Every time I click on one of these posts, I'm expecting it to be a tiny KVM switch. When did this whole KVM nomenclature catch on for virtual machines?
It certainly wasn't in common usage that early - at least not outside of linux circles. I don't really recall hearing it in this context before maybe the early 20's
Do you actually develop for a platform that (a) has a standards-compliant C compiler, (b) does not have a Rust target, and (c) has enough memory to be worth dealing with PDFs?
If you use the 3-prong version of the power adapter to connect to a grounded outlet, this problem goes away. Of course, Apple doesn't actually sell a 3-prong plug for their charger in Europe... so us lucky folks in the EU have to get a 3rd party one off the internet
I suspect what they meant is that there isn't an official Schuko nub that slides onto the brick and lets you hang it directly from the socket rather than carrying an extra meter of cable around. There is a BS1363 one, and those are only legit feasible in a grounded configuration (although I guess you could use a plastic ground spade to lift the child protection slider inside the socket if you were a particularly unpleasant engineer). Nice for those of us in British-adjacent countries.
YMMV. I throw away the non-corded variants because they rarely fit in the spaces that people think to put outlets, especially as the chargers have grown and (particularly) train operators love putting outlets attached to tables with about 5mm of clearance.
If you look through second-hand car listings in Europe, >400,000km is not that usual to see. In places where cars are relatively expensive, folks keep them running forever...
That said, a million miles is probably enough for anyone :D
> the SDK seems way larger than I had imagined, but that is normal for (software) things, I guess. "This API also enables the scheduling of tasks on the main thread from any other thread." was not easy to unpack nor see the use of in what was (to me) an audio-generation-centered API
VST plugins almost all have a GUI, thus the VST SDK has to support an entire cross-platform UI framework... This threading functionality is mostly about shipping input events/rendering updates back and forth to the main (UI) thread
There is no single UI framework in VST. The plugin API only has interfaces for creating/destroying/resizing a GUI window. You are not required to use VSTGUI.
The documentation on this is... uh... intimidating? I come away from this with the sense that I need to learn a whole lot about cryptography to make a good decision here:
Do not reference these kinds of docs whenever you need practical, actionable advice. They serve their purpose, but are for a completely different kind of audience.
For anyone perusing this thread, your first resource for this kind of security advice should probably be the OWASP cheatsheets which is a living set of documents that packages current practice into direct recommendations for implementers.
This is just a random list of links to standards and summary tables, some of which are wrong (urandom vs. random, for instance). The "A/L/D" scoring makes very little sense. CBC is legacy-allowable and CTR is disallowed; "verification of padding must be performed in constant time". For reasons passing understanding, "MAC-then-encrypt" is legacy-allowable. They've deprecated the internally truncated SHA2's and kept the full-width ones (the internally truncated ones are more, not less secure). They've taken the time to formally disallow "MD5 and SHA1 based KDF functions". There's a long list of allowed FFDH groups. AES-CMAC is a recommended general-purpose message authenticator.
This is a mess, and I would actively steer people away from it.
It's a bad audit checklist! If OWASP volunteers can't do a good one, they should just not do one at all. It's fine for them not to cover things that are outside their expertise.
I’d wager that something like 90% of developers who look at that page should close the tab instead of reading any of it.
If you’re building a system and need crypto… pick the canonical library for the ecosystem or language you’re working in. Don’t try to build your own collection of primitives.
Also, I gave the link to the appendix because there was a specific question about Argon2 parameters. For general developer audiences, they need to look at the standard itself which is a lot more high level about how to properly implement cryptography in software:
https://github.com/OWASP/ASVS/blob/master/5.0/en/0x20-V11-Cr...
For the most common use-cases of cryptography like authentication and secure communication there is more specific, but still high level guidance that is useful for developers as well:
Yes I fully agree. I’m a big fan of libraries like Google Tink that make you pick a use case and use the best implementation for that use case with built in crypto agility.
Most crypto libraries are not built like that however. They just give you a big pile of primitives/algorithms to choose from. Then frameworks get built on top of that, not always taking into account best practices, and leave people that are serious about security the job of making sure the implementation is secure. This is the point where you need something like ASVS.
What language today still doesn't have a de facto simplified toolbox for wrapping crypto operations?
If you're a developer, and you start trying to perform crypto operations for your service and the library you chose is making you question which cipher, what KDF parameters, or what DH group you want, that is 100% a red flag and you should promptly stop using that crypto library.
Can you give some examples of such commonly used libraries for languages like Java / C# / C++?
In my experience there are not many libraries like Google Tink around, and they are not in widespread use at all. Most applications doing encryption manually for specific purposes still have the words AES, CBC, GCM, IV etc hardcoded in their source code.
If you review such code, it’s still useful to have resources that show industry best practices, but I agree that the gold standard is to not have these details in your own code at all.
reply