Eric Chiang
https://ericchiang.github.io/
Recent content in posts on Eric Chiang
Generator: Hugo -- gohugo.io
Language: en-us
Last updated: Tue, 25 Feb 2025 00:00:00 +0000

Protobuf generators for fun and profit
https://ericchiang.github.io/post/protoc-plugins/
Tue, 25 Feb 2025 00:00:00 +0000
There aren’t a ton of great options for API definition languages. OpenAPI and gRPC are the only real game in town, but each has its own shortcomings. OpenAPI is a huge, awkward language for expressing types. gRPC is focused on its own protocol rather than interoperating with more general semantics like REST. Since I vastly prefer the Protocol Buffer language over YAML, I was recently looking into REST bindings for gRPC, but the inconsistency of the ecosystem stands out.

Confidential Compute and GPUs
https://ericchiang.github.io/post/confidential-gpus/
Mon, 27 Jan 2025 00:00:00 +0000
Recently, I’ve had a few conversations about NVIDIA Confidential Compute, usually in the context of startups trying to sell security products to AI companies. The pitch generally looks like this: Companies are protective of their weights and their data. We should be able to train and/or run models on GPUs securely using attestation primitives. In the same way that we might store a private key in an HSM, surely we can design a similar construct for AI.

The road to zero trust is paved with good intentions
https://ericchiang.github.io/post/zero-trust/
Thu, 12 Dec 2024 00:00:00 +0000
This blog post is a written version of a talk that Eric and Maya gave at NorthSec in 2022. You can also watch the recording and get the slides. This blog post is also cross-posted to Maya’s blog.

We put together the material for this post in 2022 during the peak of the zero trust hype cycle, when RSA show floor booths, marketing materials, analyst reports, and even a US executive branch memorandum couldn’t stop talking about zero trust.

Writing shared libraries in Rust
https://ericchiang.github.io/post/rust-libs/
Mon, 26 Feb 2024 00:00:00 +0000
Every tool that gets big enough eventually provides a way to support third-party logic. Maybe you expose APIs for clients to call. Maybe you take some code and run it in a sandbox. Maybe you embed a Lua interpreter. For many programs, extensibility means dynamic shared libraries. Good old, “here’s a .so file for you to dlopen().” PKCS #11, Sudo Plugins, Python and NodeJS addons, SQLite and Postgres extensions, Nginx and httpd modules, even LD_PRELOAD hacks.

Calling C from Go
https://ericchiang.github.io/post/cgo/
Sat, 17 Feb 2024 00:00:00 +0000
What’s a little shared memory between friends? As someone who works a lot with operating systems, there are many scenarios that require loading C libraries. Plugins that use shared libraries, low-level device APIs, random Linux utilities. Despite modern options for interprocess communication, sometimes you get a header file and a shared object and have to run with it. This post covers cgo, Go’s C interoperability layer.

Referencing C
Go programs reference C symbols through the magic “C” package.

Analyzing Spotify stream history
https://ericchiang.github.io/post/spotify/
Mon, 12 Feb 2024 00:00:00 +0000
Apologies in advance for the music tastes. I recently learned Spotify provides downloads for users’ streaming history. For me, this is over 10 years’ worth of data, so at the very least it seemed like a good nostalgia trip.

This post covers some of my analysis of my personal export, and hopefully is a good starting place if you’re interested in exploring your own. To request your data, visit your Spotify account’s privacy page and select “Extended streaming history.”

The Rust borrow checker
https://ericchiang.github.io/post/rust-borrow/
Tue, 07 Sep 2021 00:00:00 +0000
I’ve been having fun with Rust lately. Rust is notoriously difficult, but at some point it clicks and starts to look like any language: structs and methods. Except you don’t have to worry about a bad free() causing a vulnerability, or a basic string operation segfaulting. Success with Rust’s memory model depends on understanding a few core concepts, and this post will go over references (and when to avoid them). My first mistake was to think of references (&T) as pointers.

The Trusted Platform Module key hierarchy
https://ericchiang.github.io/post/tpm-keys/
Mon, 04 Jan 2021 00:00:00 +0000
The Trusted Platform Module is a security device that sits on a physical motherboard, runs in a CPU trust zone, or is provided by a hypervisor. By functioning below the OS and boot sequence, it provides a trust anchor to verify those systems even if they’ve been compromised. TPMs are required for any device qualified for Windows, underpinning technologies like Windows’ BitLocker, various features in ChromeOS, and Linux’s Integrity Measurement Architecture.

Keep it simple, stupid
https://ericchiang.github.io/post/kiss/
Sun, 05 Jan 2020 00:00:00 +0000
Growing up in the Bay Area, I used to go to the Zeum in San Francisco with my parents. Since rebranded as the Children’s Creativity Museum, it’s a space in Yerba Buena Gardens that hosts exhibits catering to kids. By far, my favorite activity was the claymation, where I’d get to design characters and shoot short scenes.

I figured out how to make a model jump using wires and add a muzzle flash with one frame of red clay.

Privileged containers aren't containers
https://ericchiang.github.io/post/privileged-containers/
Mon, 23 Sep 2019 00:00:00 +0000

Disabling security features
Applications that interact with host systems, such as network plugins or storage drivers, can have issues when run in a container, requesting access that’s been restricted by the kernel. For these cases, container runtimes have an out to disable these security features and let the process access the host. In Kubernetes this is achieved with the “privileged” security context field:

    containers:
    - name: flannel
      image: quay.io/coreos/flannel:v0.11.0-amd64
      command:
      - "/opt/bin/flanneld"
      - "--ip-masq"
      - "--kube-subnet-mgr"
      - "--iface=$(POD_IP)"
      env:
      - name: POD_IP
        valueFrom:
          fieldRef:
            fieldPath: status.

User namespaces
https://ericchiang.github.io/post/user-namespaces/
Wed, 20 Feb 2019 00:00:00 +0000
Ian Coldwater recently had a great thread on bridging the gap between the security and container worlds. A lot of those answers won’t fit in a tweet, so here’s my attempt at a more in-depth response.

Namespaces for everyone
User namespaces are a way to create unique views of user and group IDs. Unlike other namespaces, they can be created by non-root users and are primarily used by unprivileged processes to access capabilities normally reserved for root.

Containers from scratch
https://ericchiang.github.io/post/containers-from-scratch/
Sat, 07 Jan 2017 00:00:00 +0000
This is a write-up of a talk I gave at CAT BarCamp, an awesome unconference at Portland State University.

The talk started with the self-imposed challenge “give an intro to containers without Docker or rkt.” Often thought of as cheap VMs, containers are just isolated groups of processes running on a single host. That isolation leverages several underlying technologies built into the Linux kernel: namespaces, cgroups, chroots, and lots of terms you’ve probably heard before.

A Let's Encrypt client for Go
https://ericchiang.github.io/post/go-letsencrypt/
Fri, 13 Nov 2015 00:00:00 +0000
Just want to jump into the GitHub project? Click here. If you haven’t heard, Let’s Encrypt is trying to secure the internet with automated and free TLS certificates. In preparation for the Public Beta in December, I’ve written a simple client in Go which you can go get on GitHub. This post uses that client to take you through the workflow of signing up, completing challenges, and requesting certificates. Let’s Encrypt!

Testing databases with Docker
https://ericchiang.github.io/post/testing-dbs-with-docker/
Mon, 14 Sep 2015 00:00:00 +0000
Databases, authentication management, metric aggregators; there’s a service or API for everything. There’s also a place called dependency hell. Dependency hell. Where it’s impossible to run a test on your laptop. Where bugs are found by running a main, clicking around, and seeing what breaks. Where you cross your fingers and pray that new versions don’t break everything. Where we use mocks and stubs to combat a growing technology stack.

TLS with Go
https://ericchiang.github.io/post/go-tls/
Sun, 21 Jun 2015 00:00:00 +0000
NOTE: For an updated version of this post, see the GopherCon 2019 talk “PKI for Gopher”. (Video, Slides)

For a long time my knowledge of TLS was Googling “how to configure nginx as an HTTPS proxy.” Okay, the cert goes here and the key goes here, that’s my job done.

But with more and more pushes for things like HTTPS and HTTP/2 (which defaults to using TLS), it sometimes helps to understand this a little better.

about
https://ericchiang.github.io/about/
Mon, 01 Jan 0001 00:00:00 +0000
Co-Founder and CTO at Oblique.

email: eric.chiang.m@gmail.com
github: @ericchiang
bluesky: @ericchiang.bsky.social
linkedin: profile

Work
Oblique - March 2025 - present
Google - July 2018 - March 2025
CoreOS (acquired by Red Hat) - November 2015 - June 2018
Yhat (YC W15) - March 2014 - November 2015
IBM (intern) - June 2013 – September 2013
Genentech (intern) - March 2013 – June 2013
Cloudera (intern) - May 2012 – August 2012

Talks

license
https://ericchiang.github.io/license/
Mon, 01 Jan 0001 00:00:00 +0000
All code snippets on this site (ericchiang.github.io) are provided under the following license:

Creative Commons Legal Code
CC0 1.0 Universal

CREATIVE COMMONS CORPORATION IS NOT A LAW FIRM AND DOES NOT PROVIDE LEGAL SERVICES. DISTRIBUTION OF THIS DOCUMENT DOES NOT CREATE AN ATTORNEY-CLIENT RELATIONSHIP. CREATIVE COMMONS PROVIDES THIS INFORMATION ON AN "AS-IS" BASIS. CREATIVE COMMONS MAKES NO WARRANTIES REGARDING THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS PROVIDED HEREUNDER, AND DISCLAIMS LIABILITY FOR DAMAGES RESULTING FROM THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS PROVIDED HEREUNDER.