The arithmetic used is not constant time, meaning the actual computational steps involved leak information about the secret, were either the recombination of the shares or the initial splitting were observed via side channels.
The arithmetic does not guard against party identifiers being zero or overflowing to zero, although it is not likely to occur when used this way.
I think that specific attack is pretty hard to pull off in practice (in normal scenarios, Vault secret unseals do not happen very often). But it can be a big problem if you were using a scheme where Shamir Secret sharing is used frequently (e.g. it can be triggered by a request sent by the attacker) and (I believe) with different parts of the secret every time.
It's probably safer to use an audited library, but here's a library that has been audited by two firms, and it's still using lookup tables:
The strangest thing is that the audit report by Cure53 mentions this issue, and says it was fixed, but it doesn't seem fixed (at least not in the way that I would expect and the way that HashiCorp fixed it, which is simply removing the tables and using constant-time math). The library maintainers seem to be very proactive and diligent about fixing other issues[1], so it really is strange.
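As an added illustration of the point made in the comments above (not code from Vault, HashiCorp, or the library being discussed), here is the GF(2^8) arithmetic a Shamir implementation rests on, written twice: the log/exp lookup-table form, whose secret-indexed memory accesses and data-dependent branch are the side channel the audit comment refers to, and a branchless fixed-iteration form of the kind the constant-time fix substitutes for it. A small split/combine over single bytes on top of the branchless multiply shows the other point raised: share identifiers must be non-zero and distinct, since a share at x = 0 is the secret itself and a repeated x makes the Lagrange denominator zero. The field polynomial (x^8 + x^4 + x^3 + x + 1, the AES field) and generator 3 are assumptions of this example; the comments do not state which field the library uses. CPython integers and lists carry no constant-time guarantee of their own, so the code demonstrates the structure of the two approaches, not a timing-safe artifact.

```python
import secrets

# Assumption for this example: the AES field x^8 + x^4 + x^3 + x + 1 (0x11b).
POLY = 0x1B  # low byte of the reduction polynomial


def gf_mul_ct(a: int, b: int) -> int:
    """Branchless GF(2^8) multiply: always 8 rounds, masks instead of
    branches, no table lookups. This is the shape constant-time code needs."""
    r = 0
    for _ in range(8):
        r ^= a & (-(b & 1) & 0xFF)            # add a iff low bit of b is set
        carry = -((a >> 7) & 1) & 0xFF        # 0xFF iff doubling a overflows
        a = ((a << 1) & 0xFF) ^ (POLY & carry)
        b >>= 1
    return r


def gf_inv_ct(a: int) -> int:
    """a^254 = a^-1 in GF(2^8). The exponent is a public constant, so the
    branch on its bits reveals nothing about the secret operand."""
    result, x = 1, a
    for i in range(8):
        if (254 >> i) & 1:
            result = gf_mul_ct(result, x)
        x = gf_mul_ct(x, x)
    return result


def _build_tables():
    """Classic exp/log tables for the field, generated by repeated *3."""
    exp, log = [0] * 510, [0] * 256
    x = 1
    for i in range(255):
        exp[i] = exp[i + 255] = x
        log[x] = i
        x2 = ((x << 1) & 0xFF) ^ (POLY if x & 0x80 else 0)  # x * 2
        x = x2 ^ x                                            # x * 3
    return exp, log


EXP, LOG = _build_tables()


def gf_mul_table(a: int, b: int) -> int:
    """Lookup-table multiply: functionally identical to gf_mul_ct, but the
    branch on zero and the memory accesses indexed by LOG[a] and LOG[b]
    depend on the secret operands, which is what a cache-timing probe sees."""
    if a == 0 or b == 0:
        return 0
    return EXP[LOG[a] + LOG[b]]


def split_byte(secret: int, n: int, k: int) -> list[tuple[int, int]]:
    """Shamir-split one byte into n shares, any k of which recover it.
    Party identifiers are 1..n: x = 0 would hand out the secret itself."""
    if not 1 <= k <= n <= 255:
        raise ValueError("need 1 <= k <= n <= 255")
    coeffs = [secret] + [secrets.randbelow(256) for _ in range(k - 1)]
    shares = []
    for x in range(1, n + 1):
        y = 0
        for c in reversed(coeffs):            # Horner evaluation at x
            y = gf_mul_ct(y, x) ^ c
        shares.append((x, y))
    return shares


def combine_byte(shares: list[tuple[int, int]]) -> int:
    """Lagrange interpolation at x = 0 using only the branchless multiply.
    Rejects x = 0 and repeated identifiers up front instead of silently
    computing garbage (a zero denominator inverts to 0 and corrupts the sum)."""
    xs = [x for x, _ in shares]
    if any(x == 0 for x in xs) or len(set(xs)) != len(xs):
        raise ValueError("share identifiers must be non-zero and distinct")
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = gf_mul_ct(num, xj)          # (0 - x_j) == x_j in char 2
                den = gf_mul_ct(den, xi ^ xj)     # (x_i - x_j)
        secret ^= gf_mul_ct(yi, gf_mul_ct(num, gf_inv_ct(den)))
    return secret


def tables_agree_with_ct() -> bool:
    """Exhaustive check that both multiplies compute the same field product."""
    return all(gf_mul_ct(a, b) == gf_mul_table(a, b)
               for a in range(256) for b in range(256))


if __name__ == "__main__":
    shares = split_byte(0x42, n=5, k=3)
    print("tables agree:", tables_agree_with_ct())
    print("recovered:", hex(combine_byte(shares[1:4])))
```

A full secret is split one byte at a time with a fresh random polynomial per byte and the same identifier x for each party, so the per-byte functions above are the whole primitive; the recombination path is the one worth making constant time, because it is the step an attacker who can trigger unseals repeatedly would get to observe.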
Yes, I'm also interested. Will have a new baby, so while I'd like to do in-person, it wouldn't be feasible for the next few (or more?) batches. Though I still plan on grinding either way.
Tor isn't a money transmitter, but also, they were indicted more for the fact they actively sought out sanctioned individuals in marketing/dev outreach
I tried the product and I don't think this intro does it justice – this is a surprisingly authentic experience that I didn't think consumer AI was ready to do. There were definitely some rough edges, but this feels good enough to pay for as a tech screen.
That "lawful" interception allows certificate issuance to be a means of wiretap completely undermines any trust one should have in CAs. It seems that an alternative is greatly needed.
They _do_ do that anyway for iCloud. The E2EE support was inherently better, as it significantly reduced the decrypted content exposure to Apple. The uproar over the feature and Apple’s relenting on the implementation resulted in no E2EE as the default. Allegedly advanced data protection does do E2EE for iCloud Photos though. I can understand the good intentions playing out poorly and being ripe for abuse.
Apple confirmed they down scan iCloud for unwanted content, and it's pretty obvious doing that would be a huge privacy risk, and it's very debatable whether that actual risk is worse than the theoretical risk of scope creep in on-device assisted scanning.