Ah, the Matrix guy decided to chime in on the Hacker News thread about my blog.
https://news.ycombinator.com/item?id=46979742#46982871
Of course his comment is bullshit.
Conversation
Notices
-
Embed this notice
Soatok Dreamseeker (soatok@furry.engineer)'s status on Thursday, 12-Feb-2026 08:59:10 JST 
Soatok Dreamseeker
-
Embed this notice
Soatok Dreamseeker (soatok@furry.engineer)'s status on Thursday, 12-Feb-2026 09:04:59 JST
Soatok Dreamseeker
Like, the issues I found aren't even particularly difficult to mitigate. I provided some sample code in my Matrix disclosure blog post and pointed to a bitsliced AES implementation (BearSSL) for systems that can't do AES-NI.
Hell, you could probably get a fucking LLM to do it. Trail of Bits published a Claude skill for detecting whether a compiler has undermined the intent for code to be constant-time. But the heavy-lifting is done by a Python script.
Shipping cryptography without side-channels was table-stakes for being taken seriously.
-
Embed this notice
Soatok Dreamseeker (soatok@furry.engineer)'s status on Thursday, 12-Feb-2026 09:06:36 JST
Soatok Dreamseeker
@mochabeau Yes. It, like XMPP, has a plaintext mode, which means it's not in the same league as Signal to begin with. (And some asshole talking over me to tell people to use Matrix instead of Signal is what prompted me to even look at their code then.)
-
Embed this notice
Beau (mochabeau@infosec.exchange)'s status on Thursday, 12-Feb-2026 09:06:37 JST 
Beau
@soatok even if it was secure, doesn't matrix not encrypt stuff like reactions and message reply context?
-
Embed this notice
Beau (mochabeau@infosec.exchange)'s status on Thursday, 12-Feb-2026 09:13:03 JST
Beau
@soatok ive heard many people don't even use matrix e2ee anyways cause of [🔒 message failed to decrypt]
-
Embed this notice
Soatok Dreamseeker (soatok@furry.engineer)'s status on Thursday, 12-Feb-2026 09:14:28 JST
Soatok Dreamseeker
The Matrix guy is incentivized to control the narrative here. No surprise there.
But I implore anyone paying attention to critically evaluate the facts and what he said then as well as what he's saying now.
-
Embed this notice
Soatok Dreamseeker (soatok@furry.engineer)'s status on Thursday, 12-Feb-2026 10:02:38 JST
Soatok Dreamseeker
There are more pathetic comments on the Hacker News thread.
For example:
(Would you believe this guy has -18 karma?)
-
Embed this notice
let Alephwyr=dragon{realist:true,moral:true, strong=true,body=♀} (alephwyr@chitter.xyz)'s status on Thursday, 12-Feb-2026 10:04:14 JST 
let Alephwyr=dragon{realist:true,moral:true, strong=true,body=♀}
@soatok Remembering the post about how furry weirdness is a failproof modern ward against capitalist encroachment.
-
Embed this notice
Soatok Dreamseeker (soatok@furry.engineer)'s status on Thursday, 12-Feb-2026 10:09:10 JST
Soatok Dreamseeker
The crucial thing Arathorn hasn't figured out is he's his own worst enemy when it comes to public relations.
Several folks have told me they stopped trusting Matrix. But not because of my write-up. They stopped trusting Matrix because of how Matrix responded to my write-up.
They couldn't just said something banal like, "Thanks for contributing to the security of Matrix," and done less damage to their own reputation.
-
Embed this notice
Soatok Dreamseeker (soatok@furry.engineer)'s status on Thursday, 12-Feb-2026 10:09:27 JST
Soatok Dreamseeker
@lunemercove Haha fair
-
Embed this notice
「Carmilla」 luné's villain era (lunemercove@eldritch.cafe)'s status on Thursday, 12-Feb-2026 10:09:36 JST 
「Carmilla」 luné's villain era
@soatok whenever I see these kinds of guys I am fascinated in a way. like a particular kind of dipshit frozen in amber from the 00s.
(I know unfortunately they're still making that kind of guy and it's usually creeping out of some sort of anti-LGBT bigotry. but my first thought is ALWAYS "how did you time travel to here?")
-
Embed this notice
Risotto Bias (risottobias@toot.risottobias.org)'s status on Thursday, 12-Feb-2026 10:15:07 JST 
Risotto Bias
@soatok a good amount of my own judgement on a company is how they recover from an attack or treat a security researcher.
hostility? not purchasing.
owning up to it with public whitepaper / lessons learned? awesome.
-
Embed this notice
Luna Lactea (jackemled@furry.engineer)'s status on Thursday, 12-Feb-2026 12:16:38 JST 
Luna Lactea
@soatok Of course most of this seems to be hidden now & I can only see two things that give no context. Matrix moment. HackerNews moment.
-
Embed this notice
Soatok Dreamseeker (soatok@furry.engineer)'s status on Thursday, 12-Feb-2026 12:28:50 JST
Soatok Dreamseeker
@jackemled https://web.archive.org/web/20260211235740/https://news.ycombinator.com/item?id=46979742#46982871
-
Embed this notice
Luna Lactea (jackemled@furry.engineer)'s status on Thursday, 12-Feb-2026 12:35:26 JST
Luna Lactea
@soatok Thank you.
How long has it been since this guy has gone outside? He writes like a YouTube comments section flamer.
-
Embed this notice
Soatok Dreamseeker (soatok@furry.engineer)'s status on Thursday, 12-Feb-2026 12:51:12 JST
Soatok Dreamseeker
@kiri Given that my previous disclosure was in May 2024 (published August 2024), and then https://furry.engineer/@soatok/116055556402436098...
Yeah, probably not.
-
Embed this notice
:copyleft: Kiri :tux: (kiri@fosstodon.org)'s status on Thursday, 12-Feb-2026 12:51:13 JST 
:copyleft: Kiri :tux:
@soatok I'm a good example of that! I got turned off Matrix as "the platform" when that whole "oh yeah we knew about those issues but didn't do anything about it because we were already working on the new thing", but then the following attitude was what cemented the notion of "I can't trust this to ever be better, can I?"
-
Embed this notice
All GNU social JP content and data are available under the