@SwiftOnSecurity I don't even know which CrowdStrike thing this is meant to call back to
Soatok Dreamseeker
Posts
-
We should talk about Werner Koch's response https://gpg.fail on the oss-security mailing list.
I think 2026 should be the year that we make PGP irrelevant.
Not just GnuPG (Koch's implementation), but the entire OpenPGP ecosystem.
Most cryptographers I talk to gave up on PGP over a decade ago.
(After seeing the arrogance and dismissiveness that bled through Koch's oss-security email, who can blame them?)
If you're a country whose government mandates the use of PGP, even in obscure places, let's talk about how to replace PGP.
-
We should talk about Werner Koch's response https://gpg.fail on the oss-security mailing list.
https://www.openwall.com/lists/oss-security/2025/12/29/9
Yes, and actually the only serious bug from their list.
Koch either didn't watch the talk, he is in such defense of his own ego that he can't see how serious the bugs were, or he's tacitly admitting that PGP is not a serious recommendation.
Can you distinguish between these three explanations?
Could it be all of them are true?
Impact
While this may allow remote code execution (RCE), it definitively causes memory corruption.
Good research.
I think this sarcastic quip is what reveals Werner Koch's opinion about the security researchers and their work.
The rest of his email is measured (and partly responding to other mailing list participants rather than the disclosure directly).
-
On this day, all signatures should use the XMSS (hash-based signature system)
-
I don't believe that's a part of the current spec (https://swicg.github.io/activitypub-e2ee/mls)
@evan @benpate @bonfire Such attacks are rare to begin with, so I don't know how well their behavior maps to game theory, but if I were prone to gamble, I would bet on "they found an easier attack" sooner than "the possibility that someone might compare fingerprints is enough to dissuade the tactic". Social engineering is unreasonably effective on most people.
-
I don't believe that's a part of the current spec (https://swicg.github.io/activitypub-e2ee/mls)
@benpate @risottobias @bonfire But for posterity:
https://github.com/soatok/mastodon-e2ee-specification
I started this in 2022 and then shifted gears to Key Transparency with the intent to switch back once that problem was solved. KT slots neatly into the "Federated PKI" vacancy on the 2022 repo
-
I don't believe that's a part of the current spec (https://swicg.github.io/activitypub-e2ee/mls)
@benpate @risottobias @bonfire I think you misunderstood.
I'm suggesting that the decision to not include secure public key management will tie your hands to support whatever insecure thing you're doing now for the sake of backwards compatibility, so I'm probably better off working on my own thing than trying to participate.
-
I don't believe that's a part of the current spec (https://swicg.github.io/activitypub-e2ee/mls)
@benpate @risottobias @bonfire Ah, I guess that means I should dust off my original draft from 2022
-
Tell me about something cool you're working on in 2026.
-
This "UK watchdog" can eat shit.
-
The Revolution Will Not Make the Hacker News Front Page
(with apologies to Gil Scott-Heron) If you get all of your important technology news from "content aggregators" like Hacker News, Lobste.rs, and most subreddits, you might be totally unaware of the important but boring infrastructure work happening largely on the Fediverse, indie web, and other less-centralized communities. This is no accident. The rough consensus of these spaces has been strongly in favor of the…
http://soatok.blog/2025/12/17/the-revolution-will-not-make-the-hacker-news-front-page/
-
Yo, check this out.
-
Moving Beyond the NPM elliptic Package
If you're in a hurry, head on over to soatok/elliptic-to-noble and follow the instructions in the README in order to remove the elliptic package from your project and all dependencies in node_modules. Art: CMYKat Why replace the elliptic package? Yesterday, the Trail of Bits blog published a post about finding cryptographic bugs in the elliptic library (a Javascript package on NPM) by using the Wycheproof.
http://soatok.blog/2025/11/19/moving-beyond-the-npm-elliptic-package/
#npm #crypto #cryptography #elliptic #security #infosec #cve #mitigation #appsec #javascript #js #npm #npmsecurity #npmpackages
-
2015: "Not using AWS or CloudFlare is an availability risk, because DDoS"
2025: "Using AWS or CloudFlare is an availability risk, because surprise outages"
-
Of fucking course it was DNS
It was DNS
Of course it was DNS
Fuck Andy Jassy
(A new haiku to consider)
-
Of fucking course it was DNS
-
@cadey Look what you inspired
https://github.com/fedi-e2ee/pkd-server-go/pull/6
-
https://swicg.github.io/activitypub-e2ee/mls
holy crap, MLS in ActivityPub if the Fediverse becomes end to end encrypted, it may legitimately become The Best way to communicate online in any sort of fashion
@jhwgh1968 @anthropy Well, @evan is well aware of it
-
I've just been informed that I'm not allowed to refer to platonic friend groups as a "palicule"