Security engineer with a fursona. Ask me about dholes or Diffie-Hellman!
Imagine you’re a software developer, and you need to authenticate users based on a username and password. If you’re well-read on the industry standard best practices, you’ll probably elect to use something like bcrypt, scrypt, Argon2id, or PBKDF2. (If you thought to use something else, you’re almost certainly doing it wrong.) Let’s say, due to […]
Governments are back on their anti-encryption bullshit again. Between the U.S. Senate’s “EARN IT” Act, the E.U.’s slew of anti-encryption proposals, and Australia’s new anti-encryption law, it’s become clear that the authoritarians in office view online privacy as a threat to their existence. Normally, when the governments increase their anti-privacy sabre-rattling, technologists start talking more […]
How to more effectively report abuse to social media companies like Twitter.
We’ve more-or-less all been coping with the pandemic since early March. During this time, I’ve seen a lot of people stressed and depressed to their breaking points, usually while also blaming themselves for not being able to bottle their feelings up and believing no one else is at their limit. And that’s simply not true. […]
Earlier this week, security researcher Ryan Castellucci published a blog post with a somewhat provocative title: DKIM: Show Your Privates. After reading the ensuing discussions on Hacker News and Reddit about their DKIM post, it seems clear that the importance of deniability in online communications seems to have been broadly overlooked. Security Goals, Summarized When […]
Zoom recently announced that they were going to make end-to-end encryption available to all of their users–not just customers. This is a good move, especially for people living in countries with inept leadership that failed to address the COVID-19 pandemic and therefore need to conduct their work and schooling remotely through software like Zoom. I […]
Why blog about cryptography as a furry?
If living through the COVID-19 pandemic has taught us anything–and it surely hasn’t–it would be the importance of friendship and community to our physical and emotional well-being. For more on the subject of People Who Ought to Know Better Not Learning the Obvious Lessons from Misfortune, one needs look no further than social media. Popularity […]
A frequent source of confusion in the furry fandom is about commission pricing for furry art. This confusion is often driven by (usually younger) furries demanding free or severely cheap art from artists, and the aftermath of such exchanges. There’s a reason @SpicyFurryTakes posts so frequently. In the interest of not adding to the confusion, […]
I dislike politics in general. That doesn’t mean I don’t write about it when it’s relevant, but I’m always less happy with any of my writing that touches on these subjects. I usually feel obligated to condemn these pieces to Draft status in perpetuity. It’d be great if we lived in a world where I […]
Tonight on InfoSec Twitter, this gem was making the rounds: Hello cybersecurity and election security people,I sometimes embed your tweets in the Cybersecurity 202 newsletter. Some of you have a habit of swearing right in the middle of an otherwise deeply insightful tweet that I’d like to use. Please consider not doing this. Best,Joe Identity […]
This is the first entry in a (potentially infinite) series of dead end roads in the field of cryptanalysis. Cryptography engineering is one of many specialties within the wider field of security engineering. Security engineering is a discipline that chiefly concerns itself with studying how systems fail in order to build better systems–ones that are […]
Serious question: Why doesn’t the Furry Fandom have more comedians? I don’t mean racist loudmouth assholes who wouldn’t know a good joke if it cup-checked them every day after their second cup of coffee for a week straight (i.e. the racist birdbrain). I also don’t mean external comedians making lazy jokes at the expense of […]
There’s an old adage on the Internet: “Don’t feed the trolls.” The reasoning for such an argument is kind of a proof by induction if you squint hard enough at its structure: If you don’t feed the trolls, they’ll have to look elsewhere to get the engagement they crave. If you iterate the advice and […]
Spyware written for educational institutions to flex their muscles of control over students and their families when learning from their home computer is still, categorically, spyware. Depending on your persuasion, the previous sentence sounds like either needless pedantry, or it reads like tautology. But we need to be clear on our terms. Educational spyware is […]
Since the IETF’s CFRG decided to recommend OPAQUE as a next-generation Password Authenticated Key Exchange, there has been a lot of buzz in the cryptography community about committing authenticated encryption (known to the more academically inclined as Random Key Robustness), because OPAQUE requires an RKR-secure AE scheme. Random Key Robustness is a property that some […]
If you’re ever tasked with implementing a cryptography feature–whether a high-level protocol or a low-level primitive–you will have to take special care to ensure you’re not leaking secret information through side-channels. The descriptions of algorithms you learn in a classroom or textbook are not sufficient for real-world use. (Yes, that means your toy RSA implementation […]
Being a furry is like: Every once in a while, you’ll stumble across an enormous contingent of the furry fandom that you were entirely unaware of for years. Sure, you’d expect artists to be furry, but when you’ve run down the checklist of possible hobbies or professions to the point that furry doctors, furry lawyers, […]
As American students are preparing to return to the classroom during a pandemic–in flagrant disregard of everything ranging from our scientific understanding to matters of good taste–we keep hearing from politicians how essential education is. Of course, if they actually believed the words coming out of their mouth, you’d expect them to be a little […]
Some of you may be surprised to learn that my fursona is not a fox, nor a wolf; nor is it a fictitious fox-wolf hybrid popular within the furry fandom (which is usually called a “folf”). No, my fursona is a dhole, which is a real species of endangered wild dogs from Southeast Asia. The […]
Earlier this week, NIST announced Round 3 of the Post-Quantum Cryptography project and published their rationale for selecting from the Round 2 candidates. NIST did something clever this time, and Round 3 was separated into two groups: Finalists and Alternative Candidates. Finalists are algorithms that NIST (and the majority of the cryptographers involved in NIST’s […]
This is a bit different from my usual blog post, insofar as I don’t have much of a point except that I’m tired of repeating myself. The other day, I was frustrated about Pinterest clogging up the Google Image Search results and tweeted a really simple and well-known life-hack to counteract their search engine manipulation. […]
I recently needed to find an image that I didn’t have saved on my computer in order to share with a group chat. For laughs. Naturally, I did the first thing most of us do when that happens: I typed the query into Google’s Image Search. To my dismay, all of the first results were […]
Historical Context of Iota’s Hash Functions Once upon a time, researchers discovered that the hash function used within the Iota cryptocurrency (Curl-P), was vulnerable to practical collisions. When pressed about this, the Iota Foundation said the following: In response to this research, the Iota developers threatened to sue the researchers. Iota replaced Curl-P-27 with a […]
There seems to be a lot of interest among software developers in the various cryptographic building blocks (block ciphers, hash functions, etc.), and more specifically how they stack up against each other. Today, we’re going to look at how some symmetric encryption methods stack up against each other. If you’re just looking for a short […]
Sometimes my blog posts end up on social link-sharing websites with a technology focus, such as Lobste.rs or Hacker News. On a good day, this presents an opportunity to share one’s writing with a larger audience and, more importantly, solicit a wider variety of feedback from one’s peers. However, sometimes you end up with feedback […]
If you see the letters GNU in a systems design, and that system intersects with cryptography, I can almost guarantee that it will be badly designed to an alarming degree. This is as true of GnuPG (and PGP in general) as it is of designs like the proposed GNU Name System (IETF draft) and cryptographic […]
There are a lot of random topics I’ve wanted to write about since I started Dhole Moments, and for one reason or another, haven’t actually written about. I know from past experience with other projects that if you don’t occasionally do some housekeeping, your backlog eventually collapses under its own gravity and you can never […]
Rhyner has published a guide to chatting with furries and overcoming one’s anxiety and self-doubt. If you have a hard time starting up a conversation with furries, you’ll certainly find this helpful. Note that not all conversations have the same flow, and you definitely shouldn’t force yourself into the confines of [a] template structure. Keep […]
As America prepares for record-breaking infection statistics on a daily basis, many of us are looking at other countries safely reopening and wondering, “Why can’t we have nice things?” Of course, everyone has their favorite target to blame for this catastrophe. Democrats blame Republicans. Republicans blame Democrats. I’m not interested in blame. Regardless of who […]
This year (2020) has brought a lot of death. Friends, neighbors, coworkers, family members, and even some of the strangers you saw every day in your commute to work but never even stopped to learn their name. Of course, people dying isn’t exactly news. People in all of those groups have died all the time, […]
While the furry fandom can be a wonderful place and a force for good in the world, the topics that tend to circulate on Furry Twitter are somewhat seasonal: They repeat every so often–usually sparked by someone saying or doing something shitty–and never actually lead to a productive result. Let’s look at a few of […]
Despite the awesomeness and diversity that the furry fandom offers the world, there is a very narrow subset of furry content creation that has attained popular appeal within our community. If you want to create and share furry art, there are at least a half dozen furry websites dedicated to furry art (including FurAffinity). If […]
Moonraiser from Fuzzballstorytime.com published a review of the documentary film made by Ash Coyote called “The Fandom”. One thing I like most about this film is its representation of the LGBT community. It is a community that has faced many challenges over the years, but with the help of the furry fandom LGBT members have […]
A question I get asked frequently is, “How did you learn cryptography?” I could certainly tell everyone my history as a self-taught programmer who discovered cryptography when, after my website for my indie game projects kept getting hacked, I was introduced to cryptographic hash functions… but I suspect the question folks want answered is, “How […]
I rarely think about the labels that describe me. That isn’t because of privilege (I spent many years painfully aware of them), but because my friends are incredibly supportive and we’ve been able to cultivate an environment where I’m not constantly reminded of why I don’t “belong”. (It took many grueling years to achieve that, […]
I probably don’t need to remind anyone reading this while it’s fresh about the current state of affairs in the world, but for the future readers looking back on this time, let me set the stage a bit. The Situation Today (By “Today”, I mean early May 2020, when I started writing this series.) In […]
A paper was published on the IACR’s ePrint archive yesterday, titled LadderLeak: Breaking ECDSA With Less Than One Bit of Nonce Leakage. The ensuing discussion on /r/crypto led to several interesting questions that I thought would be worth capturing and answering in detail. What’s Significant About the LadderLeak Paper? This is best summarized by Table […]
If you’re reading this wondering if you should stop using AES-GCM in some standard protocol (TLS 1.3), the short answer is “No, you’re fine”. I specialize in secure implementations of cryptography, and my years of experience in this field have led me to dislike AES-GCM. This post is about why I dislike AES-GCM’s design, not […]
Furry Twitter is currently abuzz about a new site selling knock-off fursuits and illegally using photos from the owners of the actual fursuits without permission. Understandably, the photographers and fursuiters whose work was ripped off by this website are upset and would like to exercise their legal recourse (i.e. DMCA takedown emails) of the scam […]
Cryptographers around the world are still designing privacy-preserving contact tracing systems for combating the spread of COVID-19. Even though some papers have been published (one using zero-knowledge proofs, another based on blockchain (sigh)), the ink is still very wet. The first framework designed by Apple and Google needs work but was surprisingly not god-awful. That […]
There are several different methods for securely hashing a password server-side for storage and future authentication. The most common one (a.k.a. the one that FIPS allows you to use, if compliance matters for you) is called PBKDF2. It stands for Password-Based Key Derivation Function #2. Why #2? It’s got nothing to do with pencils. There […]
In 2017, cryptography researchers from Kudelski Security demonstrated practical fault attacks against EdDSA (specifically Ed25519; RFC 8032). Their techniques are also applicable to Deterministic ECDSA (RFC 6979), and potentially work against any deterministic signature scheme (n.b. the Fiat-Shamir or Schnorr distinction isn’t meaningful in this context). Although that might seem alarming, fault attacks aren’t especially […]
Art by Kyume. Search engines have this feature where if you start to type a question, it will attempt to predict your question based on what other people have asked. This has some hilarious consequences. Sometimes this feature gets gamed by large hordes of shitty people (read: 4chan) typing provocative questions into search engines. Let’s […]
Update (2020-04-29): Twitter has fixed their oversight. Anyone who set their custom gender to a long volume of text, should still have it set to a long volume of text. The original article follows after the separator. I was recently made aware of a change to Twitter, which exposes a new Gender field. If you’ve […]
Let’s talk about digital signature algorithms. Digital signature algorithms are one of the coolest ideas to come out of asymmetric (a.k.a. public-key) cryptography, but they’re so simple and straightforward that most cryptography nerds don’t spend a lot of time thinking about them. Even though you are more likely to run into a digital signature as […]
My recent post about the alleged source code leaks affecting Team Fortress 2 and Counter-Strike: Global Offensive made the rounds on Twitter and made someone very mad, so I got hate DMs. …Look, I only said I got hate DMs, not that I got interesting or particularly effective hate DMs! Weak troll is weak, I […]
My friends play a lot of video games, and I sometimes join them, but more often I just observe. And over the years of observing, I’ve noticed a few things worth sharing. Every video game is somewhat different and the lines can sometimes be a bit blurry, but with a few exceptions, the concept of […]
There are two news stories today. Unfortunately, some people have difficulty uncoupling the two. The Team Fortress 2 Source Code has been leaked. Hackers discovered a Remote Code Execution exploit. The second point is something to be concerned about. RCE is game over. The existence of an unpatched RCE vulnerability, with public exploits, is sufficient […]
Suppose you need to encrypt data between two peer-to-peer devices over an untrusted medium (i.e. the Internet), and you have an authenticated low-bandwidth channel that can be used to send and authenticate a few bytes (less than 100), but that channel isn’t itself encrypted (otherwise it’d be a chicken-and-egg problem). Aside: If it helps your […]
