/Security

Shamir Secret Sharing

- Max Levchin tl;dr: “This is the story of a catastrophic software bug I briefly introduced into the PayPal codebase that almost cost us the company (or so it seemed, in the moment.) I’ve told this story a handful of times, always swearing the listeners to secrecy, and surprisingly it does not appear to have ever been written down before. 20+ years since the incident, it now appears instructive and a little funny, rather than merely extremely embarrassing.”

featured in #436

How We Roll: Multifactor

- Colin Sidoti tl;dr: Colin explains the implementation of multifactor authentication (MFA) at Clerk. Clerk provides a self-serve flow for users to configure MFA, and developers can customize it with hooks. SMS OTP is optional due to security concerns, allowing users to disable it at both the application and user levels. Clerk ensures adherence to best practices for a robust MFA system.

featured in #435

Zenbleed

- Tavis Ormandy tl;dr: “If you remove the first word from the string "hello world", what should the result be? This is the story of how we discovered that the answer could be your root password!”

featured in #434

Why Even Let Users Set Their Own Passwords?

- Hugo Landau tl;dr: Hugo argues for a rethink of the way we handle passwords, pointing out the contradictions and shortcomings of current practices. They suggest that issuing high-entropy, randomly generated passwords to users, similar to API keys or TOTP, may be more secure than the current standard of user-created passwords.

featured in #433

How Passwordless Works

- Alan Parra tl;dr: This post explains how passwordless can be implemented using modern technologies such as WebAuthn, while at the same time providing a better user experience and security than the traditional password-based approach.

featured in #423

Break Glass, Not Rules: Ensuring Compliance in Emergency Code Changes

- Dave Gaeddert tl;dr: In "break glass" scenarios, code review often gets skipped. But many compliance frameworks like SOC2 require that all changes get reviewed. PullApprove tracks these unreviewed pull requests as "bypassed" and facilitates a post-merge review process.

featured in #419

Testing A New Encrypted Messaging App's Extraordinary Claims

tl;dr: The author used reverse engineering and decompilation tactics to view the inner-workings of an encryption app that was making “wild” claims, comparing its novel encryption protocol against established encrypted messaging apps.”

featured in #414

How Passwordless Works

- Alan Parra tl;dr: This post explains how passwordless can be implemented using modern technologies such as WebAuthn, while at the same time providing a better user experience and security than the traditional password-based approach.

featured in #409

Cloud-Native Privileged Access Management

tl;dr: DevOps practices have revolutionized how apps and infrastructure are managed, but access hasn't kept up. Shared secrets like passwords and keys – the #1 source of data breaches – are the norm. Teleport replaces shared secrets like passwords, keys, tokens, and even browser cookies with true identity, removing risk while letting engineers go fast.

featured in #400

Database Cryptography Fur The Rest Of Us

tl;dr: The author defines database cryptography, how it manifests for both relational and NoSQL databases, searchable encryption, and provides a case study of MongoDB’s Client-Side encryption.

featured in #394