Eric Chiang
ericchiang.bsky.social
@oblique.security. Ex Google Security, CoreOS.

ericchiang.github.io
Reposted by Eric Chiang
🚨 Tap and Ride is LIVE! 🚨

Starting today, you can pay for BART right at the fare gates with a 💳 contactless-enabled debit or credit card or use 🤳 mobile payment, like Apple Pay and Google Pay.

There is zero registration or setup process required.
August 20, 2025 at 9:25 PM
Wrote about a fun @golang.org type trick where APIs can force clients to pass string constants as arguments. Happens to be _extremely_ useful for SQL builders!

oblique.security/blog/injecti...
Injection-proof SQL builders in Go | Oblique
SQL builders are always one bad logic bug away from full-blown query injection. This post covers how Oblique uses Go type tricks to prevent this entire class of backend issues.
oblique.security
August 18, 2025 at 3:48 PM
Reposted by Eric Chiang
How can you use a Terraform Provider to automate your Permission System?

Well, that's what @veronicalg.bsky.social is going to tell us in this livestream later today.

It's Office Hours format so bring any questions you may have.

www.youtube.com/live/OlQ70bq...
Use Terraform Providers to Automate Your Permission System
AuthZed now has a Terraform and OpenTofu Provider for the AuthZed Cloud API! This provider automates the management of resources in AuthZed Dedicated environments: Service accounts for programma...
www.youtube.com
August 14, 2025 at 3:46 PM
It turns out workload identity isn't a complete mess in 2025 (only a little one)? Wrote a bit about authenticating GitHub Actions identity directly using OpenID Connect.
Instead of minting long-lived API keys, you can use GitHub Actions' OpenID Connect support for workload identity. Here's how we authenticate config-as-code workflows in Oblique without secret management headaches.

Better security + Better developer experience 💟

oblique.security/blog/github-...
Authenticating GitHub Actions without API keys | Oblique
Instead of minting long-lived API keys and warning users “keep this secret,” let's use GitHub Action's OpenID Connect support instead.
oblique.security
July 31, 2025 at 11:22 PM
Oh hey, what's this fancy new IAM company?
Identity management has quietly become the primary security perimeter. But it's a mess — identity requires constant manual work that security teams burn out from.

At Oblique, we're helping organizations make their access controls actually maintainable.

Full post: oblique.security/blog/identit...
Identity management is harder than it should be | Oblique
Identity management is surprisingly hard, as access controls change constantly, and getting them right requires context. We founded Oblique to work on impactful security problems.
oblique.security
June 23, 2025 at 8:27 PM
Reposted by Eric Chiang
A friend needs a Workday test instance to build something interesting. Anyone know how to get one?

(A Workday instance; I kinda already know how to get a friend.)
June 9, 2025 at 11:30 PM
Every day I'm glad my job isn't staring into the IAM abyss of a large Cloud org.

matduggan.com/iam-is-the-w...
May 16, 2025 at 9:00 PM
Every time you feel useless, remember that GitHub has a notifications tab
May 7, 2025 at 8:02 PM
who needs coherent cyber policy when we excel so much at corporate litigation?

www.nytimes.com/2025/05/06/t...
Meta Awarded $167 Million in Damages From Israeli Cybersecurity Firm
www.nytimes.com
May 7, 2025 at 2:34 AM
Reposted by Eric Chiang
📣Today, we’re super excited to announce our latest product addition: Continuous Profiling for GPUs! Check out the use cases and sign up for early access on the announcement post! 🔥📈

www.polarsignals.com/blog/posts/2...
April 1, 2025 at 3:49 PM
Scraping Kubernetes codebases for os/exec continues to pay dividends

www.wiz.io/blog/ingress...
Remote Code Execution Vulnerabilities in Ingress NGINX | Wiz Blog
Wiz Research uncovered RCE vulnerabilities (CVE-2025-1097, 1098, 24514, 1974) in Ingress NGINX for Kubernetes allowing cluster-wide secret access.
www.wiz.io
March 26, 2025 at 6:27 PM
"middleware:middleware:middleware:middleware:middleware" is the new bloody mary

zhero-web-sec.github.io/research-and...
Next.js and the corrupt middleware: the authorizing artifact
CVE-2025-29927
zhero-web-sec.github.io
March 24, 2025 at 2:42 PM
Awesome to see Landlock making unprivileged isolation so easy. As someone who maintained bubblewrap jails, I'm hoping that this takes over user namespaces. Things like network controls are always a mess there.

github.com/Zouuup/landrun
GitHub - Zouuup/landrun: Run any Linux process in a secure, unprivileged sandbox using Landlock LSM. Think firejail, but lightweight, user-friendly, and baked into the kernel.
Run any Linux process in a secure, unprivileged sandbox using Landlock LSM. Think firejail, but lightweight, user-friendly, and baked into the kernel. - Zouuup/landrun
github.com
March 23, 2025 at 5:01 PM
Reposted by Eric Chiang
Quick reminder:
March 14, 2025 at 9:48 PM
"No way to see this coming" says only auth protocol with regular auth bypasses

github.blog/security/sig...
Sign in as anyone: Bypassing SAML SSO authentication with parser differentials
Critical authentication bypass vulnerabilities were discovered in ruby-saml up to version 1.17.0. See how they were uncovered.
github.blog
March 14, 2025 at 9:46 PM
"Vibe coding will ruin the quality of our codebase!"

The codebase:

github.com/pandas-dev/p...
March 12, 2025 at 10:50 PM
Reposted by Eric Chiang
On my way to New York! I’ll be there from Monday until Thursday evening, and still have some room to meet on Wednesday afternoon, anyone want to chat databases/observability/performance? Feel free to DM me!
March 2, 2025 at 5:08 PM
I finally read up on NVIDIA Confidential Compute, so you don't have to! Surely this will make all of our AI secure

ericchiang.github.io/post/confide...
Eric Chiang | Confidential Compute and GPUs
ericchiang.github.io
January 28, 2025 at 4:37 PM
Do OSS, it'll be fun!

*Ten years later and still getting reports on my day off about other people's buggy implementations*
January 20, 2025 at 6:16 PM
Reposted by Eric Chiang
According to Giraffe Security, AWS staff have somehow managed to re-introduce the same RCE vulnerability into its platform three times over the past four years

giraffesecurity.dev/posts/amazon...
January 8, 2025 at 10:47 PM
One of the coolest pieces of security tech I read about in 2024 was PyPI's builder identity verification done by Trail Of Bits. Didn't see much fanfare in my feeds when it was published, but definitely worth the read.

blog.trailofbits.com/2024/11/14/a...
Attestations: A new generation of signatures on PyPI
For the past year, we’ve worked with the Python Package Index (PyPI) on a new security feature for the Python ecosystem: index-hosted digital attestations, as specified in PEP 740. These attestatio…
blog.trailofbits.com
January 5, 2025 at 6:32 PM
Reposted by Eric Chiang
Streaming media DRM has nothing to do with TPMs and the FSF is just plain wrong: mjg59.dreamwidth.org/70954.html
January 2, 2025 at 1:16 AM
If the rust compiler is slow, why don't rustaceans simply rewrite it in rust?
writing Rust libraries feels like such a burden of always trying to decide "would my users prefer ergonomics or shorter compile time?"
December 25, 2024 at 8:18 PM
Reposted by Eric Chiang
The Go Blog
Go Protobuf: The new Opaque API
Michael Stapelberg
16 December 2024

go.dev/blog/protobu...

#golang
Go Protobuf: The new Opaque API - The Go Programming Language
We are adding a new generated code API to Go Protobuf.
go.dev
December 16, 2024 at 8:10 PM