@soatok@furry.engineer
soatok

He/him. Gay/demi dhole (Cuon Alpinus)

Blogger, programmer, security engineer, cryptography nerd. 30+

Too spicy for Twitter (banned with all the prominent journalists on 2022-12-16)

soatok, to random

Do you suppose Protogen need dewormer?

soatok, to random

Experiment you can participate in too if you'd like:

Instead of posting duplicate content on Twitter or BlueSky, post everything on Fedi first, then just paste links to your Fedi post on those platforms.

When people reply, copy a link to their tweet and reply to your Fedi post, then reply to them on Twitter with a link to your Fedi reply.

Expose the people you want to interact with to this platform so much that they are likely to decide for themselves to sign up.

If successful, we can probably shift some of the better Twitter users to Fedi. And they'll feel welcomed and engaged.

Win goddamn win.

soatok, to random

Me, still recovering from a 30 hour return flight from Spain:

"Now would be a perfect time to roll my own crypto!"

soatok,

in b4

"And then I shot him, Your Honor."

soatok, to random

Gaming on Linux discourse be like

"It's Linux's fault. Do better, FOSS!"

Gaming on Linux in practice be like:

https://www.protondb.com/app/1085660

andrew_chou, to random

Open question: how do you go about finding mentorship in a field where you're considered quite experienced? what models have worked well for involved parties?

context is that although I'm a senior-ish level software dev, I somewhat sorely wish I had opportunities to have a mentor in areas of interest that I don't have guidance for. unfortunately my work doesn't have the resources for this, so I'm left to figure this out on my own if I want to set something up.

soatok,

@andrew_chou If you post a lot about an area you're interested in, it will be boosted towards people who share a specialization with your interest. Hitting it off with those people is probably the easiest way to find the mentorship you need. If not, you'll at least find friends with similar interests you can bounce ideas off of as you self-study.

soatok,

@andrew_chou There's no such thing as a person who needs or does not need a mentor, IMO. You're never too experienced to learn something new, and anyone who would assume such is probably a poor match for you in that respect.

The question is whether one exists, or if you must turn inward instead.

alshafei, to privacy

Comparison of instant messengers: "SimpleX probably has the best privacy and anonymity of all the messengers compared here"

https://eylenburg.github.io/im_comparison.htm

Follow @simplex to keep track of the latest updates and ongoing improvements.

#Privacy #Anonymity #Security #Messengers

soatok,

@triskelion @alshafei @simplex I don't see how SimpleX (which is anything BUT simple) mitigates Invisible Salamanders, given their reliance on AES-GCM.

Also, I don't see why they use Ed448 at all.

soatok,

@triskelion @alshafei @simplex

"Yeah, I'll have, uh... The Signal Double Ratchet. But with Curve448! And I'll use AES-GCM instead of CBC+HMAC."

"Daring today, aren't we?"

soatok,

@triskelion @alshafei @simplex
This needs a professional audit.

SimpleX was reviewed for three days by two people I respect in late 2022.
https://github.com/trailofbits/publications/blob/master/reviews/SimpleXChat.pdf

However, that is way too short a timeframe for something as important as E2EE.

soatok,

@simplex @triskelion @alshafei AES-GCM is.

If you're in a situation where you can have multiple keys (i.e. group messaging), you can send two plaintexts that encrypt to the same (ciphertext, tag).

https://github.com/soatok/gcm-exploit

soatok,

@simplex @triskelion @alshafei Oct 11 - 14 is 3 days

soatok,

@simplex @triskelion @alshafei My complaint with Curve448 is that most things don't use it, so implementations are less reviewed.

The primary reason to select 448 over 25519 is a "biggest rock is best rock" approach to cryptography parameters. It doesn't help in any realistic scenario, nor against quantum attackers at all.

soatok,

@simplex @triskelion @alshafei I'm not here to report a vulnerability. I was asked for my opinion, and I said I don't like your design.

One specific criticism is that you're using GCM but do not have any sort of Key Commitment in your protocol. That's not a vulnerability, to my knowledge.

soatok,

@simplex @triskelion @alshafei That said, reporting issues in a public forum does not hurt anyone's credibility.

"Full disclosure is a damned good idea." - Bruce Schneier, Cryptographer

https://www.schneier.com/essays/archives/2007/01/schneier_full_disclo.html

soatok,

@simplex @triskelion @alshafei If you don't want me to publish my criticisms of your designs, tell your users not to ask furries for their opinions of said designs 😂​

soatok,

@simplex @triskelion @alshafei Also, in a general sense, I'm pretty sure pairwise ratchets is exactly the setup for an Invisible Salamanders style attack.

Alice -> Bob: Key1, P1
Alice -> Charlie: Key2, P2
Same C, T can be sent to both parties

But I haven't actually looked at your code, just critiquing your Markdown docs
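
Added example, not part of the original posts and not SimpleX's or the poster's code: one way to add the key commitment discussed in this thread on top of AES-GCM, so that a blob sealed under one pairwise key is rejected under any other key before GCM is even run. The HKDF labels, wire layout, function names and sample keys are assumptions made for this illustration.

```javascript
// Added example: key-committing wrapper around AES-256-GCM (Node built-in crypto).
const nodeCrypto = require('node:crypto');

// Derive an encryption key and a public commitment from the shared key.
// The HKDF labels are constructed for this example.
function deriveKeys(sharedKey, salt) {
  const hkdf = (label) =>
    Buffer.from(nodeCrypto.hkdfSync('sha256', sharedKey, salt, label, 32));
  return { encKey: hkdf('example-enc-key'), commitment: hkdf('example-key-commit') };
}

// Assumed layout: salt(32) || commitment(32) || nonce(12) || tag(16) || ciphertext
function sealCommitted(sharedKey, plaintext) {
  const salt = nodeCrypto.randomBytes(32);
  const nonce = nodeCrypto.randomBytes(12);
  const { encKey, commitment } = deriveKeys(sharedKey, salt);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', encKey, nonce);
  const ct = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([salt, commitment, nonce, cipher.getAuthTag(), ct]);
}

function openCommitted(sharedKey, message) {
  if (message.length < 92) throw new Error('message too short');
  const salt = message.subarray(0, 32);
  const sent = message.subarray(32, 64);
  const nonce = message.subarray(64, 76);
  const tag = message.subarray(76, 92);
  const ct = message.subarray(92);
  const { encKey, commitment } = deriveKeys(sharedKey, salt);
  // Compare the commitment first, in constant time. The commitment is a
  // collision-resistant function of the key, which the GCM tag alone is not.
  if (!nodeCrypto.timingSafeEqual(sent, commitment)) {
    throw new Error('key commitment mismatch');
  }
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', encKey, nonce);
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(ct), decipher.final()]);
}

// Constructed keys standing in for two pairwise sessions (Bob's and Charlie's).
const bobKey = Buffer.alloc(32, 0x01);
const charlieKey = Buffer.alloc(32, 0x02);
const blob = sealCommitted(bobKey, Buffer.from('hello Bob'));
console.log(openCommitted(bobKey, blob).toString());
try { openCommitted(charlieKey, blob); } catch (e) { console.log(e.message); }
```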

soatok,

@simplex @triskelion @alshafei I like ToB. Lots of great people there.

If you have a bigger audit scheduled with them, I'm happy to withhold further criticism until they've had a chance to look at it. Odds are, they'll find more than I will just casually looking at it.

(Also I don't have Haskell chops)

soatok,

@simplex @triskelion @alshafei Nice!

If I found an exploitable implementation issue (like I did with Matrix earlier this week), I would of course report it privately. But my previous job conditioned me to never look at code on Fridays. ;P

soatok, to random

Something I detest: Defeatist people who ass-moan whenever someone talks about changing something.

"You won't succeed"

"The fight's already lost"

"Why bother?"

Fuuuuuuuuuck you. I hate that pointless negativity.

Yes, I will probably fail. A lot! Maybe you've already tried before and failed, or maybe someone you know has.

Do you know what failures are?

Lessons.

Failing is how you learn to fucking succeed.

Failure doesn't mean you give up.

Failure means you study WHY you failed and see if you can change anything to get a different outcome.

I'm very quick to point out a doomed tactic, but that doesn't always mean the goal is unattainable.

soatok,

To expand on this:

Security in all its forms (information, computer, physical, whatever) is at some level the discipline of studying how systems fail.

Attacking a system involves triggering a failure mode, usually one that benefits the attacker.

soatok, to random

One of the Matrix developers saw fit to comment on my gist https://gist.github.com/soatok/8aef6f67fec9c702f510ee24d19ef92b?permalink_comment_id=5058644#gistcomment-5058644

In response, I actually looked at their code, identified two security vulnerabilities, and disclosed them to their security@ email.

This reaffirms the opinion I held previously.

soatok,

@lanodan I haven't looked at the audit report yet. They might have only reviewed the Rust code, which I haven't looked at yet

soatok, to random

It's still bewildering to me how puritans be like, "Sex is an addiction that corrupts the soul"

Meanwhile I can ask the kinkiest, horniest fuckers I know for platonic cuddles and they're okay with that
