Notices by Soatok Dreamseeker (soatok@furry.engineer)

Always disheartening to be reminded that a certain rapist exists when you get an IETF mailing list email

https://geekfeminism.fandom.com/wiki/Jacob_Appelbaum_rape_report

@ferrix I dunno, probably "drama"?

If you thought my teardowns of Matrix, Session, et al. were brutal, I never once made a Lockpicking Lawyer style video tearing them apart.

This is gold.

https://www.heise.de/news/TeleGuard-Sicherheitsexperten-entschluesseln-Messenger-Nachrichten-11261132.html

@Sobex @julia The mud puddle test is from @matthew_d_green I just cite it frequently

I've got 3 blog post ideas in the hopper but, between work and other demands for my time, I have no idea when I'll get to any of them

[internal screaming]

I should take a vacation or something but I'm booked solid until the end of June on client work hahahaha

Being friends with WoW players and with security researchers is sufficient to synthesize the following idea:

Retribution-Oriented Programming

There's this Calvin and Hobbes strip where Calvin's dad says that if we actually wanted more leisure time, we'd invent machines that did things more slowly, and I think about it all the time.

@wizzwizz4 Hmm, @benpate and @evan might know offhand if they're doing anything special here.

MLS doesn't do anything (IIRC), as the mechanism has to go a level higher. I know MIMI has been talking about it, but the specifics are not something I know offhand.

(Yeah, I know AI slop has totally killed the emoji headers thing for most people, but my web design skills are calcified squarely in the last 2010s era, so please bear with me until I commission an artist to replace them with gay furry stickers.)

After a long weekend, I've finally updated https://publickey.directory to reflect the current state of affairs for the Public Key Directory which brings Key Transparency to the Fediverse, as part of the effort to build End-to-End Encryption (E2EE) for ActivityPub.

https://publickey.directory

This project now supports* Post-Quantum Cryptography! (We're shipping ML-DSA-44 now and will consider new algorithms in the future.) HPKE also uses mlkem768x25519 (a.k.a. X-Wing).

* The only part that doesn't currently require post-quantum cryptography is RFC 9421 (HTTP Message Signatures), because no one has bothered to specify an IANA codepoint for it yet. I'm planning to write a C2SP spec soon if no one beats me to it. For the interim, Ed25519 is still allowed there, but in v2 I plan to drop it.

@TheAlgorythm Not sure about your question. I would imagine not, unless it's constructed weirdly (versus "sigA && sigB must both be true").

@da_667 Because you're good people

You never truly know if that new furry rando in your mentions is a good friend of yours trying out a new name/species/gender

@charlotte slams table DRM

And of course the hotel reservations platform is happily spitting out the name of guests and their contact info to the Deleted User email address

@x_cli @chiraag @khm @kunev @mcc That said, I recommend talking to the @trailofbits crypto folks if you want to dive into TEE hell. I don't claim to be an expert on that stuff.

@x_cli @chiraag @khm @kunev @mcc

Having stuff (like contacts) in the secure enclave is great, but secure enclaves don't have storage, so when you need to restart the task running in the enclave, either you loose all the data, or you store it on disk in an encrypted form to load it back in in the new task. Where is the encryption key for that data?

Burned into the Silicon, if you take SGX at face value.

it seems someone decided to prove you really can just publish any nonsense protocol draft with the IETF https://www.ietf.org/archive/id/draft-meow-mrrp-00.html

-NIST gives up enriching most CVEs
-Russia tried to disrupt Swedish power plant
-EU releases age verification app
-OpenAI announces its own private cyber model
-Russia hacked Ukrainian prosecutors
-Grinex shuts down after hack
-Zerion blames North Korea for crypto-heist
-Autovista ransomware attack
-BlueLeaks 2.0 data is now up for sale
-Krybit ransomware hacks rival 0APT
-Anthropic rolls out KYC for Claude

Podcast: https://risky.biz/RBNEWS552/
Newsletter: https://news.risky.biz/risky-bulletin-nist-gives-up-enriching-most-cves/

@x_cli @chiraag @khm @kunev @mcc What a remarkably lazy argument to make.

You are correct that part 1 of an 8-part series does not mention metadata, but https://soatok.blog/signal-crypto-review-2025-part-8/ sure as shit does.