Soatok Dreamseeker

He/him. Gay/demi dhole (Cuon Alpinus) furry.

Blogger, programmer, security engineer, cryptography nerd. 30+

Too spicy for Twitter (banned with all the prominent journalists on 2022-12-16)

I don't represent any company, individual, or community.

Soatok Dreamseeker soatok@furry.engineer
2025-06-27

@abacabadabacaba Sure. It might be helpful to comment directly on the github discussion.

Soatok Dreamseeker soatok@furry.engineer
2025-06-27

@abacabadabacaba Yeah, I know. It's not a goal AFAIK.

If you wanted KCI, you'd need ephemeral prekeys on both ends and at that point you might as well just use Signal.

Soatok Dreamseeker soatok@furry.engineer
2025-06-26

I proposed a way to incorporate Sender Authentication in age with the following advantages:

  1. No catch-22 between encryption and signing (no rebinding attacks)
  2. You have to be able to decrypt the message to verify the sender
  3. No new cryptographic primitives (e.g., signcryption)
  4. No in-band signaling or downgrade attacks

However, it does have one requirement that people accustomed to PGP use cases (and tolerant of PGP footguns) may find annoying:

You must know, in advance, the public key of the sender in order to be able to decrypt the message.

github.com/FiloSottile/age/dis

#crypto #encryption #cryptography #age

Soatok Dreamseeker boosted:
Steph :Autigirl2: :green: PurpleStephyr@thetransagenda.gay
2025-06-25

@soatok@furry.engineer I was thinking something similar a few days ago. What would happen if you flooded GitHub with trivial programs with naming or comments that imply it's doing something different. Like a "shortest path" function, but it's actually just fizzbuzz. How long until AI slop would just think that every problem is fizzbuzz and just offer some variation of fizzbuzz for every prompt?

Soatok Dreamseeker soatok@furry.engineer
2025-06-25

@cinebox How do you know you've typed the correct unsafe one, versus any random sequence of digits?

Soatok Dreamseeker soatok@furry.engineer
2025-06-25

@charlotte @craftxbox I do use Google Voice

Soatok Dreamseeker soatok@furry.engineer
2025-06-25

@craftxbox To be clear: the people who deserve insults and terms of derision are the people actively evangelizing Matrix, XMPP, etc. and trying to talk over people with half a goddamn clue.

Lots of innocent and well-meaning people have been misled by these charlatans. I do not blame them.

Soatok Dreamseeker soatok@furry.engineer
2025-06-25

@craftxbox

> having never used signal, nor knowing specifically what the criticism actually is,

The criticism is morons whining about "boo hoo they require a phone number to sign up and nothing else"

It used to be valid criticism (you needed to give people your phone number to chat with you), but Signal fixed that when they rolled out usernames.

Then, said morons decide that Signal is somehow less secure because of this phone number requirement (and literally nothing else).

Meanwhile, you have so-called competitors that let you spew plaintext scoring higher on their idiotic "privacy" checklists.

Then well-meaning people ping me with these documents asking if I'm wrong about Signal (which is the only popular app that uses adequate cryptography to date).

> would a successful simswap give an attacker the capability to silently register a new device or perform a lost key recovery?

No.

Soatok Dreamseeker soatok@furry.engineer
2025-06-25

If you'd like an example of a threat model I wrote (for the Fediverse Key Transparency specification): github.com/fedi-e2ee/public-ke

Notice that it has:

  1. A list of specific technical assumptions.
  2. A list of assets in scope.
  3. A list of actors, which represent different types of attacks and tactics.
  4. Specific risks for various assets, for which the various actors may be relevant.

NIST has several documents for writing a threat model.

You don't need to be as formal as this about it, but trying to rebut me with not-a-goddamn-threat-model is a waste of everyone's time.

Soatok Dreamseeker soatok@furry.engineer
2025-06-25

When I say something like, "The people who tut-tut over the phone number requirement never articulate anything resembling a coherent threat model" (when talking about Signal), I want to be very clear:

I mean an actual threat model.

Not a use-case.

Not a user story.

Not a set of wants.

Threat.
Model.

Learn what that is before replying.

Soatok Dreamseeker soatok@furry.engineer
2025-06-25

@AVincentInSpace That isn't a threat model, that's a user story!

Anyway, I already addressed this requirement on my blog: soatok.blog/2024/05/14/its-tim

I have two Signal accounts from one mobile phone. It's not exactly impossible.

Soatok Dreamseeker soatok@furry.engineer
2025-06-24

By the way, if you use Signal, go to Privacy > Phone Number and you can configure it like so:

Who can see my number: Nobody

Who can find me by my number: Nobody

Soatok Dreamseeker boosted:
mhoye mhoye
2025-06-24

I just saw somebody refer to a human person, like an actual meat-and-bone possessed-of-inalienable-rights-and-inherent-dignity human person, as "agentic".

Bernard Avishai once famously said that the danger of computers is not that they will eventually get as smart as people, but that we will meanwhile agree to meet them halfway, and I think about that every day. Not just in terms of smarts, but dignity, kindness and decency.

Soatok Dreamseeker soatok@furry.engineer
2025-06-24

@gsuberland My favorite is when the statement of work explicitly says "SGX side-channels are out of scope"

Soatok Dreamseeker boosted:
Graham Sutherland / Polynomial gsuberland@chaos.social
2025-06-24

it's 2025 and this is still the funniest security meme.

Edited version of Frog and Toad.

Frog put the cookies in SGX. "There," he said. "Now we will not eat any more cookies."

"But we can use side channels," said Toad.

"That is true," said Frog.

Soatok Dreamseeker boosted:
Lambda :neofox_flag_nb: lambda@chaosfurs.social
2025-06-24

@nytpu @ret "why would they even do it this specific unnatural way" is pretty much the running theme with PHP

Soatok Dreamseeker boosted:
Arch :arch: arch@floofy.tech
2025-06-24

one must imagine sysadmins happy

Soatok Dreamseeker boosted:
Jordan Petridis alatiera
2025-06-24

On X11 and the Fascists Maggots

I can't believe I needed to write this but here we are.

blogs.gnome.org/alatiera/2025/

First paragraph of the blogpost linked in the post. Last paragraph of the blogpost.

On behalf of all the desktop developers I have to state the following:

There is no place for Fascists within the Open Source and Free Software
communities or the society at large. You will never fester your poisonous
roots here. Go back to the cave you crawled out from where no sunlight
can reach.
