Re: [go-nuts] Re: Command line password manager using AES symmetric key encryption, Argon2 KDF, Key-Agent and Keepass importer

2018-10-15 Thread robert engels
As long as the passwords are not stored in plain text in memory - meaning they are only temporarily decoded in order to be provided (and then the memory wiped) - there is no difference than the underlying security of the file encryption on disk, no? > On Oct 15, 2018, at 4:13 PM, Christopher

Re: [go-nuts] Re: Command line password manager using AES symmetric key encryption, Argon2 KDF, Key-Agent and Keepass importer

2018-10-15 Thread robert engels
Exactly - and systems do not typically have this - yet are considered secure. If the plain text is ever available - and it almost always is (in the original input component, etc.) it is always subject to attack/hack - and as far as I am aware without hardware support (dongle, etc.) this is a

Re: [go-nuts] Re: Command line password manager using AES symmetric key encryption, Argon2 KDF, Key-Agent and Keepass importer

2018-10-15 Thread Christopher Nielsen
On Mon, Oct 15, 2018 at 2:17 PM robert engels wrote: > > As long as the passwords are not stored in plain text in memory - meaning > they are only temporarily decoded in order to be provided (and then the > memory wiped) - there is no difference than the underlying security of the > file

[go-nuts] Re: Command line password manager using AES symmetric key encryption, Argon2 KDF, Key-Agent and Keepass importer

2018-10-15 Thread Matthias Schmidt
Hi Eric, thanks *a lot* for your valuable feedback! I really appreciate it. See comments inline: On Monday, 15 October 2018 12:09:32 UTC+2, EricR wrote: > > Since you're looking for opinions on the security concept, two questions > spring immediately to my mind: > > 1. Does the daemon keep

Re: [go-nuts] Re: Command line password manager using AES symmetric key encryption, Argon2 KDF, Key-Agent and Keepass importer

2018-10-15 Thread EricR
If the memory in which the master key resides is not locked, then it may be written to the page file. An attacker may thus boot the machine from an external disk, mount the disk, read the page file, obtain the master key from the page file, and then decrypt the password database. The attack

Re: [go-nuts] Re: Command line password manager using AES symmetric key encryption, Argon2 KDF, Key-Agent and Keepass importer

2018-10-15 Thread Christopher Nielsen
On Mon, Oct 15, 2018 at 1:28 PM Matthias Schmidt wrote: > > Hi Eric, > > thanks *a lot* for your valuable feedback! I really appreciate it. See > comments inline: > > On Monday, 15 October 2018 12:09:32 UTC+2, EricR wrote: >> >> Since you're looking for opinions on the security concept, two

[go-nuts] Re: [Proposal] Goroutine Scoped Context

2018-10-15 Thread Eyal
Part 2: scoped context proposal. https://posener.github.io/context-scoping/ Please post replies in the blog itself. Enjoy! On Wednesday, October 10, 2018 at 9:38:18 PM UTC+3, Eyal wrote: > > Hi, > I wrote a proposal about making the context goroutine scoped. > Please read the current design

Re: [go-nuts] Re: Command line password manager using AES symmetric key encryption, Argon2 KDF, Key-Agent and Keepass importer

2018-10-15 Thread robert engels
If the user has the ability to read the page file - i.e. root - then he also has the ability to use the debugger to inspect the live memory as well - so as the OP pointed out - if root is compromised - nothing is secure. > On Oct 15, 2018, at 4:36 PM, EricR wrote: > > If the memory in which

Re: [go-nuts] Re: Understanding the doc (why can't I?)

2018-10-15 Thread Neil Higgins
I would ascribe metaphysicality to the current name, and comprehensibility to a more accurate name. In this case, “shuffling” is just an example of what can be done. Abstraction is all very nice, until any applied meaning is completely lost in mumbo-jumbo. Neil Higgins (iPhone)

Re: [go-nuts] Re: Understanding the doc (why can't I?)

2018-10-15 Thread Dan Kortschak
I'm curious. What name would you suggest? Note that what I said below applies here; shuffling is what is the intended use of rand.Shuffle. It could conceivably be used for alternative things, but then C's sprintf can be used for writing to arbitrary memory, though that is not what is intended.

Re: [go-nuts] Re: Understanding the doc (why can't I?)

2018-10-15 Thread Neil Higgins
Well, ok. But I would call “Shuffle” a misleading misnomer, because until the user defines a shuffler function (which perversely might not, or might fail to, shuffle anything), it does not shuffle anything. Thanks for taking the time to answer my question. Neil > On 16 Oct 2018, at 2:38 am,

Re: [go-nuts] Re: Command line password manager using AES symmetric key encryption, Argon2 KDF, Key-Agent and Keepass importer

2018-10-15 Thread robert engels
To clarify, this is for a hardware device that protects a local resource - a network based protocol that challenges the device for access is a different story, and yes, when properly implemented is secure (unless someone steals your device! - which is why it is usually password + device, and

Re: [go-nuts] Re: Command line password manager using AES symmetric key encryption, Argon2 KDF, Key-Agent and Keepass importer

2018-10-15 Thread Christopher Nielsen
On Mon, Oct 15, 2018 at 4:33 PM robert engels wrote: > > To clarify, this is for a hardware device that protects a local resource - a > network based protocol that challenges the device for access is a different > story, and yes, when properly implemented is secure (unless someone steals >

Re: [go-nuts] Re: Understanding the doc (why can't I?)

2018-10-15 Thread Neil Higgins
Ok, Dan. With what you have told me, I acknowledge that shuffling is what it’s all about, so the metaphysics matches the physics on this case. So the problem is on my side: Probably a deficit in fluency with idiomatic code. -- You received this message because you are subscribed to the Google

Re: [go-nuts] Understanding the doc (why can't I?)

2018-10-15 Thread andrey mirtchovski
> May be it ought to be called FYShuffle? then we'd have to rename it if we switched the algorithm (which has happened once for sort.Sort already). that's not what go is about :) maybe you're advocating for implementing a Shuffle interface, which brings us round about to where we are right now

Re: [go-nuts] Understanding the doc (why can't I?)

2018-10-15 Thread andrey mirtchovski
> Unlikely :-) > > The following is much less obscure. > > func Shuffle(slice interface{}) > > & might have more sense. e.g. > > var cards []card > ... > rand.Shuffle(cards) you've now restricted Shuffle to "shuffling" only slices. and it has to examine interface{}

[go-nuts] Re: Generics: an unwelcome conclusion and a proposal

2018-10-15 Thread Eric Raymond
On Tuesday, October 16, 2018 at 12:16:16 AM UTC-4, Beoran wrote: > > For now, I don't see what compelling benefits allowing operators in > generic contracts would bring. > Consider Ian Lance Taylor's smoke test for generics. It is: can we implement min() and max() on a generic type. What

Re: [go-nuts] Re: Understanding the doc (why can't I?)

2018-10-15 Thread Neil Higgins
So as well as getting rid of the euphemistic name, the documentation should simply say that it delivers n pairs of random numbers in the relevant range to a user-defined function. Neil Higgins (iPhone) higgins-dem...@bigpond.com > On 16 Oct 2018, at 8:31 am, Neil Higgins <1955ne...@gmail.com>

Re: [go-nuts] Generics: an unwelcome conclusion and a proposal

2018-10-15 Thread Eric Raymond
On Monday, October 15, 2018 at 11:02:18 PM UTC-4, Ian Denhardt wrote: > > > There are other operators in the language that don't behave like > functions or methods (e.g. boolean operators like && and ||, which > short-circuit), but the rest of them are things that don't have gobs of > use

Re: [go-nuts] Generics: an unwelcome conclusion and a proposal

2018-10-15 Thread Ian Denhardt
Quoting Eric Raymond (2018-10-15 23:32:22) >Fair enough. I am completely willing to discard the possibility of >overloading && and || and almost any other operator that doesn't behave >like a function, because I think we get a rich enough set of contracts >from those that do. As

Re: [go-nuts] Re: Understanding the doc (why can't I?)

2018-10-15 Thread Dan Kortschak
But this is not really what it does. You can see from the output of this code https://play.golang.org/p/88Llo7zHTeK

```
package main

import (
	"fmt"
	"math/rand"
)

func main() {
	rand.Shuffle(10, func(i, j int) {
		fmt.Println(i, j)
	})
}
```

That `i` is not sampled from a random distribution, but

[go-nuts] Generics: an unwelcome conclusion and a proposal

2018-10-15 Thread Beoran
I agree that operators in contracts and the proposed generics don't seem to mesh well. Your proposal would enable the use of operators in interfaces in an easy way. However, personally I think that perhaps we don't need operators at all. Suppose I was to implement a generic btrie or such

Re: [go-nuts] Understanding the doc (why can't I?)

2018-10-15 Thread Dan Kortschak
¡left off the Len method!

    type Swapper interface {
        // Swap swaps the elements i and j.
        Swap(i, j int)
        // Len returns the number of elements that may be swapped.
        Len() int
    }

    func Shuffle(s Swapper)

On Tue, 2018-10-16 at 03:46 +, Dan Kortschak wrote: > type Swapper interface { > // Swap

Re: [go-nuts] Generics: an unwelcome conclusion and a proposal

2018-10-15 Thread Eric Raymond
On Monday, October 15, 2018 at 11:59:44 PM UTC-4, Ian Denhardt wrote: > > I'm not in love with the inconsistency, and expect it to cause some > confusion with newbies, but I'd have to use it to see how big of a > footgun it is in practice. There are certainly worse ideas. > Yes. If that's

Re: [go-nuts] Re: Command line password manager using AES symmetric key encryption, Argon2 KDF, Key-Agent and Keepass importer

2018-10-15 Thread Christopher Nielsen
On Mon, Oct 15, 2018 at 3:10 PM robert engels wrote: > > Exactly - and systems do not typically have this - yet are considered secure. > If the plain text is ever available - and it almost always is (in the > original input component, etc.) it is always subject to attack/hack - and as > far as

Re: [go-nuts] Understanding the doc (why can't I?)

2018-10-15 Thread Bakul Shah
On Oct 15, 2018, at 6:44 PM, Neil Higgins <1955ne...@gmail.com> wrote: > > Ok, Dan. With what you have told me, I acknowledge that shuffling is what > it’s all about, so the metaphysics matches the physics on this case. So the > problem is on my side: Probably a deficit in fluency with

Re: [go-nuts] Re: Command line password manager using AES symmetric key encryption, Argon2 KDF, Key-Agent and Keepass importer

2018-10-15 Thread robert engels
That is not true. If you lose the key, anyone else can use the device - which is why there is usually an additional requirement beyond the hardware key - I am referring to hardware dongles given to users. By LOSE I meant unknowingly lost - not that once I lose it and KNOW I’ve lost it I

Re: [go-nuts] Understanding the doc (why can't I?)

2018-10-15 Thread 1955neilh
Oh well! Bakul - thank you for that little bit of affirmation. I feel better now :-) > The current Shuffle is confusing. May be because it has a somewhat clumsy interface. >

Re: [go-nuts] Re: Command line password manager using AES symmetric key encryption, Argon2 KDF, Key-Agent and Keepass importer

2018-10-15 Thread robert engels
Maybe, but still, if they have root access to your machine, they can just as easily alter the accessing binary to send the decoded password elsewhere after it has decoded it… Which is why applications on osx are “signed” (to prohibit tampering) (although if you have root access - you could

[go-nuts] Generics: an unwelcome conclusion and a proposal

2018-10-15 Thread Eric Raymond
Recent discussion of possible generics designs has forced me to a conclusion I'm not happy with, because it requires a feature-cluster that I thought I was glad to be leaving behind in Python. That is this: The simplest and most effective way to solve the generics problem is to embrace

Re: [go-nuts] Re: Command line password manager using AES symmetric key encryption, Argon2 KDF, Key-Agent and Keepass importer

2018-10-15 Thread robert engels
Also, what maybe I wasn’t clear here - that is the ‘verification is local - say a local app’, if the machine has been compromised - the binary can be edited to remove the security check - no need to even have the dongle - thus the requirement for an external resource being protected. > On Oct

Re: [go-nuts] Understanding the doc (why can't I?)

2018-10-15 Thread Bakul Shah
On Mon, 15 Oct 2018 20:39:11 -0600 andrey mirtchovski wrote: > > May be it ought to be called FYShuffle? > > then we'd have to rename it if we switched the algorithm (which has > happened once for sort.Sort already). that's not what go is about :) Unlikely :-) The following is much less

Re: [go-nuts] Generics: an unwelcome conclusion and a proposal

2018-10-15 Thread Eric Raymond
On Monday, October 15, 2018 at 11:32:23 PM UTC-4, Eric Raymond wrote: > > Fair enough. I am completely willing to discard the possibility of > overloading && and || > A little thought showed me that this is not required. The straightforward way to write the contract of "!" would be that it

Re: [go-nuts] Re: Understanding the doc (why can't I?)

2018-10-15 Thread andrey mirtchovski
> Well, ok. But I would call “Shuffle” a misleading misnomer, because until the > user defines a shuffler function (which perversely might not, or might fail > to, shuffle anything), it does not shuffle anything. how would you implement shuffle in golang so that it's not a misleading misnomer?

Re: [go-nuts] Generics: an unwelcome conclusion and a proposal

2018-10-15 Thread Ian Denhardt
Quoting Eric Raymond (2018-10-15 22:24:50) >The simplest and most effective way to solve the generics problem is to >embrace operator overloading and the kind of magic method designations >that go with it. This matches my intuition as well, though see below. >Can it even

Re: [go-nuts] Understanding the doc (why can't I?)

2018-10-15 Thread Dan Kortschak
    type Swapper interface {
        // Swap swaps the elements i and j.
        Swap(i, j int)
    }

    func Shuffle(s Swapper)

On Mon, 2018-10-15 at 19:58 -0700, Bakul Shah wrote: > On Mon, 15 Oct 2018 20:39:11 -0600 andrey mirtchovski ail.com> wrote: > > > > > > > > May be it ought to be called FYShuffle? > > then

[go-nuts] Re: Generics: an unwelcome conclusion and a proposal

2018-10-15 Thread Beoran
Well, you could certainly implement min or max generically without operators in contracts if you use a wrapper type for primitives and pointers. A bit more verbose perhaps, but that is also how it is now. I can only speak for myself and say that I would not be disappointed at all with such

[go-nuts] Re: Command line password manager using AES symmetric key encryption, Argon2 KDF, Key-Agent and Keepass importer

2018-10-15 Thread EricR
Since you're looking for opinions on the security concept, two questions spring immediately to my mind: 1. Does the daemon keep the sensitive data in locked memory that cannot be paged out? If so, how cross-platform is this? 2. How does the client communicate securely with the daemon? Which

Re: [go-nuts] Understanding the doc (why can't I?)

2018-10-15 Thread Jan Mercl
On Mon, Oct 15, 2018 at 4:06 PM <1955ne...@gmail.com> wrote: > Issues (for me): > > Shuffle doesn't seem to swap anything (the thing you want shuffled isn't even an argument) It shuffles things by calling the function literal passed to rand.Shuffle. Above it is `func(i, j int) { words[i], words[j]

[go-nuts] Understanding the doc (why can't I?)

2018-10-15 Thread 1955neilh
*Here's the doc for shuffle in math/random*: func Shuffle(n int, swap func(i, j int)) Shuffle pseudo-randomizes the order of elements using the default Source. n is the number of elements. Shuffle panics if n < 0. swap

Re: [go-nuts] Generics: an unwelcome conclusion and a proposal

2018-10-15 Thread Ian Denhardt
Cute. I think we're better off without it though; the use cases I can think of for "generic booleans" are all way too clever. FWIW, the uses of "generic booleans" I've seen in the wild don't actually work with your proposal, because they really do need to overload `and` and `or`, not just `not`.

[go-nuts] Re: Understanding the doc (why can't I?)

2018-10-15 Thread Chris Hopkins
I've edited the example very slightly at: https://play.golang.org/p/s7CUSbS8P3I Let's break this down. Think about how you might shuffle a pack of cards, a simple way is to swap 2 cards around at a time. As long as you exchange enough cards enough times and both cards you chose are randomly

[go-nuts] Re: [ANN] Golem: A general purpose, interpreted scripting language

2018-10-15 Thread Thorsten Sommer
Thank you Mike, for your announcement. Weird: I was looking for a library like this. I will take a closer look at Golem and try to use your language. Thank you for your work and the effort you put into Golem.

Re: [go-nuts] Re: Command line password manager using AES symmetric key encryption, Argon2 KDF, Key-Agent and Keepass importer

2018-10-15 Thread Christopher Nielsen
On Mon, Oct 15, 2018 at 4:25 PM robert engels wrote: > > Maybe, but still, if they have root access to your machine, they can just as > easily alter the accessing binary to send the decoded password elsewhere > after it has decoded it… Which is why you disable remote root access on hosts that

Re: [go-nuts] Understanding the doc (why can't I?)

2018-10-15 Thread Bakul Shah
On Mon, 15 Oct 2018 21:29:07 -0600 andrey mirtchovski wrote: > > Unlikely :-) > > > > The following is much less obscure. > > > > func Shuffle(slice interface{}) > > > > & might have more sense. e.g. > > > > var cards []card > > ... > > rand.Shuffle(cards) > >