Software Assurance & That Warm and Fuzzy Feeling

If I were to recommend you use a piece of cryptography-relevant software that I created, how would you actually know if it was any good? Trust is, first and foremost, a social problem. If I told you a furry designed a core piece of Internet infrastructure, the reception to this w …


@soatok.blog | 26 days ago

Practical Collision Attack Against Long Key IDs in PGP

In response to the GPG.Fail attacks, a Hacker News user made this claim about the 64-bit “Long Key IDs” used by OpenPGP and GnuPG, while responding to an answer I gave to someone else’s question: OK, to be clear, I am specifically contending that a key fingerprint does not includ …


@soatok.blog | 1 month ago

Everything You Need to Know About Email Encryption in 2026

If you think about emails as if they’re anything but the digital equivalent of a postcard–that is to say, they provide zero confidentiality–then someone lied to you and I’m sorry you had to find out from a furry blog that sometimes talks about applied cryptography. At the end of …


@soatok.blog | 1 month ago

The Revolution Will Not Make the Hacker News Front Page

(with apologies to Gil Scott-Heron) If you get all of your important technology news from “content aggregators” like Hacker News, Lobste.rs, and most subreddits, you might be totally unaware of the important but boring infrastructure work happening largely on the Fediverse, indie …


@soatok.blog | 1 month ago

Announcing Key Transparency for the Fediverse

I’m pleased to announce the immediate availability of a reference implementation for the Public Key Directory server. This software implements the Key Transparency specification I’ve been working on since last year, and is an important stepping stone towards secure end-to-end enc …


@soatok.blog | 1 month ago

Moving Beyond the NPM elliptic Package

Why replace the elliptic package? Yesterday, the Trail of Bits blog published an intern’s post about finding cryptographic bugs in the elliptic library (a Javascript package on NPM) by using Wycheproof. This blog post was accompanied by a new chapter in their Testing Handbook …


@soatok.blog | 2 months ago

The Dreamseeker’s Vision of Tomorrow

Since I have your attention for the moment, I’d like you to ask yourself a question: What is it that drives you in life? Do you yearn for the feeling of safety? By seeking power, status, wealth, and fame? Is it cravings for pleasure that motivate your actions? Does a sense of obl …


@soatok.blog | 3 months ago

Are You Under the Influence? The Tail That Wags The Dog

It is tempting and forgivable to believe that we’re in control of our social media experiences. After all, we write what we want in our bio, select our avatars, and even come up with our own handles. We decide who we follow, what we post, and which recommendations to consider. It …


@soatok.blog | 4 months ago

It’s a Cold Day in Developer Hell, So I Must Roll My Own Crypto

I have several projects in-flight, and I wanted to write a quick status update for them so that folks can find it easier to follow along. Please bear in mind: This is in addition to, and totally separate from, my full-time employment. Hell Frozen Over A while ago, annoyed by the …


@soatok.blog | 5 months ago

Barking Up The Ratchet Tree – MLS Is Neither Royal Nor Nude

One of the first rules you learn about technical writing is, “Know your audience.” But often, this sort of advice is given without sufficient weight or practical examples. Instead, you’re ushered quickly onto the actual tactile aspects of writing–with the hope that some seed was …


@soatok.blog | 5 months ago

Improving Geographical Resilience For Distributed Open Source Teams with FREON

In a recent blog post, I laid out the argument that, if you have securely implemented end-to-end encryption in your software, then the jurisdiction where your ciphertext is stored is almost irrelevant. Where jurisdiction does come into play, unfortunately, is where your software …


@soatok.blog | 6 months ago

Age Verification Doesn’t Need to Be a Privacy Footgun

“Won’t someone think of the poor children?” they say, clutching their pearls as they enact another stupid law that will harm the privacy of every adult on Earth and create Prior Restraint that inhibits the freedom of speech in liberal democracies. If you’re totally ignorant of ho …


@soatok.blog | 6 months ago

Against the Censorship of Adult Content By Payment Processors

This is a furry blog, where I write about whatever interests me and sign it with my fursona’s name. I sometimes talk about furry fandom topics, but I sometimes also talk about applied cryptography. If you got a mild bit of emotional whiplash from that sentence, the best list of p …


@soatok.blog | 6 months ago

Jurisdiction Is Nearly Irrelevant to the Security of Encrypted Messaging Apps

Every time I lightly touch on this point, I always get someone who insists on arguing with me about it, so I thought it would be worth making a dedicated, singular-focused blog post about this topic without worrying too much about tertiary matters. Here’s the TL;DR: If you actual …


@soatok.blog | 7 months ago

Checklists Are The Thief Of Joy

I have never seen security and privacy checklists used for any other purpose but deception. After pondering this observation, I’m left seriously doubting if comparison checklists have any valid use case except to manipulate the unsuspecting. But before we get into that, I’d like …


@soatok.blog | 7 months ago

Furries Need To Learn That Sunlight Is The Best Disinfectant

Next month, AMC+ is premiering a new series about furries that tracked down sexual abusers hiding within the furry fandom. You can watch the trailer for this below. And I do recommend watching the trailer before reading the rest of this blog post. Done? Okay. Bad Takes Almost imm …


@soatok.blog | 8 months ago

What Does It Even Mean To Be “Great” Anyway?

I normally don’t like writing “Current Events” pieces (and greatly prefer focusing on what SEO grifters like to call “evergreen content”), but I feel this warrants it. Content warning: Violence, death, mentions of political extremism. What Does “Great” Mean? Imagining living unde …


@soatok.blog | 8 months ago

Tech Companies Apparently Do Not Understand Why We Dislike AI

It’s becoming increasingly apparent that one of the reasons why tech companies are so enthusiastic about shoving AI into every product and service is that they fundamentally do not understand why people dislike AI. I will elaborate. I was recently made aware of the Jetbrains deve …


@soatok.blog | 9 months ago

Retrospective: Five Years Blogging About Cryptography as a Gay Furry Online

The history of this blog might very well be a cautionary tail (sic) about scope creep. The Original Vision For Dhole Moments Originally, I just wanted a place to write about things too long for Twitter (back when I was an avid Twitter poster). I also figured, if nothing else, it …


@soatok.blog | 9 months ago

The Authenticity Drought

The types of people that proudly call themselves “influencers,” and describe what they create merely as “content,” are so profoundly allergic to authenticity that it bewilders the mind. Don’t believe me? Look no further than the usage of “unalive” in the modern lexicon. The verb …


@soatok.blog | 10 months ago

The Practical Limitations of End-to-End Encryption

Internet discussions about end-to-end encryption are plagued by misunderstandings, misinformation, and some people totally missing the point. Of course, people being wrong on the Internet isn’t exactly news. Yesterday, a story in The Atlantic alleged that the Trump Administration …


@soatok.blog | 10 months ago

Post-Quantum Cryptography Is About The Keys You Don’t Play

(With severe apologies to Miles Davis.) Post-Quantum Cryptography is coming. But in their haste to make headway on algorithm adoption, standards organizations (NIST, IETF) are making a dumb mistake that will almost certainly bite implementations in the future. Sophie Schmieg wrot …


@soatok.blog | 10 months ago

On The Insecurity of Telecom Stacks in the Wake of Salt Typhoon

Towards the end of last year, we learned that a group (allegedly affiliated with the Chinese government, referred to as “Salt Typhoon”) breached T-Mobile and other telecommunications companies and caused all sorts of havoc. This isn’t really a blog post about that incident, but i …


@soatok.blog | 11 months ago

Shaming Isn’t Shielding: The Moral Panics That Cry Wolf

Content Warning: This blog post talks about adult themes and sexuality. If you’re under 18, sit this one out. If you’ve been around the furry fandom for a while, you will notice that discourse tends to have a cyclical nature to it. I’ve written about this topic before. More than …


@soatok.blog | 11 months ago

Reviewing the Cryptography Used by Signal

Last year, I urged furries to stop using Telegram because it doesn’t actually provide them with any of the privacy guarantees they think it gives them. Instead of improving Telegram’s cryptography to be actually secure, the CEO started spreading misleading bullshit about Signal®. …


@soatok.blog | 11 months ago

Hell Is Overconfident Developers Writing Encryption Code

Overconfident developers that choose to write their own cryptography code have plagued the information security industry since before it was even an industry. This in and of itself isn’t inherently a bad thing, despite the infosec truisms about never doing exactly that. Writing c …


@soatok.blog | 1 year ago

Too Many People Don’t Value the Time of Security Researchers

It’s really not my place to ever command respect from anyone; and that’s not just because I’m a furry–which has always been towards the bottom of the geek hierarchy. I am well aware how little weight my words truly carry, even to other furries, as well as how little I really matt …


@soatok.blog | 1 year ago

Session Round 2

Last week, I wrote a blog post succinctly titled, Don’t Use Session. Two interesting things have happened since I published that blog: A few people expressed uncertainty about what I wrote about using Pollard’s rho to attack Session’s design (for which, I offered to write a proof …


@soatok.blog | 1 year ago

Don’t Use Session (Signal Fork)

Last year, I outlined the specific requirements that an app needs to have in order for me to consider it a Signal competitor. Afterwards, I had several people ask me what I think of a Signal fork called Session. My answer then is the same thing I’ll say today: Don’t use Session. …


@soatok.blog | 1 year ago

Collatzeral Damage: Bitwise and Proof Foolish

Let’s talk about the Collatz Conjecture, which is like mathematicians’ original version of this programmer joke: The Collatz conjecture is an infamous trap for the young and ambitious. Despite its simple construction, it has evaded proofs and general solutions for nearly a centur …


@soatok.blog | 1 year ago

Roasted Christmas Spam from Muhu.ai

I wrote what I thought would be the final blog post of 2024 last week, and was looking forward to starting 2025 strong with a blog I’d been drafting since July 2023. But then, a little after Midnight on Christmas, I received the following unsolicited email from “the muhu team”: N …


@soatok.blog | 1 year ago

The Better Daemons Of Our Profession

I’ve spent the better part of 2023 and 2024 trying to imagine the specific changes we technology nerds could make to improve things somewhat. I’ve shared some of my ideas and musings throughout the past year. Briefly: You are not required to read any of these blog posts. In fact, …


@soatok.blog | 1 year ago

Ideas and Execution

5 free ideas that Soatok doesn't have the time or energy to execute on.


@soatok.blog | 1 year ago

Furry, Queer, and Lonely

What is it about being queer that makes loneliness, isolation, and rejection so much more intense and enduring than what our straight friends and family purport to experience? Are we just being sensitive, or egoistic? Do they perhaps feel these emotions with the same severity as …


@soatok.blog | 1 year ago

Imagining Private Airspaces for Bluesky

Recently, I shared my thoughts on the Twitter Exodus. The short of that post is: Even though I’m quite happy on the Fediverse, I think the best outcome is for Bluesky to “win” the popularity contest today. It’s also in a good position to do so: People yearning for “old Twitter” f …


@soatok.blog | 1 year ago

Beyond Bcrypt

In 2010, Coda Hale wrote How To Safely Store A Password which began with the repeated phrase, “Use bcrypt”, where the word bcrypt was linked to a different implementation for various programming languages. This had two effects on the technology blogosphere at the time: At the tim …


@soatok.blog | 1 year ago

Key Transparency and the Right to be Forgotten

This post is the first in a new series covering some of the reasoning behind decisions made in my project to build end-to-end encryption for direct messages on the Fediverse. (Collectively, Fedi-E2EE.) Although the reasons for specific design decisions should be immediately obvio …


@soatok.blog | 1 year ago

Some Thoughts on the Twitter Mass Exodus

Another wave of Twitter users are jettisoning the social media website in favor of alternatives. Some are landing in the Fediverse (Mastodon and other ActivityPub-enabled software). Others are going to BlueSky. Some are just outright abandoning social media entirely, disillusione …


@soatok.blog | 1 year ago

What To Use Instead of PGP

It’s been more than five years since The PGP Problem was published, and I still hear from people who believe that using PGP (whether GnuPG or another OpenPGP implementation) is a thing they should be doing. It isn’t. The part of the free and open source software community that th …


@soatok.blog | 1 year ago

Ambition, The Fediverse, and Technology Freedom

If you’re new to reading this blog, you might not already be aware of my efforts to develop end-to-end encryption for ActivityPub-based software. It’s worth being aware of before you continue to read this blog post. To be very, very clear, this is work I’m doing independent of th …


@soatok.blog | 1 year ago

Why are furry conventions offering HIV testing to attendees?

Spoiler: It’s nothing scandalous or bad. Every once in a while, someone posts this photo on Twitter to attempt to dunk on furries: Over the years, I’ve seen this discourse play out several times. The people that post this photo usually don’t elaborate on why they think this photo …


@soatok.blog | 1 year ago

Cryptographic Innuendos

Neil Madden recently wrote a blog post titled, Digital Signatures and How to Avoid Them. One of the major points he raised is: Another way that signatures cause issues is that they are too powerful for the job they are used for. You just wanted to authenticate that an email came …


@soatok.blog | 1 year ago

The Continued Trajectory of Idiocy in the Tech Industry

Every hype cycle in the technology industry continues a steady march towards a shitty future that nobody wants. The Road to Hell Once upon a time, everyone was all hot and bothered about Big Data: Having lots of information–far too much to process with commodity software–was supp …


@soatok.blog | 1 year ago

E2EE for the Fediverse Update – We’re Going Post-Quantum

In 2022, I wrote about my plan to build end-to-end encryption for the Fediverse. The goals were simple: The primary concern at the time was “honest but curious” Fediverse instance admins who might snoop on another user’s private conversations. After I finally was happy with the c …


@soatok.blog | 1 year ago

Invisible Salamanders Are Not What You Think

Ever since the Invisible Salamanders paper was published, there has been a quiet renaissance within my friends and colleagues in applied cryptography for studying systems that use Authenticated Encryption with Associated Data (AEAD) constructions, understanding what implicit assu …


@soatok.blog | 1 year ago

Doesn’t Matter

I need everyone to understand something: This doesn’t matter. Dhole Moments is not the official outlet of anything that will affect you or your daily life. It carries no financial weight or political power. It doesn’t represent any company, organization, or government agency. To …


@soatok.blog | 1 year ago

Introducing Alacrity to Federated Cryptography

There are two mental models for designing a cryptosystem that offers end-to-end encryption to all of its users. The first is the Signal model. Predicated on Moxie’s notion that the ecosystem is moving, Signal (and similar apps) maintain some modicum of centralized control over th …


@soatok.blog | 1 year ago