Thomas Ptacek
@sockpuppet.org
📤 2847
📥 219
📝 1048
Full of passionate intensity.
pinned post!
about 1 year ago
0
6
1
It finally happened. We finally got @lcamtuf to hang out with us for an hour, to discuss bugnarok, a.k.a. bugsment day, f.k.a. the bugpocalypse.
securitycryptographywhatever.com/2026/06/14/f...
loading . . .
Facing the Vulnpocalypse With lcamtuf
We talk to Michał Zalewski (lcamtuf) about the vulnpocalypse and if we even need fuzzers anymore. This episode may be export controlled at a future date. Th...
https://securitycryptographywhatever.com/2026/06/14/facing-the-vulnpocalypse-with-lcamtuf/
23 days ago
0
14
1
What in the everloving fuck are these people thinking? A fucking car has a 16 year age floor.
about 1 month ago
3
11
0
If I was participating in a cryptography standards group and said something that caused an academic cryptographer to vocally question their support of formal methods, I would immediately take a 3 year sabbatical from computers and go work at Whole Foods or something.
about 1 month ago
0
18
0
So this is perfect.
connections.audio
loading . . .
Audio Connections
https://connections.audio/
about 1 month ago
0
2
0
Blake Colquitt claims Hacker News is hospitable to "race realism" (because of Curtis Yarvin). We share most of an opinion about Yarvin, but he is making up that claim about HN. HN is distinctively INHOSPITABLE to that stuff, far more so than Bsky.
www.dontbeasucker.blog/p/the-butter...
loading . . .
The Butterflies in Your Stomach Are Planning a Coup
It only took 250 years for American elites to forget why they hated monarchy
https://www.dontbeasucker.blog/p/the-butterflies-in-your-stomach
about 2 months ago
1
5
0
People meeting up at around 7PM at Kaiser Tiger on Ogden/Randolph for ChiSec, if you're bored and want to drink with nerds. No RSVPs, just show up.
about 2 months ago
0
2
0
Very much enjoying watching nerds attempt to cancel Olga Tokarczuk for acknowledging she used LLMs in her brainstorming process. Nobelslop!
about 2 months ago
0
5
0
reposted by
Thomas Ptacek
llimllib
about 2 months ago
(good article, I wish I could have clicked on the images to view them full size) I also made a markdown renderer that works exactly like I want, because I was unhappy with glow:
github.com/llimllib/mdr...
loading . . .
GitHub - llimllib/mdriver: A streaming markdown printer
A streaming markdown printer. Contribute to llimllib/mdriver development by creating an account on GitHub.
https://github.com/llimllib/mdriver
1
2
1
I wrote a thing. This is not a love letter to Emacs, which is one of my more toxic and codependent relationships.
sockpuppet.org/blog/2026/05...
loading . . .
The Emacsification of Software
https://sockpuppet.org/blog/2026/05/12/emacsification/
about 2 months ago
3
38
7
Oh, ChiSec is tonight, bunch of security nerds hanging around at a bar, Kaiser Tiger on Randolph/Ogden, 7PM. No RSVPs, just show up, look for the table of nerds. Has been pretty well attended lately.
3 months ago
0
4
0
Skyr is the king of all dairy products, that is all.
3 months ago
0
8
1
Alex Gaynor on the "sufficiently smart compiler" of software security, the mythical actually-effective static analyzer:
alexgaynor.net/2026/apr/13/...
loading . . .
If it could have, why didn't it? · Alex Gaynor
https://alexgaynor.net/2026/apr/13/why-didnt-it/
3 months ago
0
13
4
This is a fucking incredibly great bug. Ask Claude to demonstrate it for you; it'll one-shot it. For ECC signatures (at least), WolfSSL thinks a 1-byte SHA2 hash is just as good as a 32-byte hash.
3 months ago
1
53
2
I wrote something:
sockpuppet.org/blog/2026/03...
loading . . .
Vulnerability Research Is Cooked
https://sockpuppet.org/blog/2026/03/30/vulnerability-research-is-cooked/
3 months ago
7
95
46
reposted by
Thomas Ptacek
Deirdre Connolly¹ ²
3 months ago
2
11
1
Yeah, so, I'm going to have more to say about this later, but, for now... yeah.
securitycryptographywhatever.com/2026/03/25/a...
loading . . .
AI Finds Vulns You Can
Returning champion Nicholas Carlini comes back to talk about using Claude for vulnerability research, and the current vulnpocalypse. It’s all very high-brow ...
https://securitycryptographywhatever.com/2026/03/25/ai-bug-finding/
3 months ago
2
13
5
Extremely psyched about two upcoming SCW guests, one of them this week. We've got very crunch vulnerability research and cryptography stuff coming.
4 months ago
0
24
3
Y'all, I've seen some shit, but I've never seen someone want *both* DNSSEC ceremonies *and* the CA/B Forum before.
4 months ago
3
14
0
Nicholas Carlini at [un]prompted. If you know Carlini, you know this is a startling claim.
4 months ago
1
34
5
None of you are giving me enough credit for not participating on the TLS working group mailing list. You're welcome. Everything I don't do, I don't do it for you.
4 months ago
2
26
2
Annals of things people have actually written down for other people to read: "No one trusts NIST. But people do trust the IETF."
4 months ago
0
5
0
People who hope to apply Daniel Bernstein's rules-lawyering tactics at IETF, which were honed in the DNS WGs (where he was probably in the right), would do well to remember that those tactics have consistently failed. They've merely won him standing to complain about the IETF.
4 months ago
0
3
0
There's only one correct way forward for handling the introduction of MLKEM into TLS, and, indeed, all future tls-wg cryptography debates, and it's this proposal:
snkth.com/add-crypto/
loading . . .
Additive Cryptography for TLS
This document defines Additive Cryptography for TLS, a transition framework in which algorithms are never replaced and only accreted. Implementations MUST NOT negotiate a single key exchange algorithm...
https://snkth.com/add-crypto/
4 months ago
1
20
2
Given how i am only a) a beneficiary of air travel (thanks for all the miles so far) b) A non-avionics-expert reader of the EUROCAE WG-128 RTCA/DO-254 drafts c) A spectator usually attending this type of debate with popcorn I hope my comments are useful...
5 months ago
0
4
0
"Auchentoshan" is inarguably the best distillery name.
5 months ago
0
4
1
Very fun: if you have the dictionary of embeddings Semantle uses, solving it is a trivial linear algebra problem: they're giving you the cosine similarity back on every guess, so you can filter out most of the vocabulary on a single guess.
victoriaritvo.com/blog/semantl...
loading . . .
A Solver for Semantle
https://victoriaritvo.com/blog/semantle-solver/
5 months ago
1
11
0
For a lot of years I was in the habit of criticizing cryptography designs that used asymmetric constructions because RSA is much more complicated and hard to get right than symmetric crypto. But the real problem is that it's against the law to authenticate an RSA key.
5 months ago
2
8
1
reposted by
Thomas Ptacek
Coda
5 months ago
Seriously, every paper with Backendal as an author is a banger
2
5
1
"presenting a cornucopia of practical attacks". These are my favorite words ever to have occurred in a cryptography paper.
5 months ago
3
54
11
reposted by
Thomas Ptacek
Chris Gale
5 months ago
I think even calling it Chess is being charitable; many days I think it's closer to the board game Concentration.
0
1
1
Of all the possible LLM applications to be skeptical about, vulnerability research seems like it has to be the dumbest. Of course it works. If you think it can't, I'll assume you've never once billed an hour looking for vulnerabilities.
5 months ago
4
26
2
JAMC sounds absolutely nothing like Echo & The Bunnymen. That is all.
5 months ago
0
2
0
Peak vertical video food content. I am officially wearing an onion around my belt. It is the fashion of my time.
loading . . .
5 months ago
0
2
0
Just recorded the premiere episode of Season VIII of Security Cryptography & W/evs, this time with Alex Gaynor and Paul Kehrer, who have a momentous announcement about pyca/cryptography and OpenSSL.
5 months ago
2
24
4
This is a perfect piece of technical writing.
alexharri.com/blog/ascii-r...
loading . . .
ASCII characters are not pixels: a deep dive into ASCII rendering
A look at how I used shape vectors to achieve sharp, high-quality ASCII rendering.
https://alexharri.com/blog/ascii-rendering
6 months ago
2
147
52
Quick reminder that ChiSec is tonight, it's at Kaiser Tiger now (on Ogden in West Loop), starts at 7PM, no RSVPs just show up, I'll probably make it by around 8PM.
6 months ago
0
2
0
I wrote a thing.
fly.io/blog/design-...
loading . . .
The Design & Implementation of Sprites
So that we may educate as well as horrify: the internals of our new Sprites execution platform.
https://fly.io/blog/design-and-implementation/
6 months ago
0
9
2
Final SCW of 2025! We had Matt Bernhard on to talk about cryptographic voting systems, in the wake of the IACR election. (Everybody I voted for in the new election won! Woo!)
add a skeleton here at some point
6 months ago
0
9
3
Rust people should be embarrassed by the people trying to argue that Rust is the only truly memory-safe mainstream language. Far and away the cringiest RESF trope.
6 months ago
4
11
1
They should use Vince Guaraldi's instrumenal Joe Cool diagnostically. If you can hear it and not at some point grin, something's clearly wrong.
7 months ago
0
4
0
Quick reminder that ChiSec is tonight at 7PM. It's at Kaiser Tiger, at Randolph and Ogden (just down the street from where Twisted Spoke was).
8 months ago
0
1
0
No he didn't. He said other bad shit, which isn't reported here because it's not as exciting as the made-up shit. Shun accounts that do this.
add a skeleton here at some point
8 months ago
0
5
0
Three dumb ideas that recur constantly in discussions among nerds about intelligence: (1) IQ tests are illegal in hiring. (2) There exist national average IQ numbers. (3) Intelligence research is suppressed.
8 months ago
5
20
3
I wrote a thing, about a project you should knock out when you get 45 minutes free.
fly.io/blog/everyon...
loading . . .
You Should Write An Agent
They're like riding a bike: easy, and you don't get it until you try.
https://fly.io/blog/everyone-write-an-agent/
8 months ago
0
23
4
@oakparknerd.bsky.social
Mask off for Stopeck, I guess.
9 months ago
1
6
0
Have you moved to the district yet?
add a skeleton here at some point
9 months ago
2
3
0
Simon calls out this Dan Abramov comment about how ATproto is qualitatively different from ActivityPub. Maybe he's right. But I look at ActivityPub/Mastodon as a midpoint between blog/RSS and Twitter, and I don't remember the blogosphere being ineffective.
simonwillison.net/2025/Sep/27/...
loading . . .
A quote from Dan Abramov
Conceptually, Mastodon is a bunch of copies of the same webapp emailing each other. There is no realtime global aggregation across the network so it can only offer a fragmented …
https://simonwillison.net/2025/Sep/27/dan-abramov/
9 months ago
1
7
0
New Neko is fine. Good. The music has gotten more interesting. This is better than the last album with all the cigarettes on it. Still not clear how you can ever outdo Fox Confessor.
9 months ago
1
1
1
Called this.
www.galois.com/articles/cla...
loading . . .
Claude Can (Sometimes) Prove It
https://www.galois.com/articles/claude-can-sometimes-prove-it
10 months ago
1
8
2
Good Morning Spider is an underrated album.
10 months ago
0
1
0
Load more
feeds!
log in