If you’ve seen The Imitation Game or studied computer science in school, you have likely heard of Enigma, Alan Turing, or some of the other advances in cryptography that took place during the Second World War. During this time and until the 1970s, governments from around the world had near-total control of all cryptographic systems. It was nearly impossible to learn about encryption without going through a government agency. One of the major contributing factors to cryptography becoming a discipline within the public domain was Whitfield Diffie and Martin Hellman’s invention of public-key cryptography in 1976.
Brute force attackers guess passwords, passphrases, and private keys in an attempt to eventually get the right answer and crack the security of a system. They systematically guess every combination. For example, if they were guessing telephone numbers in the US: (000) 000-0000 (000) 000-0001 (000) 000-0002 ... (000) 000-0010 (000) 000-0011 ... The question is, how do they know when they have the right key? It depends on the system.
Choosing the right dependencies is a difficult task. Assuming the developer of an application is the best programmer in the world, the “best” thing to do would be to write the entire codebase alone. This would eliminate the bugs, vulnerabilities, and malicious intrusions of inferior developers. The trouble is that we like to move quickly in order to be able to compete in the market and offer new features. We try to avoid re-inventing the wheel when the wheel in question is widely used, is peer-reviewed, and we consider it stable and trusted.
We all have hundreds of online accounts. Ideally, as many of those accounts as possible have unique passwords. Unique passwords however present a difficult problem. No one can remember hundreds of strong passwords. To fix this problem, we created password managers. Now, all of our passwords are neatly stored in one place, encrypted by one master password or passphrase. The problem with this of course is the master password or passphrase needs to be very secure.
In the wake of the hearings about Facebook’s new Libra blockchain, it is more important than ever that we all understand the difference between trustworthy and trustless apps. A trustworthy app is an app whose developers are known and trusted by the community. The developer’s reputations and businesses are on the line, so it motivates them to make sure their applications have few bugs and no malicious code. A trustless app is an app whose code is open-source so that the community can see for themselves that the code has few bugs and no malicious code.
We recently integrated Snyk into boot.dev as a way to get more visibility into known vulnerabilities in boot.dev’s codebase. Snyk has already patched a critical vulnerability in lodash for us. This allowed us to continue releasing new versions before the official fix for lodash was published a few days ago. We can’t speak to whether Snyk is a cost-effective tool for commercial applications. However, their support for the open-source community by offering free integrations is worth the few minutes it takes to install.