This post is the first in a new series covering some of the reasoning behind decisions made in my project to build end-to-end encryption for direct messages on the Fediverse. (Collectively, Fedi-E2EE.) Although the reasons for specific design decisions should be immediately obvio … | Continue reading
Another wave of Twitter users are jettisoning the social media website in favor of alternatives. Some are landing in the Fediverse (Mastodon and other ActivityPub-enabled software). Others are going to BlueSky. Some are just outright abandoning social media entirely, disillusione … | Continue reading
It’s been more than five years since The PGP Problem was published, and I still hear from people who believe that using PGP (whether GnuPG or another OpenPGP implementation) is a thing they should be doing. It isn’t. The part of the free and open source software community that th … | Continue reading
If you’re new to reading this blog, you might not already be aware of my efforts to develop end-to-end encryption for ActivityPub-based software. It’s worth being aware of before you continue to read this blog post. To be very, very clear, this is work I’m doing independent of th … | Continue reading
Spoiler: It’s nothing scandalous or bad. Every once in a while, someone posts this photo on Twitter to attempt to dunk on furries: Over the years, I’ve seen this discourse play out several times. The people that post this photo usually don’t elaborate on why they think this photo … | Continue reading
Neil Madden recently wrote a blog post titled, Digital Signatures and How to Avoid Them. One of the major points he raised is: Another way that signatures cause issues is that they are too powerful for the job they are used for. You just wanted to authenticate that an email came … | Continue reading
Every hype cycle in the technology industry continues a steady march towards a shitty future that nobody wants. The Road to Hell Once upon a time, everyone was all hot and bothered about Big Data: Having lots of information–far too much to process with commodity software–was supp … | Continue reading
In 2022, I wrote about my plan to build end-to-end encryption for the Fediverse. The goals were simple: The primary concern at the time was “honest but curious” Fediverse instance admins who might snoop on another user’s private conversations. After I finally was happy with the c … | Continue reading
Ever since the Invisible Salamanders paper was published, there has been a quiet renaissance within my friends and colleagues in applied cryptography for studying systems that use Authenticated Encryption with Associated Data (AEAD) constructions, understanding what implicit assu … | Continue reading
I need everyone to understand something: This doesn’t matter. Dhole Moments is not the official outlet of anything that will affect you or your daily life. It carries no financial weight or political power. It doesn’t represent any company, organization, or government agency. To … | Continue reading
There are two mental models for designing a cryptosystem that offers end-to-end encryption to all of its users. The first is the Signal model. Predicated on Moxie’s notion that the ecosystem is moving, Signal (and similar apps) maintain some modicum of centralized control over th … | Continue reading
Earlier this year, I wrote about a planned effort to design a federated Key Transparency proposal. The end goal for this work was constrained to building end-to-end encryption into a new type of Direct Message on the Fediverse, with other protocols and services being a stretch goal … | Continue reading
I don’t consider myself exceptional in any regard, but I stumbled upon a few cryptography vulnerabilities in Matrix’s Olm library with so little effort that it was nearly accidental. It should not be this easy to find these kinds of issues in any product people purportedly rely on … | Continue reading
XMPP is a messaging protocol (among other things) that needs no introduction to any technical audience. Its various implementations have proliferated through technical communities for decades. Many large tech companies today used to run XMPP servers. However, the basic protocol t … | Continue reading
A lot of recent (and upcoming) blog posts I’ve written, and Fediverse discussions I’ve participated in, have been about the security of communication products. My criticism of these products is simply that, from a cryptography and security perspective, they’re not a real competit … | Continue reading
Can’t get enough of blog posts written by furries? This post aims to curate some of the other blogs written by furries that are worth sharing with my regular readers. Many (but not all) of these furry blogs are focused on technology in some way. Background Information Many years … | Continue reading
My inaugural blog post went live on April 21, 2020. This post is scheduled to go live on Sunday, July 21, 2024. If you are reading this post, then at least 1,552 days have transpired since my first blog post went live. The Confederacy lasted from February 6, 1861 to May 9, 1865, … | Continue reading
A common narrative on discussion boards like Hacker News is that my inclusion of my fursona on my technical blog posts somehow makes them unsuitable for consumption in a business setting. (This claim is made despite the fact that I’ve never posted pornographic art on this blog.) … | Continue reading
Four years ago, I wrote a (surprisingly popular) blog post about the notion of wear-out for symmetric encryption schemes. Two years ago, I wrote a thing about extending the nonce used by AES-GCM without introducing foot-guns. This was very recently referenced in one of Filippo Va … | Continue reading
In late 2022, I blogged about the work needed to develop a specification for end-to-end encryption for the fediverse. I sketched out some of the key management components on GitHub, and then the public work abruptly stalled. A few of you have wondered what’s the deal with that. T … | Continue reading
Many of the most annoying and pervasive problems with the furry fandom–from the cyclical nature of Twitter discourse to the increasingly frustrating issue of furry convention main hotel registrations selling out immediately after opening–are entirely predictable if you know even … | Continue reading
I have been a begrudging user of Telegram for years simply because that’s what all the other furries use. When I signed up, I held my nose and expressed my discontent at Telegram by selecting a username that’s a dig at MTProto’s inherent insecurity against chosen ciphertext attac … | Continue reading
Thanks to Samantha Cole at 404 Media, we are now aware that Automattic plans to sell user data from Tumblr and WordPress.com (which is the host for my blog) for “AI” products. In response to journalists probing this shady decision from Automattic leadership, the company said noth … | Continue reading
There is, at the time of this writing, an ongoing debate in the Crypto Research Forum Group (CFRG) at the IETF about KEM combiners. One of the participants, Deirdre Connolly, wrote a blog post titled How to Hold KEMs. The subtitle is refreshingly honest: “A living document on how … | Continue reading
The people afraid to show their peers or bosses my technical writing because it also contains furry art are some of the dumbest cowards in technology. Considering the recent events at ApeFest, a competitive level of stupidity is quite impressive. To be clear, the exhibited stupid … | Continue reading
Dhole Moments is not a music blog. I will not pretend to be an expert on music, music theory, or music appreciation. But it goes even further than that: I am so untalented at music that I exert a vacuum pressure on musicians who cross my path at furry conventions. Regular readers … | Continue reading
If you’ve paid attention to Hacker News or various technology subreddits in recent years, you may have noticed the rise of VPN companies like Tailscale and ZeroTier. At the core of their networking products is a Noise-based Protocol (often WireGuard). If you haven’t been paying a … | Continue reading
A few days ago, I wrote a personal blurb about my experience with Return-to-Office, Forced Relocation, and top-down Corporate Bullshit. This was a departure from my usual fare in two ways: I had figured that quick write-up would fill the void while I work on the more ambitious te … | Continue reading
I quit my job towards the end of last month. When I started this blog, I told myself, “Don’t talk about work.” Since my employment is in the rear view mirror, I’m going to bend that rule for once. And most likely, only this one time. Why? Since I wrote a whole series about how [… … | Continue reading
Last year, I went to the Quantum Village and encountered some absolute bullshit, which I proceeded to call out. This year, while I was walking around the Crypto + Privacy Village at DEFCON 31 in fursuit, a wild Cendyne approached me and asked, “There are going to be some debates … | Continue reading
Recently, there has been a lot of misinformation and propaganda flying around the American news media about the furry fandom. Unfortunately, this seems to be increasing with time. Consequently, there are a lot of blanket statements and hot takes floating around social media right … | Continue reading
Regular readers of Dhole Moments should always keep this in mind: | Continue reading
Recently, it occurred to me that there wasn’t a good, focused resource that covers commitments in the context of asymmetric cryptography. I had covered confused deputy attacks in my very short (don’t look at the scroll bar) blog post on database cryptography, and that’s definite … | Continue reading
An introduction to database cryptography. | Continue reading
A quick reference to anti-furry dog-whistles for busy journalists and investigative reporters. | Continue reading
Tails from the Cryptographic Side of Security Research | Continue reading
A recap of this blog and its author in 2022 | Continue reading
Ever since the famous “Open Sesame” line from One Thousand and One Nights, humanity was doomed to suffer from the scourge of passwords. Even in a world where we use hardware tokens with asymmetric cryptography to obviate the need for passwords in modern authentication protocols, … | Continue reading
When it comes to AES-GCM, I am not a fan. Most of my gripes fall into one of two categories: However, one of my gripes technically belongs in both categories: The small nonce size, which is caused by AES’s block size, limits the amount of data you can safely encrypt with a single … | Continue reading
I got banned for criticizing Twitter’s security, as I’ve done often in the past without repercussion. | Continue reading
As Twitter’s new management continues to nosedive the platform directly into the ground, many people are migrating to what seem like drop-in alternatives; i.e. Cohost and Mastodon. Some are even considering new platforms that none of us have heard of before (one is called “Hive”) … | Continue reading
What will become of the Internet, and the furry fandom, if Elon Musk kills Twitter? | Continue reading
A nuanced answer to the obvious question in response to Patreon firing an entire Security Team in 2022. | Continue reading
We don't need stupid rules about fursuiting at furry conventions | Continue reading
Cryptographic agility is a vaguely defined property, but is commonly understood to mean, “Able to quickly swap between cryptographic primitives in response to new attacks.” Wikipedia defines cryptographic agility as: Cryptographic agility is a practice paradigm in designing infor … | Continue reading
feat. Vikram Sharma of QuintessenceLabs | Continue reading
Form generating and processing library for PHP 8 projects | Continue reading
and Got Banned for Doing the Right Thing | Continue reading