Cryptographers and cryptography engineers love to talk about the latest attacks and how to mitigate them. LadderLeak breaks ECDSA with less than 1 bit of nonce leakage? Raccoon attack brings the Hidden Number attack to finite field Diffie-Hellman in TLS? And while this sort of research is important and fun, most software developers have much […]
Boycott Zed Shaw’s writing. (With bonus zero-days in his work.)
The fatal flaw of Birdwatch’s current design and how it can be fixed.
RSA is for encrypting symmetric keys, not entire messages. Pass it on.
The server for thedonald.win is hosted at 220.127.116.11. Read on to learn how I discovered this.
Earlier tonight, someone decided to change their Twitter handle and display name to impersonate a furry and solicit money to the scammer’s PayPal account. This is the same kind of lazy technique that script kiddies use to phish people for passwords, but more targeted. The goal is to dupe someone into sending the scammer money […]
Imagine you’re a software developer, and you need to authenticate users based on a username and password. If you’re well-read on the industry standard best practices, you’ll probably elect to use something like bcrypt, scrypt, Argon2id, or PBKDF2. (If you thought to use something else, you’re almost certainly doing it wrong.) Let’s say, due to […]
Governments are back on their anti-encryption bullshit again. Between the U.S. Senate’s “EARN IT” Act, the E.U.’s slew of anti-encryption proposals, and Australia’s new anti-encryption law, it’s become clear that the authoritarians in office view online privacy as a threat to their existence. Normally, when the governments increase their anti-privacy sabre-rattling, technologists start talking more […]
Earlier this week, security researcher Ryan Castellucci published a blog post with a somewhat provocative title: DKIM: Show Your Privates. After reading the ensuing discussions on Hacker News and Reddit about their DKIM post, it seems clear that the importance of deniability in online communications seems to have been broadly overlooked. Security Goals, Summarized When […]
Tonight on InfoSec Twitter, this gem was making the rounds: Hello cybersecurity and election security people,I sometimes embed your tweets in the Cybersecurity 202 newsletter. Some of you have a habit of swearing right in the middle of an otherwise deeply insightful tweet that I’d like to use. Please consider not doing this. Best,Joe Identity […]
This is the first entry in a (potentially infinite) series of dead end roads in the field of cryptanalysis. Cryptography engineering is one of many specialties within the wider field of security engineering. Security engineering is a discipline that chiefly concerns itself with studying how systems fail in order to build better systems–ones that are […]
Spyware written for educational institutions to flex their muscles of control over students and their families when learning from their home computer is still, categorically, spyware. Depending on your persuasion, the previous sentence sounds like either needless pedantry, or it reads like tautology. But we need to be clear on our terms. Educational spyware is […]
If you’re ever tasked with implementing a cryptography feature–whether a high-level protocol or a low-level primitive–you will have to take special care to ensure you’re not leaking secret information through side-channels. The descriptions of algorithms you learn in a classroom or textbook are not sufficient for real-world use. (Yes, that means your toy RSA implementation […]
I recently needed to find an image that I didn’t have saved on my computer in order to share with a group chat. For laughs. Naturally, I did the first thing most of us do when that happens: I typed the query into Google’s Image Search. To my dismay, all of the first results were […]
If you see the letters GNU in a systems design, and that system intersects with cryptography, I can almost guarantee that it will be badly designed to an alarming degree. This is as true of GnuPG (and PGP in general) as it is of designs like the proposed GNU Name System (IETF draft) and cryptographic […]
A question I get asked frequently is, “How did you learn cryptography?” I could certainly tell everyone my history as a self-taught programmer who discovered cryptography when, after my website for my indie game projects kept getting hacked, I was introduced to cryptographic hash functions… but I suspect the question folks want answered is, “How […]
I probably don’t need to remind anyone reading this while it’s fresh about the current state of affairs in the world, but for the future readers looking back on this time, let me set the stage a bit. The Situation Today (By “Today”, I mean early May 2020, when I started writing this series.) In […]
Update (2021-01-09): There’s a newer blog post that covers different CloudFlare deanonymization techniques (with a real world case study). Furry Twitter is currently abuzz about a new site selling knock-off fursuits and illegally using photos from the owners of the actual fursuits without permission. Understandably, the photographers and fursuiters whose work was ripped off by […]
Cryptographers around the world are still designing privacy-preserving contact tracing systems for combating the spread of COVID-19. Even though some papers have been published (one using zero-knowledge proofs, another based on blockchain (sigh)), the ink is still very wet. The first framework designed by Apple and Google needs work but was surprisingly not god-awful. That […]
Update (2020-04-29): Twitter has fixed their oversight. Anyone who set their custom gender to a long volume of text, should still have it set to a long volume of text. The original article follows after the separator. I was recently made aware of a change to Twitter, which exposes a new Gender field. If you’ve […]
There are two news stories today. Unfortunately, some people have difficulty uncoupling the two. The Team Fortress 2 Source Code has been leaked. Hackers discovered a Remote Code Execution exploit. The second point is something to be concerned about. RCE is game over. The existence of an unpatched RCE vulnerability, with public exploits, is sufficient […]