Eric Chiang's Avatar

Eric Chiang

@ericchiang

@oblique.security. Ex Google Security, CoreOS. ericchiang.github.io

116
Followers 120
Following 41
Posts 07.03.2024
Joined
Posts Following

Latest posts by Eric Chiang @ericchiang

Look, I'll take being a year behind Filippo as not being too bad.

25.02.2026 20:17 πŸ‘ 1 πŸ” 0 πŸ’¬ 1 πŸ“Œ 0
Preview
Passkey PRFs for end-to-end encryption | Oblique The passkey PRF extension lets syncable credentials do much more than login users. See how apps are using this for end-to-end encryption.

Turns out, I'm the only one who didn't know about the passkey PRF extension. Wrote up a post about using it for end-to-end encryption!

oblique.security/blog/passkey...

25.02.2026 20:06 πŸ‘ 3 πŸ” 1 πŸ’¬ 1 πŸ“Œ 0
Preview
Go Playground - The Go Programming Language

Yep!

If two goroutines are blocked by sleeping the same amount of time, then synctest picks which to unblock at random:

go.dev/play/p/J7XMk...

09.02.2026 03:17 πŸ‘ 2 πŸ” 0 πŸ’¬ 0 πŸ“Œ 0

GCP managed certs work by pointing Cloudflare DNS records at your load balancer. Manage both through Terraform and that's hopefully not too terrible when you're spinning up services on new subdomains.

16.12.2025 02:32 πŸ‘ 0 πŸ” 0 πŸ’¬ 0 πŸ“Œ 0
Post image

Bad news everyone

10.12.2025 05:47 πŸ‘ 0 πŸ” 0 πŸ’¬ 0 πŸ“Œ 0

I've heard of tougher noogler projects

24.09.2025 01:28 πŸ‘ 4 πŸ” 0 πŸ’¬ 1 πŸ“Œ 0

Surely someone there is smart enough to just implement 802.1x for corp devices?

24.09.2025 01:24 πŸ‘ 5 πŸ” 0 πŸ’¬ 1 πŸ“Œ 0
Video thumbnail

🚨 Tap and Ride is LIVE! 🚨

Starting today, you can pay for BART right at the fare gates with a πŸ’³ contactless-enabled debit or credit card or use 🀳 mobile payment, like Apple Pay and Google Pay.

There is zero registration or setup process required.

20.08.2025 21:25 πŸ‘ 38 πŸ” 11 πŸ’¬ 3 πŸ“Œ 6
Preview
Injection-proof SQL builders in Go | Oblique SQL builders are always one bad logic bug away from full-blown query injection. This post covers how Oblique uses Go type tricks to prevent this entire class of backend issues.

Wrote about a fun @golang.org type trick where APIs can force clients to pass string constants as arguments. Happens to be _extremely_ useful for SQL builders!

oblique.security/blog/injecti...

18.08.2025 15:48 πŸ‘ 1 πŸ” 0 πŸ’¬ 0 πŸ“Œ 1
Preview
Use Terraform Providers to Automate Your Permission System AuthZed now has a Terraform and OpenTofu Provider for the AuthZed Cloud API! This provider automates the management of resources in AuthZed Dedicated environments: Service accounts for programma...

How can you use a Terraform Provider to automate your Permission System?

Well, that's what @veronicalg.bsky.social is going to tell us in this livestream later today.

It's Office Hours format so bring any questions you may have.

www.youtube.com/live/OlQ70bq...

14.08.2025 15:46 πŸ‘ 3 πŸ” 3 πŸ’¬ 1 πŸ“Œ 0

It turns out workload identity isn't a complete mess in 2025 (only a little one)? Wrote a bit about authenticating GitHub Actions identity directly using OpenID Connect.

31.07.2025 23:22 πŸ‘ 3 πŸ” 0 πŸ’¬ 0 πŸ“Œ 0

Oh hey, what's this fancy new IAM company?

23.06.2025 20:27 πŸ‘ 3 πŸ” 0 πŸ’¬ 0 πŸ“Œ 0

A friend needs a Workday test instance to build something interesting. Anyone know how to get one?

(A Workday instance; I kinda already know how to get a friend.)

09.06.2025 23:30 πŸ‘ 50 πŸ” 4 πŸ’¬ 8 πŸ“Œ 0

We're doing new container runtimes in 2025? Hell yeah

09.06.2025 21:02 πŸ‘ 5 πŸ” 0 πŸ’¬ 1 πŸ“Œ 0

So if I'm reading this right

Step 1 - generate a private key with no forward secrecy

Step 2 - upload private key to twitter (but don't worry it's protected by a low entropy PIN)

Ummmmmmmmm

05.06.2025 15:51 πŸ‘ 2 πŸ” 0 πŸ’¬ 1 πŸ“Œ 0
So that's effectively the AWS story, which is terrible but at least it's possible to cobble together something that works and you can audit. Google looked at this and said "what if we could express how much we hate Infrastructure teams as a service?" Expensive coffee robots were engaged, colorful furniture was sat on and the brightest minds of our generation came up with a system so punishing you'd think you did something to offend them personally.

So that's effectively the AWS story, which is terrible but at least it's possible to cobble together something that works and you can audit. Google looked at this and said "what if we could express how much we hate Infrastructure teams as a service?" Expensive coffee robots were engaged, colorful furniture was sat on and the brightest minds of our generation came up with a system so punishing you'd think you did something to offend them personally.

Every day I'm glad my job isn't staring into the IAM abyss of a large Cloud org.

matduggan.com/iam-is-the-w...

16.05.2025 21:00 πŸ‘ 1 πŸ” 0 πŸ’¬ 0 πŸ“Œ 0

What a sicko

07.05.2025 20:34 πŸ‘ 2 πŸ” 0 πŸ’¬ 1 πŸ“Œ 0

Every time you feel useless, remember that GitHub as a notifications tab

07.05.2025 20:02 πŸ‘ 2 πŸ” 0 πŸ’¬ 1 πŸ“Œ 0
Preview
Meta Awarded $167 Million in Damages From Israeli Cybersecurity Firm

who needs coherent cyber policy when we excel so much at corporate ligation?

www.nytimes.com/2025/05/06/t...

07.05.2025 02:34 πŸ‘ 1 πŸ” 0 πŸ’¬ 0 πŸ“Œ 0
Preview
runtime: green tea garbage collector · Issue #73581 · golang/go Green Tea 🍡 Garbage Collector Authors: Michael Knyszek, Austin Clements Updated: 2 May 2025 This issue tracks the design and implementation of the Green Tea garbage collector. As of the last update...

New experimental garbage collector for Go programs! github.com/golang/go/is...

02.05.2025 18:54 πŸ‘ 123 πŸ” 41 πŸ’¬ 2 πŸ“Œ 2

@mayakaczorowski.com's been using it a ton and had great things to say.

05.04.2025 18:31 πŸ‘ 1 πŸ” 0 πŸ’¬ 1 πŸ“Œ 0
Post image

πŸ“£Today, we’re super excited to announce our latest product addition: Continuous Profiling for GPUs! Check out the use cases and sign up for early access on the announcement post! πŸ”₯πŸ“ˆ

www.polarsignals.com/blog/posts/2...

01.04.2025 15:49 πŸ‘ 8 πŸ” 3 πŸ’¬ 0 πŸ“Œ 5

You're not even using nix packages? What kind of tech hipster are you?

27.03.2025 16:06 πŸ‘ 1 πŸ” 0 πŸ’¬ 1 πŸ“Œ 0
Preview
Remote Code Execution Vulnerabilities in Ingress NGINX | Wiz Blog Wiz Research uncovered RCE vulnerabilities (CVE-2025-1097, 1098, 24514, 1974) in Ingress NGINX for Kubernetes allowing cluster-wide secret access.

Scraping Kubernetes codebases for os/exec continues to pay dividends

www.wiz.io/blog/ingress...

26.03.2025 18:27 πŸ‘ 0 πŸ” 0 πŸ’¬ 0 πŸ“Œ 0
Next.js and the corrupt middleware: the authorizing artifact CVE-2025-29927

"middleware:middleware:middleware:middleware:middleware" is the new bloody mary

zhero-web-sec.github.io/research-and...

24.03.2025 14:42 πŸ‘ 0 πŸ” 0 πŸ’¬ 0 πŸ“Œ 0

I really wish progressive web apps took off so every app didn't come with a chrome fork

24.03.2025 01:25 πŸ‘ 2 πŸ” 0 πŸ’¬ 1 πŸ“Œ 0
Preview
GitHub - Zouuup/landrun: Run any Linux process in a secure, unprivileged sandbox using Landlock LSM. Think firejail, but lightweight, user-friendly, and baked into the kernel. Run any Linux process in a secure, unprivileged sandbox using Landlock LSM. Think firejail, but lightweight, user-friendly, and baked into the kernel. - Zouuup/landrun

Awesome to see Landlock making unprivileged isolation so easy. As someone who maintained bubblewrap jails, I'm hoping that this takes over user namespaces. Things like network controls are always mess there.

github.com/Zouuup/landrun

23.03.2025 17:01 πŸ‘ 2 πŸ” 0 πŸ’¬ 0 πŸ“Œ 0
Post image

Quick reminder:

14.03.2025 21:48 πŸ‘ 3 πŸ” 1 πŸ’¬ 1 πŸ“Œ 0

Was it petty? Yes. Was it necessary? Also yes.

14.03.2025 22:45 πŸ‘ 2 πŸ” 0 πŸ’¬ 0 πŸ“Œ 0
Post image

Quick reminder:

14.03.2025 21:48 πŸ‘ 3 πŸ” 1 πŸ’¬ 1 πŸ“Œ 0