ProudlyGeek@reddit
Interesting technical read. Guy obviously knows his stuff, article was cheapened by all the furry artwork though 🤦🏼
Soatok@reddit
My furry blog has furry art on it. Film at 11.
What does "cheapened" even mean here? I'm not selling anything.
ProudlyGeek@reddit
My point was, the article is excellent, high quality content. However, I wouldn't be able to send this to a board of directors or my CTO as part of an argument on why you should roll your own crypto for example. People's lifestyle choices are their own business, it doesn't bother me, but it's just unfortunate it makes an excellent technical article something I probably wouldn't include in a list of sources.
Soatok@reddit
Why not? It's good enough for NIST's Computer Security Resource Center to cite in a call for comments on block cipher modes, despite the furry art and informal writing style.
I'd already penned a response to this line of discussion before years ago.
Duckarmada@reddit
I sincerely appreciate your writing, but particularly your authenticity.
cat_in_the_wall@reddit
fuck the police. you do you.
ToaruBaka@reddit
Facts - this has always been such a wild argument to me.
Like, if Hitler solved P=NP would we just pretend that he didn't? No, we'd suck it up and acknowledge the facts because that's what matters. Something being presented in a way you don't like doesn't make it factually incorrect, and if you can't engage with the facts you shouldn't be in the conversation.
Emergency-Walk-2991@reddit
This is not a great example, as the hypothermia data from the nazis is used unaccredited in modern times.
admalledd@reddit
Seriously, technical blogs that are more "personal voice" / stylized are more trustworthy! It is nearly impossible for those that want to spread misinformation (or just promoting their own services/stuff) to not become the bland corporate style blog with no flavor trying to appeal to everyone/generate clicks.
This leads to those technical blogs that do have flavor likely being from those with true experience or passion. Of course, this includes furry infosec blogs.
Emergency-Walk-2991@reddit
That opening paragraph is a fucking barn burner LMAO
eattherichnow@reddit
> However, I wouldn't be able to send this to a board of directors or my CTO
There's another good answer around, but tbh if this was true, I'd consider it a feature.
You want an actual honest-to-god paper? In a black-and-white printable PDF typeset in TeX (because LaTeX isn't hardcore enough)?
Fuck you, pay me. And if you're that serious, pay for peer review as well.
What, you won't? Maybe you don't actually care either, and "can I show this to my CTO" is just a smoke screen disguising your own problems, possibly even from yourself.
cat_in_the_wall@reddit
it's ironic in the tech community that so many people are like "it should be a meritocracy blah blah blah" but can't handle a bit of furry art, even when the content is just crazy technical and probably way beyond all but like 100 people on the planet. if it was furry porn, sure that would be inappropriate, but it's not.
13steinj@reddit
I think you and the above commenter are being a bit unfair.
I can (and have previously) sent this blog (not this specific post) around friends, coworkers, even some higher ups.
If I sent this blog to anyone whose voice matters in the organizational hierarchy, at best I'd get weird looks and a note in an HR document, because people associate furries with sexual content still; at worst depending on the org I can guarantee I'd be reprimanded if not outright fired.
There's a difference between not personally caring and caring when it comes to one's own job security / workplace perception.
Soatok@reddit
> at best I'd get weird looks and a note in an HR document, because people associate furries with sexual content still; at worst depending on the org I can guarantee I'd be reprimanded if not outright fired.
I don't think this is a realistic concern.
If my blog had pornographic art on it, you could make an argument structured that way, but it simply does not. In fact, nothing is even mildly suggestive. Most reasonable people that see my stickers will go, "Oh, it's a cartoon character, sounds kid-friendly."
Furthermore, even if this did escalate for some weird reason to HR because someone looked at a cartoon dog-like character and assumed, "This is a sex thing" (which would be extremely poor reasoning on their part), this is all you need to say:
> Yes, this extremely technical report comes from an author that likes to insert his cartoon character between paragraphs. Did you understand the technical arguments, or was his informal writing style confusing?
It will never go further than that.
Companies would be remiss to push the issue. The incentive structures just aren't there.
And in the off-chance that you encounter a black swan event of a boss who will fire you over someone else's writing having work-safe furry art on it, that's a toxic work environment. Do you really want to stick around that ship when it inevitably sinks?
Like, game theory isn't my forte, but I don't see any viable way for my blog post to actually harm anyone. I've gotten selfies with tech company CEOs in my fursuit before. Whatever you're afraid of only exists in your mind.
13steinj@reddit
Not everyone has the affordance to work somewhere that is forward thinking enough to not associate furries with sexual content.
Not all such places are sinking ships on that fact alone.
One can be positive / not personally care about the artwork while still having a working environment that would.
loup-vaillant@reddit
I don't know where you live, but I suspect you vastly overestimate how conservative the people who have power over you are. I saw a similar bias for front desk positions, it is almost always unfounded. Not everyone holds the far right ideas you fear they do.
13steinj@reddit
Some people I've worked for / with have been semi openly homophobic and anti-trans after work at drinks.
You don't magically know everyone's work environment.
Some definitely will associate this with furries and sex, in a negative way.
loup-vaillant@reddit
As long as they keep such thoughts to themselves (and among friends), that’s a private matter, and none of my business. Though to be honest, if people can’t stand safe-for-children cartoon characters in a technical blog post, that is also kind of their problem — not mine, not the blog’s, not society’s.
But the moment they make me suffer negative consequences at work for something as innocuous as linking to Soatok’s blog, that is acting out far right politics.
Fuck the far right. If you are working for such pieces of shit and don’t really have a way out, I urge you to consider resisting in some way. Could be a union, or something more covert. Those people don’t deserve to wield any kind of power. To the extent that you can, please don’t let them.
josefx@reddit
Forward thinking? Anthropomorphic characters were the staple of kids' cartoons for decades. How old are you, a century or three?
lelanthran@reddit
Well, if the answer is "Only Work In An Ideal Workplace, In An Ideal World", then that answer solves almost all problems I encounter ... well, everywhere, TBH.
Soatok@reddit
It's not even that. It's "don't work in an environment so judgmental and suffocating that strangers exaggerate scenarios on Reddit threads to compare to your lived experience".
eattherichnow@reddit
Yeah, cute furry mascots, famously associated with sex by everyone, especially people who aren't extremely online nerds.
Strus@reddit
If your CTO can stand seeing furries when many highly skilled security researchers/programmers are furries, they may not be a very good CTO.
I mean if you read a lot about programming/security from high quality sources, you see article with furry art at least once a month.
ByteArrayInputStream@reddit
"How dare people on the Internet have a personality? How am I supposed to share this information with soulless ghouls now?"
loup-vaillant@reddit
> However, I wouldn't be able to send this to a board of directors or my CTO
Honestly? I would. Not only that, I would not hesitate to include a picture of the anthropomorphic blue dhole in my own slideshow if I were to ever cite /u/Soatok in a keynote in front of big shots: it's such a recognisable brand, and I suspect one of the best ways to credit him.
I don't understand what's the problem with anthropomorphic animals as personas: we routinely show anthropomorphic animals to children for crying out loud.
josefx@reddit
Not everyone wants to spend their free time generating content for degenerates.
The_SystemError@reddit
Yeah! Some people draw furry art instead!
lelanthran@reddit
"Cheapening" a message has nothing to do with sales.
I can easily cheapen a message by including my sexual preference in the message. You can, too.
fuckparalysis@reddit
nitpick
mszegedy@reddit
i agree, but also, saying this as someone who loves furry artwork, it did feel pretty unnecessary. the artwork is pretty high-quality but it doesn't really serve any purpose (not even as a way to better illustrate tone the way some blogs do).
ritaPitaMeterMaid@reddit
I read food blog occasionally. Apparently he read criticized for our and doubled down. I agree with you though, it doesn’t add anything.
ProudlyGeek@reddit
It's not so much that it doesn't add anything, and everyone's welcome to their own opinions and lifestyle, that's none of my business. But can you imagine sending this to your CTO or using it as justification for not rolling your own crypto to a technical board of directors...
Thelmara@reddit
Yes, because I'm pretty sure my boss can handle pictures of anthropomorphic animals.
And if not, how in the hell is that OP's problem?
ludovico_26end@reddit
I can and I have done so in the past as pitches to CTO and CEO.
As a project lead of a security sensitive component, I would go the other way round: If I ever found out that a member of our team was hiding relevant information because of personal sensibilities regarding the presentation style, I'd kick them off the team and probably make a good argument for having them fired for unprofessional and malicious behavior.
Soatok@reddit
If you're in a problem space where cryptography is involved to any extent more than "we use SSH and TLS", then your CTO is overwhelmingly likely to be used to furries existing, or at least acknowledges the eccentricities of security nerds online.
And if they aren't? It's a teachable moment.
Thelmara@reddit
Furry art on the personal blog of a furry is unnecessary?
tnemec@reddit
I follow this blog via RSS regularly. IIRC, this is meant to be his personal furry blog. Removing the furry art would be defeating the point of the blog.
... the fact that a personal furry blog happens to be a higher quality technical blog than a whole lot of "more professional" technical blogs is pretty funny, but ultimately besides the point.
ebalonabol@reddit
Eh, would rather have that than unedited AI images I see a lot in blog posts nowadays
Lachee@reddit
The furry art enhances the seriousness. Everyone knows the 10x developers are either all trans, femboys, or furries.
reddituser567853@reddit
That’s how you know it’s quality. The majority of top cyber security experts are furries.
I don’t want to hear about this topic unless it’s from a tism touch furry
lamp-town-guy@reddit
At least it doesn't look like just another dev blog. It has soul.
binheap@reddit
Hooray for not being another Medium article in an age of AI-generated articles. The furry part is great in that it adds personal flair and honestly reminds me of the early internet.
__ark__@reddit
Personally I think it adds a lot of legitimacy
ToaruBaka@reddit
I was going to skip this article because I was already feeling sus about Session, but now I'm definitely reading it.
Chevaboogaloo@reddit
To me it signals that they spend 80% of their time programming and 20% of their time being a furry and nothing else.
So yeah they probably know their shit
mpinnegar@reddit
Furries are the backbone of the tech industry. It just adds to the legitimacy of the article.
PreciselyWrong@reddit
Source? Furries are a very small niche in programming
_zenith@reddit
In security they are very overrepresented
Go to a hacker con. Tons of furries haha
PreciselyWrong@reddit
People attending American security cons are not a representative slice of all people who work in IT security
_zenith@reddit
No, just the most skilled and influential of them
PreciselyWrong@reddit
That I highly doubt
mpinnegar@reddit
I don't have a specific study but you can Google "furries in programming".
The reason I believe that furries are overrepresented in the technology field is that the weirder and less mainstream your fandom is, the more you need technology to meet other people with similar interests. Furries are very niche and therefore primarily interact with each other through forms mediated by technology that used to be archaic and difficult to set up. Connecting to a BBS was not street-level consumer friendly; you needed special expertise to do so. This has never changed. Even with the advent of Facebook and other messaging systems you need some technical acumen to successfully navigate Discord/Facebook/etc. outside of super surface-level interactions.
tl;dr furries needed technology to meet each other so the fandom has a selection bias towards the technically inclined.
Source - myself; I've been involved in "fandom" generally for over 25 years and have been programming professionally for over 15. I'm also a furry. Yiff yiff.
PreciselyWrong@reddit
Sure, but furries are overrepresented in programming. But still a very small minority
eattherichnow@reddit
Actually that's either author's OC, or commissioned art - and therefore it makes the article look more expensive, not cheaper.
Soatok@reddit
The character design is mine, but the art is not. I've credited all the artists in the captions, with a link to their portfolios. (I do this despite having paid for the art because them getting proper credit is important to me.)
Keejef@reddit
The claims made by the researcher in the above post are incorrect and/or misleading, there's a full response via the Session blog here https://getsession.org/blog/a-response-to-recent-claims-about-sessions-security-architecture. Many of the claims are based on a misreading of Session's code or misinterpretation of the underlying cryptography.
Soatok@reddit
I think you will find that you misunderstand the underlying cryptography. Rebuttal post coming soon.
Smooth-Zucchini4923@reddit
> Ed25519 Keypairs generated from their KeyPairUtilities object only have 128 bits of entropy, rather than the ~253 bits (after clamping) you’d expect from an Ed25519 seed.
That seems like a really weird choice. I looked at the libsodium documentation, and it says that when using crypto_sign_seed_keypair(), it expects crypto_sign_SEEDBYTES of entropy. This is presently defined as 32 bytes.
The advantage of this approach is that mnemonics are 13 words rather than 25, but this seems like a pretty dubious savings.
I also looked at the Quarkslab security audit, to see if they had a justification for this choice. They call out the same issue, under section SESS-AND-04. This was back in 2021!
Keejef@reddit
As you stated, the reason for reduced entropy is to achieve shorter mnemonic seed phrases; if the user is going to write down their seed, it's easier to write down 13 words than 25. The claimed reduction in security is addressed in a response here https://getsession.org/blog/a-response-to-recent-claims-about-sessions-security-architecture ; essentially the SHA512 hashing step invalidates the proposed attack.
Smooth-Zucchini4923@reddit
> The claimed reduction in security is addressed in a response here [...] essentially the SHA512 hashing step invalidates the proposed attack.
If they're going to reduce the size of the seed by 50%, I would like to see some audit attention about whether this choice makes the protocol insecure.
The audit doesn't give me any confidence that this is secure. Session characterizes the audit like this:
> Session’s generation of Ed25519 keys using 128 bits of entropy was explicitly identified in Quarkslab’s audit of Session, and Session developers had similar discussions with the Quarkslab team. Ultimately, they classified this finding as “low” because although the approach was non-standard, there was no practical nor theoretical method found to exploit this non standard approach.
I don't believe this characterization of the audit. I think that if the auditor found a vulnerability, then later realized that the vulnerability was not really exploitable, the vulnerability would be removed from the final report.
Instead, the issue is still in the report, which tells me that Session and their auditor weren't able to come to agreement about whether the seed size reduction is a vulnerability. Instead, the auditor included Session's response in the report, neither agreeing nor disagreeing with it. This tells me that they either don't agree with Session's position, or their auditors don't have enough familiarity with crypto to evaluate if Session is right. Either one is worrisome.
I also don't place much importance on the Low rating. These ratings are, to some extent, negotiable.
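An added, self-contained illustration of the seed-size point discussed in the exchange above (not code from Soatok's post, Session, or libsodium): it mirrors what crypto_sign_seed_keypair() does (seed, SHA-512, clamp, scalar multiplication) in pure Python, checks itself against the RFC 8032 test vector, and shows why the SHA-512 step cannot raise the number of reachable keys above 2^(seed bits). The zero-padding of a 16-byte seed and the 3-words-per-32-bits mnemonic encoding are assumptions made for the example, not Session's actual scheme.

```python
import hashlib
import math

# Ed25519 parameters (RFC 8032).
P = 2**255 - 19
D = (-121665 * pow(121666, P - 2, P)) % P
BX = 15112221349535400772501151409588531511454012693041857206046113283949847762202
BY = 46316835694926478169428394003475163141307993866256225615783033603165251855960
BASE = (BX, BY, 1, BX * BY % P)   # base point in extended coordinates (X, Y, Z, T)
SEEDBYTES = 32                      # libsodium's crypto_sign_SEEDBYTES


def _add(p, q):
    """Unified twisted-Edwards addition in extended coordinates (RFC 8032 formulas)."""
    x1, y1, z1, t1 = p
    x2, y2, z2, t2 = q
    a = (y1 - x1) * (y2 - x2) % P
    b = (y1 + x1) * (y2 + x2) % P
    c = 2 * t1 * t2 * D % P
    d = 2 * z1 * z2 % P
    e, f, g, h = b - a, d - c, d + c, b + a
    return (e * f % P, g * h % P, f * g % P, e * h % P)


def _mul(s, p):
    """Double-and-add scalar multiplication; (0, 1, 1, 0) is the neutral element."""
    q = (0, 1, 1, 0)
    while s:
        if s & 1:
            q = _add(q, p)
        p = _add(p, p)
        s >>= 1
    return q


def _compress(p):
    """Encode a point as 32 little-endian bytes: y with the sign bit of x on top."""
    zinv = pow(p[2], P - 2, P)
    x, y = p[0] * zinv % P, p[1] * zinv % P
    return (y | ((x & 1) << 255)).to_bytes(32, "little")


def clamp_scalar(h32: bytes) -> int:
    """Ed25519 clamping: clear the low 3 bits and bit 255, set bit 254."""
    a = int.from_bytes(h32, "little")
    a &= (1 << 254) - 8
    a |= 1 << 254
    return a


def keypair_from_seed(seed: bytes) -> tuple[bytes, bytes]:
    """Same derivation as crypto_sign_seed_keypair: SHA-512(seed) -> clamp -> a*B.
    Returns (public_key, secret_key) with secret_key = seed || public_key."""
    if len(seed) != SEEDBYTES:
        raise ValueError(f"seed must be {SEEDBYTES} bytes, got {len(seed)}")
    a = clamp_scalar(hashlib.sha512(seed).digest()[:32])
    pk = _compress(_mul(a, BASE))
    return pk, seed + pk


def keypair_from_short_seed(seed16: bytes) -> tuple[bytes, bytes]:
    """Stand-in for a 128-bit-seed scheme: zero-pad to 32 bytes (an assumption for
    this example, not Session's code). Whatever deterministic expansion is used,
    at most 2**128 distinct keys are reachable; the SHA-512 step adds no entropy."""
    if len(seed16) != 16:
        raise ValueError("expected a 16-byte (128-bit) seed")
    return keypair_from_seed(seed16 + bytes(SEEDBYTES - 16))


def seed_search_bound_bits(seed: bytes) -> int:
    """Work (in bits) to enumerate every key reachable from seeds of this length.
    Because key derivation is a deterministic function of the seed, this bound
    is the seed size, independent of the hash function used afterwards."""
    return 8 * len(seed)


def mnemonic_word_count(seed: bytes) -> int:
    """Assumed Monero-style encoding: 3 words per 32 bits plus 1 checksum word,
    which reproduces the 13-word vs 25-word figures quoted in the thread."""
    return 3 * math.ceil(len(seed) / 4) + 1


if __name__ == "__main__":
    rfc_seed = bytes.fromhex("9d61b19deffd5a60ba844af492ec2cc44449c5697b326919703bac031cae7f60")
    print("RFC 8032 test 1 public key:", keypair_from_seed(rfc_seed)[0].hex())
    short = bytes.fromhex("000102030405060708090a0b0c0d0e0f")   # constructed sample seed
    for label, s in (("16-byte seed", short), ("32-byte seed", rfc_seed)):
        print(f"{label}: search bound 2^{seed_search_bound_bits(s)}, "
              f"{mnemonic_word_count(s)} mnemonic words")
```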
biledemon85@reddit
I understood some of those words... At least the core message is in the title and easy to understand!
TealViR@reddit
They forked a secure app and made it less secure on purpose.
Keejef@reddit
Depends what you're optimising for, Session offers out of the box Onion Routing, requires no phone number to sign up and stores and routes messages over a decentralised network. Yes, Session doesn't implement PFS, but for most users PFS offers minimal advantages, we wrote a blog post about this a few years ago https://getsession.org/session-protocol-technical-information . The claims made by the researcher in the above post are incorrect and/or misleading, there's a full response via the Session blog here https://getsession.org/blog/a-response-to-recent-claims-about-sessions-security-architecture
179b5529@reddit
instant ctrl + w
baseketball@reddit
If it distracts you that much, just add this site to Chrome's Security and Privacy settings to not display images. If you're at all interested in cryptography and security, this guy knows what he's talking about.
Halkcyon@reddit
You missed out on quite a good read about cryptography then.
__ark__@reddit
Only those who have mastered their spirit animal can master cryptography