Skip to content

Instantly share code, notes, and snippets.

View paragonie-scott's full-sized avatar

Scott paragonie-scott

View GitHub Profile
paragonie-scott / composer.diff
Created April 16, 2015 02:34
diff --git a/tmp/phr_471Znr/vendor/autoload.php b/tmp/phr_6bTGzo/vendor/autoload.php
index 46c0c70..65ab5cb 100644
--- a/tmp/phr_471Znr/vendor/autoload.php
+++ b/tmp/phr_6bTGzo/vendor/autoload.php
@@ -4,4 +4,4 @@
require_once __DIR__ . '/composer' . '/autoload_real.php';
-return ComposerAutoloaderInit0d991f5b8a84042e16cf24b4b1b48953::getLoader();
+return ComposerAutoloaderInit6ccd5a50ed5df4dc5993d5b375e26928::getLoader();
paragonie-scott / Asymmetric.php
Last active August 29, 2015 14:21
Crypto API
namespace Cryptography;
class Asymmetric
// Let's not let users hang themselves; if we need more padding options let's add them later
const PAD_DEFAULT = 0;
const DRIVER_OPENSSL = 'openssl';
const DRIVER_SODIUM = 'libsodium';
paragonie-scott /
Created May 22, 2015 19:16
Paragon Initiative Enterprises - Open Source Projects in Development Queue
  • JSON -> Content-Security-Policy header compiler for Apache and nginx configurations
paragonie-scott /
Created June 7, 2015 19:20
On the Industry

This is just a collection of thoughts and feelings about the technology industry and guidelines I feel should be upheld.

Public Speaking

Don't Present Original Research at Expensive Events

If a minimum wage employee cannot reasonably afford to attend an event (e.g. saving $300 for DEFCON is probably the upper limit), original research should NOT be presented at that event.

Presenting cutting-edge ideas to the wealthy only serves to insulate the fat cats from the disruptions of the poor. There are plenty of other researchers that hunger for career progression that will serve the whims and aims of the upper class that can afford to drop several thousand dollars on a technology conference.

paragonie-scott /
Created November 28, 2015 19:13
Why does Scott seem so self-promoting?

This is my formal response to variations of the question, Why do you always link to in your technical discussions? which some people have asked (or implied while accusing me of being up to no good).

The short answer is because I always try link to the most relevant answer I can provide to a specific technical question, and the most relevant way to introduce a point I'm about to make is usually a blog post that I've already written.

But more importantly, I stand by everything written on that website. If a blog post doesn't line up with my current understanding of security engineering, cryptography, and the art/science of web development in PHP, I'll go back and change the post to keep it in line with new information.

Many of the blog points explain, in significant detail, a technical matter that I don't feel like reiterating every time someone is about to make the same mistake that the community has already learned from.

Typically, when someone makes this accusati

paragonie-scott /
Last active February 2, 2016 01:25
LOL Entropy Estimates

Okay, let's say you have:

  • A password that consists of a single unknown character repeated an unknown number of times.
  • A strong password hashing algorithm that doesn't impose an upper limit on length.

How hard is your incredibly unwise passphrase for a cracker to guess?

First, you have to know which character it is. If we go with printable ASCII characters, that gives us 94 possibilities.

However, if we stretch the alphabet out to include all UTF-8 codepoints, you get 1,112,064 possible values.

scott@debian ~ $ php -dmbstring.func_overload=2 sammy_test.php
scott@debian ~ $ php sammy_test.php
paragonie-scott /
Created February 19, 2016 00:00 — forked from joepie91/
Remove Wired's "ad-blocker veil"


  • February 19, 2016: Initial release.


GitHub Gist doesn't send notifications when people leave a comment, so shoot me an e-mail at I'll gladly fix it. Fuck advertising.

paragonie-scott / WhatsAppSaudi.txt
Created July 13, 2016 19:10
WhatsApp Blocking Encrypted Calls to All Saudi Numbers
Suppose I have a friend named Alice. Alice has registered to WhatsApp with a
Saudi number but resides in Europe. We chat over WhatsApp regularly. We are both
using the latest version of WhatsApp for Android (2.16.155).
However, Alice is unable to receive or initiate WhatsApp calls, even though she
is in Europe and is using European WiFi. If you can test this, I suggest you do.
Get a Saudi phone number, register to WhatsApp, and then fly to France and make
a call. You will encounter the same result even if you're on French WiFi.
WhatsApp claims that "the Saudis are blocking the initial handshake [for