats, e.g. by wrapping). We have found both bugs multiple times in shipping products, and now Colin found it in his product.

And so I come to the moral of my story: Colin is clearly a gifted crypto dev. He can talk lucidly and at length about the best ways to design crypto-secured protocols. He has found crypto flaws in major systems before. He is as expert as you could expect anyone to be on any product.

And Colin didn't get it right; what's more, the manner in which he got it wrong was devastating (in cryptographic terms).

Colin handled this well, largely due to the fact that he's an expert and knows how to handle it.

How likely is it that anyone less capable than Colin could have handled it so well? Moreover, if Colin can make a devastating mistake with his crypto code, how many worse mistakes would a non-expert make?

You should avoid writing crypto code if at all possible. Nate Lawson is fond of saying, "you should budget 10 times as much to verification as you do for construction of cryptosystems"; I would amend that only to add a price floor to it, because you cannot get real validation of a cryptosystem for less than many tens of thousands of dollars --- if your system is simple.

16. Rails Installer - Get up and running on Windows (railsinstaller.org)
100 points by bphogan on Jan 18, 2011 | 35 comments
17. How I Found a Co-Founder, Built a Prototype, and Raised $5M in Less Than 4 Weeks (brianbalfour.com)
101 points by mpc on Jan 18, 2011 | 21 comments
18. Jailed Pirate Party member becomes Tunisian government minister (arstechnica.com)
92 points by mcantelon on Jan 18, 2011 | 17 comments
19. My Favorite Chart on Earth (csmonitor.com)
92 points by sharan on Jan 18, 2011 | 50 comments
20. A Gentle Introduction to Machine Fundamentals (marijnhaverbeke.nl)
89 points by telemachos on Jan 18, 2011 | 5 comments

Does anyone else avoid Facebook because they themselves suck as a person? I don't use FB because the activities on it are things I am better off not doing.

I felt strange doing anything on it because I felt people were judging me. It was like I had developed this persona of an educated and successful and fun person when I was on it because I hadn't made any new "friends" since beginning grad school and I was so stressed out, miserable and broke that I was never brave enough to admit it on my own.

After surfing through the countless photos of my friend's girlfriend or my ex gf, I honestly used to feel guilty with the voyeurism. I used to feel hurt seeing my ex gf happy, lonely seeing old friends enjoying themselves, smirk seeing my friend do something stupid. I hated when people tagged me for the same reasons.

I wasted tons of time friending people I would not even wish birthday. I spent countless awkward chat conversations that never went beyond "I had a great day". I spent useless time tweaking my photos and wall so that my family wouldn't see the language that I or my friends were using. I tried to post Go's result on my wall. It became less of enjoying the game than to acquire certain points so that I could post them on my wall.

I logged into Facebook when I didn't have anything to do, which happened a lot. I used to open Facebook like I opened my email and reddit. After a while I just felt too shitty.

I deleted the account. I share photos through Flickr. Not all my friends are there but those who are have taught me a lot about taking photographs. I joined Blip.fm. Not all my friends are there but those who are truly share the passion I have for music. I deleted all my contacts in the messenger and added only those that I truly feel comfortable talking to.

My girlfriend calls me anti social. But she too has come to accept that Facebook is prone to our weakest traits as humans. We love attention. We love to think of ourselves as something we want to be. We trade our true feelings to be included. We want to be popular. We want our taste in music and art to be valued. We crave for external success. It was like high school all over again.


Wow, I was prepared to mock it after seeing that w3.org actually had to design something, but it's rather good.
23. Git-powered wikis improved - GitHub (github.com/blog)
87 points by obilgic on Jan 18, 2011 | 10 comments
24. DHTML5 (dhtml5.com)
84 points by jgv on Jan 18, 2011 | 23 comments
25. NodeFu Launches - Opensource Node.js hosting platform (nodefu.com)
84 points by ChrisMatthieu on Jan 18, 2011 | 49 comments
26. Baby Steps into Genetic Programming (aerique.blogspot.com)
82 points by aerique on Jan 18, 2011 | 21 comments

Additionally, it's considered OK to slam men in media, where it isn't right to do it to women.

The next time you see a commercial that makes use of gender roles, swap the genders and see if the commercial would still be suitable. Most don't hold up to this scrutiny.

28. Thanks but No Thanks – Things to Avoid When Recruiting Co-founders (grasshopperherder.com)
77 points by irfanm on Jan 18, 2011 | 26 comments

The article pokes fun at Netflix for purchasing little-known, unpopular titles, as if Hollywood is somehow putting one over on Netflix. But what drew me to Netflix initially was its ultra-deep selection of DVDs, which was far better than the local video store. Seems to me Netflix is trying the same thing with streaming, building the biggest catalog as fast as possible so people will view it as the #1 streaming choice, even if Warner Brothers withholds its marquee movies and sticks it with "Pushing Daisies."
30. PS3 Portal 2 to come with free PC/Mac version, cross-platform play (arstechnica.com)
76 points by phsr on Jan 18, 2011 | 26 comments
