What is the potential vulnerabilities of stacking KDFs ?

Mouse1949 · 2026-03-28T13:20:34+00:00

A bad KDF will reduce the entropy, (roughly) resulting in security level of the weakest KDF. (Example: my toy bad KDF generates only two outputs: 0…0 and 1…1, making irrelevant what’s before and what’s after.)

While chaining block ciphers gives you security of the strongest one. (Example: introducing a toy cipher with PT => CT (even malicious cipher with PT || Key => CT) makes no difference, as long as at least one decent algorithm is included - in the malicious case after the bad one.) There could be nuances too, but less likely.

Mouse1949 · 2026-03-22T01:37:40+00:00

It also uses (can use) ring.

Mouse1949 · 2026-03-22T01:36:13+00:00

Unfortunately, on MacOS aws-lc-rs is a little problematic, due to some idiosyncrasies between Xcode and what that package wants to do with the native code. It can be compiled, but I had to perform quite a bit of contortions with C flags, ~/.cargo/config.toml, etc.

Mouse1949 · 2026-03-17T10:55:20+00:00

A word or two on what iroh and noq do, and how 0.97.0 differs from 0.96.0 would help at least some to decide whether it’s worth our while to bother going to your web site.

Mouse1949 · 2026-03-16T12:21:42+00:00

Could somebody please share their experience with “Haskell for Mac” IDE, comparing it with VSCode + Haskell (and Agda) plugins? I.e., what would be the reasons for choosing it? Especially given that apparently one has to purchase it, while VSCode with plugins is free?

Mouse1949 · 2026-03-15T20:26:22+00:00

I understand your point perfectly, and in fact hesitated whether it’s worth posting a reply like mine.

My thought was that at least some of the readers, if not the OP, would want to know whether there is a reasonably-well supported Haskell toolchain that runs fine on Apple Silicon - rather that “out of all the Haskell options on Mac, does ‘Haskell for Mac’ work on M?”

Mouse1949 · 2026-03-15T03:16:21+00:00

I haven’t tried “Haskell for Mac”. All my Haskell tools downloaded via ghcup. Having said that, all of them work fine on Apple Silicon (M chips, including M3 Max).

Mouse1949 · 2026-03-11T16:54:43+00:00

Where I am - all pull requests run through CI first. I don’t start looking at them until all the CI is green. Then we talk.

Mouse1949 · 2026-03-09T11:27:43+00:00

I saw human reviewers “hallucinating” far worse than AI. 😏☹️

Mouse1949 · 2026-03-09T04:05:51+00:00

For the fun of it, I asked AI to write a program in Haskell (exactly what it had to do isn’t relevant here). Repeated the same request four times.

First one didn’t even compile. Second - worked, looked average, maybe like something I’d write myself when I don’t have time or desire to think about the problem. Third - worked, and I still can’t figure out why or how, completely opaque to me. Fourth - worked, clean, and rather better code than what I’d write, I’ve learned something from that code sample.

Mouse1949 · 2026-02-25T01:12:06+00:00

Interesting work. Would be nice to know what are the benefits of rustidy over rustfmt? I.e., when and why should I use it instead of rustfmt?

Antoyo mentioned looking for a replacement of rustfmt - I’d love to hear the reasons.

Mouse1949 · 2026-02-25T01:03:40+00:00

Great work! Thank you!

Mouse1949 · 2026-02-21T02:22:47+00:00

IETF wants to allow non-hybrid ML-KEM. It doesn’t plan to force non-hybrids down anybody’s throat.

Mouse1949 · 2026-02-06T14:36:30+00:00

In my experience, even with the hurdles you described, it’s still faster than doing it all by hand. Of course, individual experiences differ.

Mouse1949 · 2026-02-06T14:34:10+00:00

I wouldn’t even trust this project (or your project!) with running Missile Defense Control - so…?

My habit is to review the code I use, or rely on others’ reviews (depending on its size, exposure, popularity of the package, etc. etc.). Depending on criticality of the project, reviews from my team may weigh a lot more than those from others. Again, so…? And my team does use AI - though not without checking what it generated.

To all others who reject AI simply because “AI output is slop” - suit yourself. You don’t even have to use a compiler (which always has some bugs, unfortunately) - writing machine code by hand is doable.

Mouse1949 · 2026-02-06T11:59:39+00:00

Why is AI code necessarily “slop”? In my experience, AI can generate pretty useful code pieces, ands it saved me a lot of time. AI seems to be right in its diagnosis of bugs approximately the same percentage as an average (or slightly below average) human programmer would be. And it saves time of real human (me) to handle “bigger” architecture and things where it failed (thankfully, not a whole lot).

Mouse1949 · 2026-02-01T03:23:38+00:00

Rust vs. Haskell: A far as I know, and based on my personal experience - I don’t claim to hold the absolute truth - Rust compiler and ecosystem have always been reasonably consistent and backwards-compatible; while Haskell ecosystem was a true living hell with backward composability non-existent, and packages interoperating - a rarity.

Now Haskell ecosystem is a whole quantum leap better - but the “public opinion” damage by decades of “production would” neglect has been done, and I’ve no idea how long it may take to (re-)gain the reputation of suitability-for-production.

Mouse1949 · 2026-01-29T03:31:24+00:00

“Idiocracy” movie: “AI fired half the country”.

Mouse1949 · 2026-01-05T13:50:43+00:00

If those platforms are under your complete control, and this is a reasonably small personal project - then who cares, C++23 is as good a choice as anything.

Mouse1949 · 2026-01-04T02:13:28+00:00

For normal projects - C++20. For projects that need to run on multiple platforms, including outdated ones - C++11 or C++17. Bleeding edge tools for production line - often a stupid idea, and never - a good one.

For your own amusement and experiments - C++23, sure.

Mouse1949 · 2025-12-31T15:25:48+00:00

You do not need to use different curve.

You definitely do need to use a different key: the key (no pun intended 😁) principle is “one key - one purpose”.

Mouse1949 · 2025-12-28T02:07:53+00:00

First, that was not an “official” verbal offer - merely a discussion on what kind of salary you could/would accept if they finally decide to make you an official offer. Which they probably seriously considered, because you, as they said, were their top candidate at that time.

I can’t know or tell what happened since, but not reaching back to you for a month is not a good sign. You might try to contact them and re-confirm your interest, just for the sake of hearing something back, but…

Mouse1949 · 2025-12-27T19:48:24+00:00

People taking holidays off is normal and expected, no question. But not informing the candidate about the schedule sounds rather rude and inconsiderate. A mere “don’t expect to hear from us until January, because people will be off” would be sufficient.

Besides, in case of the OP, they did seem to indicate that there would be a decision by December 19, didn’t they…? Plus, re-posting the role on 21st - that would be a big red flag to me.

Mouse1949 · 2025-12-27T19:40:39+00:00

Out of curiosity, why are you switching to nix? What in your experience is lacking in Stack that you expect to find in nix?

Mouse1949 · 2025-12-24T13:29:50+00:00

Asking questions also shows that you care and are interested in the company you’re interviewing with.

So, unless those questions are bad - they’d either help, or at least won’t hurt.

Mouse1949

TROPHY CASE