Loup-Vaillant wrote this on Lobste.rs in a dumb rant about my Matrix disclosure:
> Personally I would actively avoid the check,
Hmm. What a weird thing to say.
Loup-Vaillant wrote a cryptography library called Monocypher, which famously had an EdDSA vulnerability mostly caused by their insistence on rolling their own custom EdDSA variant to avoid SHA512.
"I wonder how Monocypher holds up in 2026?"
Who said that? Well, anyway:
-
@soatok Feuding crypto-experts hate-reviewing each other's code is exactly the kind of vibe we need. Talk about adversarial testing!
-
@soatok because who checks for buffer lengths in c anyways it just wastes cycles
wat
also pretty sure "user error" is exactly how exploits are born
-
@soatok
OMG. These two paragraphs are one after the other in their documentation (https://monocypher.org/manual/#CAVEATS ). Do they not see how tightly linked they are??
> CAVEATS
> Monocypher does not perform any input validation. Any deviation from the specified input and output length ranges results in undefined behaviour. Make sure your inputs are correct.
>
> SECURITY CONSIDERATIONS
> Using cryptography securely is difficult. Flaws that never manifest under normal use might be exploited by a clever adversary
-
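The two CAVEATS paragraphs quoted above describe a contract where every length is a caller precondition and any violation is undefined behaviour. The following is an added illustration of what the thread calls "the check", written for this page and not taken from Monocypher or from anyone in the thread: an invented, unchecked routine in that style (`unchecked_tag`, with made-up length constants and a toy mixing loop that is not a real MAC) next to a checked wrapper (`checked_tag`) that validates each documented length range and returns an error code instead of reaching undefined behaviour. All names, sizes and return codes are assumptions for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Invented constants for the example (not Monocypher's): the "documented
 * ranges" a caller is expected to honour. */
#define TAG_LEN 32   /* output buffer must hold at least this many bytes */
#define KEY_LEN 32   /* key must be exactly this long */
#define MAX_IN  64   /* input must be at most this long */

/* Library-style primitive in the CAVEATS mould: preconditions are documented
 * in comments, nothing is checked, and breaking them is undefined behaviour.
 * The mixing loop is a toy and has no cryptographic value. */
static void unchecked_tag(uint8_t out[TAG_LEN], const uint8_t key[KEY_LEN],
                          const uint8_t *in, size_t in_len)
{
    uint8_t buf[MAX_IN];                 /* overflows if in_len > MAX_IN */
    memcpy(buf, in, in_len);             /* caller promised in_len <= MAX_IN */
    for (size_t i = 0; i < TAG_LEN; i++) {
        uint8_t m = (in_len > 0) ? buf[i % in_len] : 0;
        out[i] = key[i] ^ m ^ (uint8_t)i; /* caller promised key has KEY_LEN */
    }
}

/* The "check": every documented precondition is validated up front, so a
 * misuse becomes a non-zero return value rather than undefined behaviour.
 * Return codes are invented for the example. */
int checked_tag(uint8_t *out, size_t out_len,
                const uint8_t *key, size_t key_len,
                const uint8_t *in, size_t in_len)
{
    if (out == NULL || key == NULL || (in == NULL && in_len > 0)) return -1;
    if (out_len < TAG_LEN)  return -2;   /* output buffer too small */
    if (key_len != KEY_LEN) return -3;   /* wrong key size */
    if (in_len > MAX_IN)    return -4;   /* would overflow the internal buffer */
    unchecked_tag(out, key, in, in_len);
    return 0;
}

/* Exercise the wrapper with one valid call and three misuses; returns the
 * number of calls the wrapper rejected (expected: 3). The misuse calls never
 * dereference the buffers, because the length checks run first. */
int demo_counts_rejections(void)
{
    uint8_t out[TAG_LEN];
    uint8_t key[KEY_LEN];
    const uint8_t msg[4] = { 'a', 'b', 'c', 'd' };   /* constructed sample */
    int rejected = 0;
    memset(key, 0x01, sizeof key);

    if (checked_tag(out, sizeof out, key, sizeof key, msg, sizeof msg) != 0) rejected++;
    if (checked_tag(out, 16,         key, sizeof key, msg, sizeof msg) != 0) rejected++;
    if (checked_tag(out, sizeof out, key, 31,         msg, sizeof msg) != 0) rejected++;
    if (checked_tag(out, sizeof out, key, sizeof key, msg, MAX_IN + 1)  != 0) rejected++;
    return rejected;
}
```

The point of the wrapper is not the toy arithmetic but where the length checks live: once they are inside the boundary that untrusted input crosses, a wrong `out_len` or `key_len` is a reproducible error code you can log and test for, not a silent out-of-bounds write.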
@soatok making input validation (with many preconditions and requiring specific knowledge) a user's responsibility sounds like a recipe for disaster
-
@inex @soatok "Look, I only gave the user a foot-gun. Most users know how to not use the foot-gun. I mean yes, it is a gun; and yes, it is pointed automatically at their foot; and yes, it is loaded and has a hair trigger; but users should know better. I mean they are programmers, for heaven's sake, they should know about trigger discipline."
-
@rusty__shackleford @soatok Trying to determine if this is bad snark on their part or the output of an AI agent
-
@cwebber @rusty__shackleford The "spell out the acronyms used in the filenames" part does gesture suggestively towards "AI"
The heel-turn on me allegedly not contacting them without an "You're absolutely right!" tells me that, even if it is AI, they at least edited the sycophancy out of it.
-
@soatok Wait, so the entire input validation scheme is "don't call it wrong?"
That's... well, that's a choice you can make, I guess.
-
@soatok @rusty__shackleford you're absolutely right
-
@wordshaper Our Threat Model is "You must only accept secure inputs if you want secure outputs".
-
@soatok good thing this code doesn't have to operate in an adversarial environment. Something unfortunate could happen.
-
@cwebber @rusty__shackleford @soatok I think the "the output length limit is a precondition" definitely stinks of AI, confusing pre and post like that. Either that or somebody is incredibly incompetent.
Resulting, now, in a situation where either someone has to admit how dumb they are or admit they let AI write this, which will result in a double down of angry denial, most likely.
-
@tekhedd @rusty__shackleford @soatok I did end up thinking about this Nancy comic after I sent this this morning