Tommaso Gagliardoni


Cryptography, privacy, quantum security, infosec, retro vibes.

I am a mathematician and computer security scientist, with a strong interest in cryptography and anonymity, specialized in quantum security and complex cryptographic protocols. I am also a privacy hacktivist and public speaker, blahblahblah, read my Linkedin bio for this s**t, this is my Mastodon corner.

I co-develop Shufflecake, an open source privacy disk encryption tool to help journalists, activists, and whistleblowers evade unjust prosecution.

I am an advocate of digital self-sovereignty. You will see me often ranting about Big Tech, enshittification, and surveillance capitalism.

Fascinated with anime, Japan, RPGs, retro computing, and all things 80-90's. Notice I wrote "fascinated", not "knowledgeable".

Here you won't find peace nor forgiveness, but just: #cryptography #privacy #quantum #security #infosec #retro vibes!

Homepage: https://gagliardoni.net/
Linkedin: https://www.linkedin.com/in/tommasogagliardoni/
Shufflecake: https://shufflecake.net/
My own company: https://www.lucumo.net/

Holy moly we made it! Shufflecake v0.6.0 is out!

https://fosstodon.org/@shufflecake/116722317387591722

This is a BIG upgrade for Shufflecake! Lot of stuff and usability improvements, it's basically ready for packaging now!

#shufflecake #privacy #security #foss #floss #libre #opensource #linux #cypherpunk #crypto #cryptography


Shufflecake v0.6.0 is RELEASED!!!

Huge shoutout to Elia and Tom (@tomgag) for the good work they are doing :)

Go grab it at https://codeberg.org/shufflecake/shufflecake-c.git

#shufflecake #plausibledeniability

shufflecake-c

Full C implementation of Shufflecake. Shufflecake is a plausible deniability (hidden storage) layer for Linux.

Codeberg.org

💥 ❤️ 📣 NEW RELEASE 📣 ❤️ 💥 #Shufflecake v0.6.0 is a *major refactor* with a *TON* of news! Full refactor of the codebase, automated installer, packetization-readiness, DKMS, list of opened volumes, bugfixes... There is really *too much to list*, make sure to check the CHANGELOG. *External contributions are now open again!*

https://codeberg.org/shufflecake/shufflecake-c/releases/tag/v0.6.0

#linux #foss #floss #opensource #libre #cypherpunk #security #cryptography #privacy

Shufflecake v0.6.0 - shufflecake/shufflecake-c

### [0.6.0] - 2026-06-09

- Renamed Shufflecake CLI executable from `shufflecake` to `sflc` (but kept `shufflecake` as symlink for retrocompatibility).
- System-wide installation with `make install` and uninstall with `make uninstall`.
- Refactor and cleaning the project tree.
- Refactor...

Codeberg.org

Claude Opus 4.8 has quite a few annoying quirks, and it's important to be precise about which ones, because this is the typical claim that needs to be substantiated by facts rather than hinted at. This is not just uncanny — it's painful to look at.

#anthropic #claude #opus #opus48 #ai #llm #humor #emdash

Hey #nostr I was thinking: is anyone developing an Android app (and related NIP) for Nostr key management, similar to #Amber but, instead of relays, using local/near field connections? Like, NFC, USB/serial, Bluetooth? So it wouldn't require network connection between signing device and Nostr client?

#security #privacy #digitalselfsovereignty #bitcoin #cryptography #crypto

I found that crafted #MeshCore node names could compromise #HomeAssistant instances running meshcore-card, with an XSS leading to remote root access on the HA host. An attacker could then access anything controlled or visible through Home Assistant. The attacker doesn't need to be near the target, as MeshCore advertisements are repeated over the mesh, which is dense in NL.

This also affects around 20 public MeshCore analyzer websites. Some of those run CoreScope, where it looks like a vibecoding bot broke the XSS filter while hallucinating a bugfix. The analyzers are mostly public data though. In addition, the less popular MeshCore-Home-Assistant-Panel-v2 is likely also affected, but I was unable to make contact with the maintainer.

MeshCore node names are only 32 bytes, and each rendered in a different place in the page, so I had to be creative to run a more substantial payload. I found a way with three node names using an iframe feature I never heard of before.

https://mxsasha.eu/posts/meshcore-xss-home-assistant/

Rooting Home Assistant through MeshCore: XSS attacks with a LoRa node name

A crafted MeshCore node name could compromise any Home Assistant instance running meshcore-card as soon as someone viewed a dashboard with that card. MeshCore …

Today Letsencrypt announced their plans for PQC migration and, oh boy, it's refreshing! TL;DR, Letsencrypt considers migration to quantum-resistant certificates a priority, and lays down a reasonable path to migrate. In so doing, they take the time to explain how, so far, the security community has been mainly focused on the problem of quantum-resistant secrecy (encryption) rather than authentication (signatures/certificates), and they explain why the sentiment is changing now, and why it is particularly relevant for Letsencrypt.

https://letsencrypt.org/2026/06/03/pq-certs

Not wanting to be the "told you so" guy, I've been saying this for at least 2 years now:

https://gagliardoni.net/#20260603_hndl

This is not to say that Harvest-Now-Decrypt-Later is a less urgent threat, but it's not as asymmetric as people have been believing so far. Glad to see things are changing!

#cryptography #crypto #security #quantum #pqc #postquantum #quantumsecurity #letsencrypt #ai

A Post-Quantum Future for Let's Encrypt

Let’s Encrypt is committed to a post-quantum-safe Web PKI. The path we’re planning to take is Merkle Tree Certificates (“MTCs”), a new approach that adds post-quantum authentication to the web without sacrificing the speed and reliability that have made TLS universal. This post is about these plans and why we believe MTCs are worth pursuing as a key to a post-quantum future.

An increasingly urgent problem

For much of the last several years, the conversation about post-quantum cryptography has been a conversation about encryption. The reasoning was straightforward: an attacker who records encrypted traffic today might be able to decrypt it years from now once quantum computers can break the underlying math. Authentication, the part of TLS that indicates a server is who it says it is, has been a less urgent problem. A quantum computer needs to forge a signature in real time, not retroactively, so threats to authentication hinge on the existence of a cryptographically relevant quantum computer (CRQC).

When a software update causes a PTSD trigger.

#xzutils #security #hacking #foss #floss #opensource

I have been dragged into the rabbit hole of GnuPG/LibrePGP VS Sequoia/OpenPGP and, boy it is ugly. Yeah, yeah, I know, PGP is bad, but of all the ugly things that could have happened to the FOSS crypto space, this is really unwelcome. I wish people would just sit at a table and talk.

#pgp #gpg #sequoia #crypto #cryptography #security #foss #floss #libre #drama #ietf #privacy #openpgp #librepgp

Rise and Fall of Hosting Provider Gandi.net

https://gagliardoni.net/#20260528_gandi_downfall

The sad story of Gandi.net is a textbook example of enshittification, which I think is interesting to talk about, because of the many expectations that were betrayed, and the deeper reflection linking to vampire capitalism. I also report the user-hostile process that I had to undergo in order to migrate away from them.

#gandi #gandi_net #enshittification #capitalism #it #france #privacy #privateequity

Tommaso Gagliardoni's Homepage