Padding Oracle Attack or the Virtues of a Glomar response

Rohit Aggarwal wrote “While working on the excellent CryptoPals challenges, I came across the Padding Oracle Attack. The particular version of the attack I was working through was on CBC mode Decryption when used with AES symmetric key cryptography. The attack has nothing to do with AES and everything to do with this block cipher mode of operation. Various forms of…”


Setting up CI

Patrick Tschorn wrote “for go I was recently asked to set up a CI server for one of our go projects and decided to try out 0.8. From my point of view, the two most attractive features of are that: the build is defined through a single .drone.yml file in the root directory of the…”


5 Whys considered harmful

Ian Rogers wrote “Adverse events happen – a website breaks down, a project doesn’t get delivered on time – and a proposed technique to find ‘the root cause’ is to ask the “5 Whys”. Attributed to Sakichi Toyoda in the 1930s and adopted by Toyota and other formal techniques, it’s basically the technique of listing a fault and then asking…”

Just Enough Design

Ian Rogers wrote “On the one hand it’s become a bit of a cliché to say that Waterfall doesn’t work (in fact ‘waterfall’ may never have existed), but we know that rigid projects don’t deliver—when the level of resources is the only contingency in a project then budget overrun and missed deadlines (or lowered quality) become almost inevitable.…”

A basic recipe for an Elixir SSL server

Patrick Tschorn wrote “In this post, we’ll first try out Erlang’s SSL application interactively and then put together a simple Elixir SSL server OTP application using the Supervisor and GenServer behaviours. Preparation First of all, we’ll create a self-signed certificate: mkdir foo cd foo openssl genrsa -out key.pem 1024 openssl req -new -key key.pem -out request.pem # (using…”

Panegyric: showing off what we’ve done on Github

Tom Parker wrote “Last month, I said we’d be talking more about open source work that we’re doing. This month, I’ve been building Panegyric, a WordPress plugin (which is what this site is written in). This plugin (which isn’t live on the site yet, but will be soon) lists all the Github pull requests we’ve recently done. However…”


Choosing the right scaffold

Ceri Storey wrote “One thing I’ve come to realise as I’ve matured as a developer is that it turns out I’m merely human. That is somewhat obvious, but you often hear people opine on various discussion boards that their particular tools (that other people feel are error prone) are actually just fine; as long as you remember to…”


GraphQL is really TreeQL and that’s OK

Ian Rogers wrote “Let’s have a look at GraphQL. It came out of Facebook as a replacement for REST style requests for querying data. It was initially developed from 2012 and made open source in 2015. As Facebook’s main database is the “social graph” it was naturally named GraphQL but, as we’ll see, that’s not a completely accurate…”


Making the dockers work

Ceri Storey wrote “Over the past few weeks I’ve been focusing mostly on build and deployment tooling around docker and Kubernetes. One particular downside of the current system is our applications have a fair number of service dependencies. Up until now, we’ve taken to running everything inside docker using docker-compose, but this feels to me more like a way…”

Automagical port allocation for tests

Ceri Storey wrote “It’s quite common to want to test a network service from the outside, as if it was being accessed from a client. Quite often, people will pick a “well-known” port to use, e.g. port 8080 or 8888 for an HTTP service. But that means that if you leave a stray service process lying around, you’ll need to hunt it…”