[go: up one dir, main page]

Blog

Dhole Moments, Soa Talks, and Other Bad Puns…

Soatok’s Informal Guide to Threat Models

After a long day of exhausting conversations about Hybrid Post-Quantum Cryptography, random jackasses trying to play gotcha with endpoint attacks against end-to-end encrypted messaging apps, and message board discussions in the wake of dumb politicians pushing more “age verification” bullshit on us all, it’s become abundantly clear to me that the phrase “threat model” is…

Hybrid Constructions: The Post-Quantum Safety Blanket

The funny thing about safety blankets is they can double as stage curtains for security theater. “When will a cryptography-relevant quantum computer exist?” is a question many technologists are pondering as they stare into crystal balls or entrails. Two people I admire recently made a public long bet about that question, with a $5000 donation…

Cryptography Engineering Has An Intrinsic Duty of Care

To understand my point, I need to first explain three different cryptography attack papers / blog posts. I promise this won’t be boring. Three Little Disclosures Misuse-Prone Ciphers For All In a blog post titled Carelessness versus craftsmanship in cryptography, cryptography analyst and Queer in Cryptography emcee Opal Wright delves into the misuse-prone and side-channel-riddled…

Cryptographic Issues in Matrix’s Rust Library Vodozemac

If you’re reading this after Matrix’s blog post, make sure you read the addendum to this one. Two years ago, I glanced at Matrix’s Olm library and immediately found several side-channel vulnerabilities. After dragging their feet for 90 days, they ended up not bothering to fix any of it. The Matrix.org security team also failed…

Is End-to-End Encryption Optional For Large Groups?

One of the recent topics in Messaging App Discourse is whether it makes sense to prioritize End-to-End Encryption (E2EE) when searching for an alternative to Discord. Who’s Saying “No”? I’m going to quote 0xabad1dea here, because she is awesome and explains my “opposition” position better than anyone else: So You Want To Write An Open…

On Discord Alternatives

Next month, Discord is going to start requiring age verification. The backlash from gamers everywhere has been predictable and justified. I guess their company name checks out. I’ve had a few people reach out to me because of my prior vulnerability disclosures and criticism of encrypted messaging apps. (Thanks, Toggart.) Unfortunately, asking a cryptography-focused security…

Software Assurance & That Warm and Fuzzy Feeling

If I were to recommend you use a piece of cryptography-relevant software that I created, how would you actually know if it was any good? Trust is, first and foremost, a social problem. If I told you a furry designed a core piece of Internet infrastructure, the reception to this would be mixed, to say…

Practical Collision Attack Against Long Key IDs in PGP

In response to the GPG.Fail attacks, a Hacker News user made this claim about the 64-bit “Long Key IDs” used by OpenPGP and GnuPG, while responding to an answer I gave to someone else’s question: OK, to be clear, I am specifically contending that a key fingerprint does not include collisions. My proof is empirical, that no…

Everything You Need to Know About Email Encryption in 2026

If you think about emails as if they’re anything but the digital equivalent of a postcard–that is to say, postcards provide zero confidentiality–then someone lied to you and I’m sorry you had to find out from a furry blog that sometimes talks about applied cryptography. At the end of 2025, at the 39th Chaos Communications…

The Revolution Will Not Make the Hacker News Front Page

(with apologies to Gil Scott-Heron) If you get all of your important technology news from “content aggregators” like Hacker News, Lobste.rs, and most subreddits, you might be totally unaware of the important but boring infrastructure work happening largely on the Fediverse, indie web, and other less-centralized communities. This is no accident. The rough consensus of…

Something went wrong. Please refresh the page and/or try again.


Follow My Blog

Get new content delivered directly to your inbox.