In 2012, JSON was the lingua franca of the web and the Unix toolbox had nothing for it. One PhD student at Cambridge wrote a functional language in 510 KB of C. Forty years of flat text tools, plus one for trees.
A function call costs 0.001 ms. A network call between two microservices costs 1 to 5 ms. That is factor 5,000 before any business logic executes. One rather wonders what one gets for that markup.
Capsicum vs seccomp: Process Sandboxing — Vivian Voss
A compromised process inherits the full authority of the user who launched it. Two operating systems fixed this with opposite philosophies. One removed the doors. The other posted a bouncer.
There’s been a push over the last twelve years to move web traffic off unencrypted HTTP to encrypted HTTPS, to protect the general public from dragnet surveillance, gaping assholes on public wifiairpwn, backhauls over unencrypted satellites, that kinda thing. HTTPS relies on a public key infrastructure to make sure only authorized servers have keys for specific websites. [oid]: an OID or “Object IDentifier” is intended [brs]: https://cabforum.org/working-groups/server/baseline-requirements/documents/CA-Browser-Forum-TLS-BR-2.1.8.pdf [crtsh]: https://crt.sh/?q=blog.brycekerley.net [lol-diginotar]: https://en.wikipedia.org/wiki/DigiNotar#Issuance_of_fraudulent_certificates [iv-ocsp]: https://www.imperialviolet.org/2011/03/18/revocation.html [mac-ocsp]: Jeff Johnson’s [crlite]: these use cascading bloom filters which [short-lived]: the CA/BF baseline requirements [trustico-chrome]: https://security.googleblog.com/2017/09/chromes-plan-to-distrust-symantec.html [trustico-gone]: https://arstechnica.com/information-technology/2018/03/trustico-website-goes-dark-after-someone-drops-critical-flaw-on-twitter/ [trustico-compromise]: https://groups.google.com/g/mozilla.dev.security.policy/c/wxX4Yv0E3Mk/m/o1cdfx2nAQAJ [enclaves]: Amazon Web Services (AWS) and [history]: i mean, i remember from when it happened [parasite]: You may have realized that I don’t think [van-halen]: https://snackstack.net/2023/07/03/in-search-of-van-halens-brown-mms/ [osi]: I’m not going to hit you with a [responsibility]: in every part of your life! [bloom]: [later]: At time of publishing, it’s March 8, 2026 [hsts]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Strict-Transport-Security [hsts]: This is generally a hardcoded value, [cattle]: “cattle” is when there’s [ari]: https://letsencrypt.org/2025/09/16/ari-rfc [caddy-ari]: I checked Caddy, the front-end server [left]: there may be value in trying to renew [audits]: https://cabforum.org/about/information/auditors-and-assessors/audit-criteria/
Linux Internals: How /proc/self/mem writes to unwritable memory - offlinemark
Introduction An obscure quirk of the /proc/*/mem pseudofile is its “punch through” semantics. Writes performed through this file will succeed even if the destination virtual memory is marked unwritable. In fact, this behavior is intentional and actively used by projects such as the Julia JIT comp
Message Passing Is Shared Mutable State — Causality
The failure of message passing to eliminate concurrency bugs wasn't surprising, it was predicted. Edward Lee argued in 2006 that the shared-memory vs. message-passing debate was a false dichotomy. Go was a billion-dollar natural experiment. The results confirmed the prediction.
This post has been on my back burner for well over a year. This has bothered me, because every month that goes by I become more convinced that anonymous authentication the most important topic we c…
DNS-PERSIST-01: A New Model for DNS-based Challenge Validation
When you request a certificate from Let’s Encrypt, our servers validate that you control the hostnames in that certificate using ACME challenges. For subscribers who need wildcard certificates or who prefer not to expose infrastructure to the public Internet, the DNS-01 challenge type has long been the only choice. DNS-01 works well. It is widely supported and battle-tested, but it comes with operational costs: DNS propagation delays, recurring DNS updates at renewal time, and automation that often requires distributing DNS credentials throughout your infrastructure.
IPsec for high speed network links: Performance analysis and enhancements
Network packets security has always been significantly important and well researched topic but the network throughput and latency are not optimal on h…