fsebugoutzone.org:9999

       Post B3VDrThMM2FWE4fZmS by ruben@friendship.quest
 (DIR) More posts by ruben@friendship.quest
 (DIR) Post #B3VDrN6crhIhmPR9gu by soatok@furry.engineer
       2026-02-20T03:46:53Z
       
       0 likes, 0 repeats
       
       I&#39;ve had a few people ask why I didn&#39;t post the full Matrix email on my Fedi thread. There are two reasons:It wouldn&#39;t fit in 1k characters.Listen carefully:Y&#39;know how &quot;just getting caught cheating on your monogamous partner&quot; isn&#39;t the right time to discuss exploring ethical nonmonogamy?In a similar vein, asking for information while dismissing a report as &quot;no practical security impact&quot; is still dismissing the goddamn report.I excerpted the part of their email where they dismissed my report. That was the part that initiated the immediate disclosure. The inciting turn of phrase.It doesn&#39;t matter how much you piss on my leg, I&#39;m not going to believe it&#39;s raining.
       
 (DIR) Post #B3VDrNzZZPFkWp92Ku by soatok@furry.engineer
       2026-02-20T03:52:42Z
       
       0 likes, 0 repeats
       
       Matrix has many incentives to lie or mislead. Their leadership includes the CEO of a company whose product is a Matrix client. There&#39;s active political talks about the EU investing heavily in Matrix. He&#39;s got a vested interest in looking good, even at the expense of doing or even being good.On the other hand, I have nothing to gain. If everyone switches to Matrix tomorrow, nothing in my life changes. If Matrix self-implodes and everyone goes back to XMPP tomorrow, nothing in my lfie changes.The only things I want are:End-to-end encryption to be better.End-to-end encryption to become ubiquitous for communication protocols and apps.The large tech companies whose business models involve privacy violations and stealing from artists and other creative workers to burn down so gloriously that society forgets the word &quot;billionaire&quot; in twenty years.
       
 (DIR) Post #B3VDrP2RgD93m1UqS8 by soatok@furry.engineer
       2026-02-20T03:55:33Z
       
       0 likes, 0 repeats
       
       But what about &quot;don&#39;t make perfect the enemy of good&quot;?If your cryptography isn&#39;t damn near-perfect, it&#39;s shit. There aren&#39;t many cryptographic solutions that get a C+ in the world. It&#39;s either an A, A-, or an F.
       
 (DIR) Post #B3VDrQJUwINbjCTyfg by soatok@furry.engineer
       2026-02-20T03:58:01Z
       
       0 likes, 0 repeats
       
       An F in cryptography is aes-js / pyaes, as this Trail of Bits blog by Opal Wright explains:Mistakes in cryptography are not a sin, even if they can have a serious impact. They’re simply a fact of life. As somebody once said, “cryptography is nightmare magic math that cares what color pen you use.” We’re all going to get stuff wrong if we stick around long enough to do something interesting, and there’s no reason to deride somebody for making a mistake.What matters—what separates carelessness from craftsmanship—is the response to a mistake. A careless developer will write off a mistake as no big deal or insist that it isn’t really a problem—yadda, yadda, yadda. A craftsman will respond by fixing what’s broken, examining their tools and processes, and doing what they can to prevent it from happening again.Does this sound familiar?
       
 (DIR) Post #B3VDrQzKQlq9ow3Ns8 by soatok@furry.engineer
       2026-02-20T04:04:12Z
       
       0 likes, 0 repeats
       
       Now, am I saying that they&#39;re lying or deliberately misleading?No. I&#39;m describing the incentives they&#39;re operating under!This could be entirely subconscious or even unconscious decisionmaking and/or behavior for all I know.But it&#39;s really suspicious to insist that the specific attack I keep describing is handwaved as &quot;outside our threat model&quot; when their public threat model is so frustratingly incomplete that it might as well just say Cryptography: Vibes.I mean, look at it: https://spec.matrix.org/v1.17/appendices/#security-threat-model
       
 (DIR) Post #B3VDrRY4Lbd5YgJ81Q by soatok@furry.engineer
       2026-02-20T04:06:49Z
       
       0 likes, 0 repeats
       
       You wanna see a fucking threat model?Here: https://github.com/fedi-e2ee/public-key-directory-specification/blob/main/Specification.md#threat-modelAnd this is for an ActivityPub service that just stores data in immutable plaintext and serves it over HTTPS!
       
 (DIR) Post #B3VDrSRj0g9ILILZlw by FlohEinstein@chaos.social
       2026-02-20T04:23:54Z
       
       0 likes, 0 repeats
       
       @soatok wow, I only just learned about this project through this toot, and to see how much thought you put into this is just awesome. Can&#39;t wait for the 1.0.0 of #fedipkdhttps://publickey.directory/
       
 (DIR) Post #B3VDrTA2LvauYj4xqC by soatok@furry.engineer
       2026-02-20T04:24:56Z
       
       0 likes, 0 repeats
       
       @FlohEinstein Oh, yeah, I talk about it a lot here :Dhttps://soatok.blog/2026/01/15/software-assurance-that-warm-and-fuzzy-feeling/ talks about my testing methodology if you&#39;re curious
       
 (DIR) Post #B3VDrThMM2FWE4fZmS by ruben@friendship.quest
       2026-02-20T05:19:55Z
       
       0 likes, 0 repeats
       
       @soatok@furry.engineer this is a really great read! So many cases detailed that I had not considered as a user. I can’t wait for this to get adopted!
       
 (DIR) Post #B3VDrWCd2kRxzdJZnU by soatok@furry.engineer
       2026-02-20T04:09:01Z
       
       0 likes, 0 repeats
       
       Is it perfect? No. If a threat scenario comes up that I didn&#39;t imagine, that means I assume, by default, that we&#39;re vulnerable until I prove otherwise.