Thad

@thad@infosec.exchange
@abacabadabacaba @soatok yeah, I’d second the idea to explicitly not allow multiple recipients for this scheme. KCI seems a bit of an edge case for a two party system, but allowing any member in a multiparty group to spoof any other member seems like a bit of a cliff. Unfortunate that schemes like MLS have to pull in signatures for this and can’t just use something similar to Noise_K.

@b0rk same feeling when Python came up on https://progle.net

Me: “I know Python, this can’t be Python”
Also me, 2 minutes later: “…I know nothing”

@soatok @tursiae could Bob not reveal the shared symmetric key from the X3MAC to a third party? His private key is still protected by mixing the ephemeral key and the KDF, while having the shared key allows the third party to verify the message hash and prove it with Alice’s public signing key(?)

@soatok looks a lot like a Noise_K pattern using the shared key to verify the message HMAC (?). Doesn’t seem like you’d get too much cryptographer side-eye for that. Neil did mention using auth KEM for something similar right? I kinda like it a lot.

@mkj @chickfilla @hack13 @soatok
Always encrypted also slightly simplifies exposure reasoning.
If group chats are “sometimes encrypted” then your information exposure questions are “is this group public or encrypted? If encrypted, who has (or might have) the key?”
If always encrypted, you only have one question: who has (or might have) a key? If you want a group to be “public” then publish the key publicly. Fewer variables, fewer mistakes.

@soatok yeah, I’d have thought of most of those off the top of my head - and probably anyone else in the space should have too. I guess you can’t just come back with a “standard rate” of $1200/hr or they might take you up on it. Too bad you don’t moonlight - it might well be worth it to some organizations.

@soatok not a matrix dev, but it seems like a useful response would be the name(s) of the person or group that you *would* recommend to do it for hire. The reason they’re engaged with you is because someone over there obviously respects your opinion. Who do you respect that would do a good job for them?

@b0rk I liked hg, but prefer git. A bit because of speed (when I was using hg a lot years ago, it felt a bit slower than git), but mostly because of the ecosystem. When everyone is using git, it’s easier to go with the flow and get stuff done, rather than trying to convince people to use your thing that is maybe better, but not better enough to warrant a whole new tool for them to learn.

@tqbf soulless antagonists gaslight, dehumanize and kill a minority in pursuit of acquiring natural resource. I mean, they’re almost the same movie except in one they get whisky and in the other they’re just incentivized with beans.