Matthew Green
@matthewdgreen.bsky.social
I teach cryptography at Johns Hopkins. https://blog.cryptographyengineering.com
created April 28, 2023
17,394 followers 401 following 1,590 posts
Matthew Green (@matthewdgreen.bsky.social) reply parent
Anyway I was on the east side of Manhattan and I was shocked that Brooklyn also has an identical Domino Sugar factory but I checked and theirs is full of knowledge workers using ChatGPT like a normal American city.
Matthew Green (@matthewdgreen.bsky.social) reply parent
It’s not evident today but there’s even a cute little smokestack that pumps white smoke out into the tourist areas of the city, but it’s ok because we pretend it’s sugar and not a toxic blend of CO2 and PCBs.
Matthew Green (@matthewdgreen.bsky.social)
In any other city this waterfront property would be an office space/condo. What I love about Baltimore is they’re actually making sugar in there.
Drew Harwell (@drewharwell.com) reposted
New: I looked at 90 porn sites to test the new age-verification law rewriting the web. The ones following the rules, and scanning visitors' faces, are crumbling, while the lawbreakers are doubling or tripling their traffic. One of many unintended consequences for an experimental tech wapo.st/47QuttW
Matthew Green (@matthewdgreen.bsky.social) reply parent
I did and I tried to quote tweet but it was disabled :)
Matthew Green (@matthewdgreen.bsky.social)
There are three price categories of rental car at the airport. They all rent basically the same cars, but one is seriously understaffed, one is majorly understaffed, and one is five separate rental companies operated by a single guy who also runs a Subway.
Matthew Green (@matthewdgreen.bsky.social)
Yesterday I posted something I got from a friend about an Apple hardware vuln. I was offline for a bit but some folks pointed out that it looked like slop. Deleted the post but apologies if it was.
Matthew Green (@matthewdgreen.bsky.social)
I thought by now we’d have all the corn syrup and additives taken out of our food, instead of optional vaccines being banned. Oh well I guess maybe let’s give it another year.
Matthew Green (@matthewdgreen.bsky.social) reply parent
Why not?
Matthew Green (@matthewdgreen.bsky.social) reply parent
We lost crypto years ago.
Matthew Green (@matthewdgreen.bsky.social) reply parent
The important point being that, as someone who agrees with the severity of all that’s going on, I read my BlueSky timeline the way nuclear scientists expose themselves to major sources of radiation. And that’s not great.
Matthew Green (@matthewdgreen.bsky.social) reply parent
In fairness sometimes the people on X are excited about Cracker Barrel logos or Sydney Sweeney so it’s not all crypto.
Matthew Green (@matthewdgreen.bsky.social)
I’m not sure what’s better. To be on BlueSky and be aware of what’s happening and totally depressed all the time, or be on X and convinced that crypto matters.
Matthew Green (@matthewdgreen.bsky.social) reply parent
Evan I generally appreciate your commentary but please put this in a format that a slightly uninspired, tired person can understand because right now it reads like a Zen koan.
Matthew Green (@matthewdgreen.bsky.social) reply parent
arstechnica.com/information-...
Matthew Green (@matthewdgreen.bsky.social) reply parent
I asked ChatGPT to typeset it and it now looks 8000% better. Even if it wouldn’t use the real JHU logo.
Matthew Green (@matthewdgreen.bsky.social) reply parent
I’m not kidding. They had an entire task force, and nobody thought to use anything but the Windows default font.
Matthew Green (@matthewdgreen.bsky.social) reply parent
Imagine convening a committee on academic freedom and at the end of it you just dash off something in Arial.
Matthew Green (@matthewdgreen.bsky.social)
Pretty funny that anything you don’t like can be dealt with using culture war. I hate olives. Woke olives.
Matthew Green (@matthewdgreen.bsky.social) reply parent
It’s a good statement! You’d think they could have used a nicer font though.
Matthew Green (@matthewdgreen.bsky.social) reply parent
And for a lot of older people in small towns it still means that.
Matthew Green (@matthewdgreen.bsky.social)
My university just sent out its yearly “please don’t protest on our campus” email, with a link to the Statement of Principles on Academic Freedom. And it reminded me that we only have this statement because some idiots tried to shut down my blog in 2013.
Matthew Green (@matthewdgreen.bsky.social)
Phone numbers are one of our last two multi-platform identifiers. 50 years from now we’ll still have them but nobody will remember what a phone call was.
Matthew Green (@matthewdgreen.bsky.social) reply parent
But phone numbers are our last unique identifier!
Matthew Green (@matthewdgreen.bsky.social) reply parent
Yup. I’ve read Matt Y for years and sure he sometimes had bad takes and was a bit of a contrarian but he was definitely a liberal. Now his audience makes GWB look liberal and his writing is terrible.
Matthew Green (@matthewdgreen.bsky.social) reply parent
It’s weird reading the blog of a “prominent liberal pundit” and every single poster is a frothing conservative that would make the Bush cabinet look like liberals.
Matthew Green (@matthewdgreen.bsky.social)
The readers on @mattyglesias.bsky.social’s are trying to decide if the leftists want to “destroy all capitalism” or merely embark on a more Marxist/Leninist program to collectivize the US. I am so glad I never moved to Substack.
Matthew Green (@matthewdgreen.bsky.social)
Is there any upside to answering the phone anymore? The scam rate used to hover around 75% and now it seems to be consistently close to 100%.
Matthew Green (@matthewdgreen.bsky.social) reply parent
But it was so essential to your life that your phone immediately needed to inject it right into the most vulnerable bits of its brain.
Matthew Green (@matthewdgreen.bsky.social) reply parent
And email. And ugh.
Matthew Green (@matthewdgreen.bsky.social) reply parent
Ugh I was like “wait is this going through iMessage” and then I remembered also there’s Airdrop.
Matthew Green (@matthewdgreen.bsky.social) reply parent
The answer is “everyone”. Everyone could have predicted this. Why in the world are phones accepting JPEG lossless compression used inside of “DNG” files. My phone should only accept ASCII art.
Matthew Green (@matthewdgreen.bsky.social) reply parent
Sorry here’s the PoC. github.com/b1n4r1b01/n-...
Matthew Green (@matthewdgreen.bsky.social)
Oh look, the iOS vulnerability is yet another weird subcase of image decompression, who could possibly have predicted.
Matthew Green (@matthewdgreen.bsky.social) reply parent
And what have we learned from this exercise in being concerned with labels instead of substance?
Matthew Green (@matthewdgreen.bsky.social) reply parent
Oh boy I’m looking forward to winning lots of political arguments with LLMs on this one.
Matthew Green (@matthewdgreen.bsky.social)
We’re still having discussions about how Zohran Mamdani is a “socialist” because he wants to open one state-run grocery store, meanwhile the US government now controls 10% of Intel. I find this super amusing.
nilay patel (@reckless.bsky.social) reposted
Three different Intel CEOs have tried everything to compete with TSMC and I promise you government control of the company is not going to work any better
Matthew Green (@matthewdgreen.bsky.social) reply parent
Lady professors are the only reason I got my hair cut from age 2-18.
Matthew Green (@matthewdgreen.bsky.social) reply parent
Fast Car is a really good cover, by the way. No disrespect to Luke.
Matthew Green (@matthewdgreen.bsky.social)
The best thing about being a professor (or country singer) is that people will compliment you when you get too busy to trim your beard for a month or so, instead of (correctly) telling you that you look like Luke Combs.
Matthew Green (@matthewdgreen.bsky.social) reply parent
Sorry this thread is a mess of typos. I woke up at 5:30am and apparently it’s gonna be typos all day.
Matthew Green (@matthewdgreen.bsky.social) reply parent
Maybe I’m being too glib about this. If someone unlocks your car and steals something, that really sucks. I understand the desire to blame some hardware tool. But the tools are too easy to build now, there’s no putting that genie back in the bottle. Manufacturers *can* make cars resistant to them.
Matthew Green (@matthewdgreen.bsky.social) reply parent
For fancy RF stuff, various industries have been able to get away with kindergarten security protocols because “nobody will ever figure out how to intercept a radio broadcast!!!!” Turns out that’s not true and now those security protocols have to be brought into the 21st century. That’s good!
Matthew Green (@matthewdgreen.bsky.social) reply parent
The last thought is that tools like the Flipper Zero are really good and healthy for industries like this. Encryption for the web and stuff used to be basically non-existent just a few years ago: now it’s everywhere. That’s because people built and distributed (software) tools like Firesheep.
Matthew Green (@matthewdgreen.bsky.social) reply parent
But that is 100% on the car manufacturers. If you’re shipping cars without basic inexpensive anti-theft technology we’ve had since the 2000s, that’s malpractice. Insurance companies should be throwing the (premium) book at those companies.
Matthew Green (@matthewdgreen.bsky.social) reply parent
Second thought is that there seems to be a lot of variance in digital car security, and in this attack. It sounds like Kia cars (up until recently) weren’t using basic immobilizer tech from 2003. So some of these attacks may actually be much more serious and let you steal cars!
Matthew Green (@matthewdgreen.bsky.social) reply parent
(By which I mean, congratulations, someone got your car open by lurking around to steal your key code and didn’t just smash a window or use a slim-jim and possibly trash the door lock hardware. Don’t leave stuff in your car!)
Matthew Green (@matthewdgreen.bsky.social) reply parent
Ok I have three thoughts. The first is that most of these attacks seem like door unlocking attacks, and it looks like a lot of them are just some form of replay where you first have to capture the code from someone who has the real key. Doesn’t seem like a really terrible attack.
Matthew Green (@matthewdgreen.bsky.social)
I don’t understand how this represents a problem with the Flipper Zero rather than a stinging indictment of the car security industry. www.404media.co/inside-the-u...
Matthew Green (@matthewdgreen.bsky.social)
Another iOS 0-day. www.theregister.com/2025/08/21/a...
Matthew Green (@matthewdgreen.bsky.social) reply parent
It’s a loop of 6x running the whole mess through AES. I think the boxes represent each invocation.
Matthew Green (@matthewdgreen.bsky.social) reply parent
This is about private encrypted text messages not social media. Social media is public and readable and if you want to take up liability questions with X and Meta be my guest.
Matthew Green (@matthewdgreen.bsky.social)
The 17 y/o asked me today if I knew Europe was planning to spy on kids’ text messages and I had to correct him: no, the EU has plans to spy on *everyone’s* text messages. But I guess this means the word is getting out.
Matthew Green (@matthewdgreen.bsky.social) reply parent
Yes, once I have a few chapters somewhat complete (maybe this fall?) I’m definitely going to start posting them. Bugs and all.
Matthew Green (@matthewdgreen.bsky.social) reply parent
But does it have artwork this colorful?
Matthew Green (@matthewdgreen.bsky.social) reply parent
Yes but then I have to cover everything before we get to modes of operation which I hate.
Matthew Green (@matthewdgreen.bsky.social) reply parent
So now I have to rethink the order of everything. It’s circular because everything depends on everything else. Ciphers want to go first and then hash functions but you can’t do that before you do encryption can you?
Matthew Green (@matthewdgreen.bsky.social)
My original plan was to write one giant chapter on symmetric cryptography, covering everything from ciphers to modes to hash functions and MACs and even detouring into commitments and universal hashing. At 46 pages and still unfinished I’m realizing that doesn’t work.
Matthew Green (@matthewdgreen.bsky.social) reply parent
Every now and then I’ll find one stuck in the sleeve of a coat and they’ve been patiently waiting for someone to let them out of the “tunnel” they got stuck in.
Matthew Green (@matthewdgreen.bsky.social)
So the problem with dachshunds is…
Matthew Green (@matthewdgreen.bsky.social)
I now know everything there is to know about polynomial hash functions and the universe is free to stop existing. Sorry everyone, that’s just the way it is.
Molly White (@molly.wiki) reposted
The “agreement” Justin Sun says should prevent Bloomberg from publishing the amounts and types of crypto assets he holds seems extremely shaky to me (caveat: not a lawyer, some images are missing). “Nobody at Bloomberg agreed to the terms sent by Justin, weeks after the data was shared with us.”
Matthew Green (@matthewdgreen.bsky.social)
Rowhammer is alive again, this time on DDR4 servers with ECC memory. ecc.fail
Matthew Green (@matthewdgreen.bsky.social) reply parent
Also, geez I remember the day I learned that Bork was part of the Nixon administration. I was just a kid then and Nixon seemed like some ancient embarrassing thing. To find out there was continuity of criminality across administrations was a big wake up call for me.
Matthew Green (@matthewdgreen.bsky.social) reply parent
The willingness to shelter and promote criminals and their enablers was always going to beget someone like Trump. If conservatives had wanted to keep their party (as opposed to being cast into the wilderness) they should have fought that part of their party. They didn’t, and now they’re lost.
Charlotte Moore-Lambert (@charlottereads.com) reposted
Baltimore is currently experiencing its lowest homicide rate in 50 years, and it’s not because they iNVeStEd iN pOLiCe, it’s because they invested in community programs to facilitate conflict resolution, address mental health, address poverty, and give kids fun and meaningful things to do
Matthew Green (@matthewdgreen.bsky.social) reply parent
I’m not sure how functional NIST is right now, but I’ve seen it pop up in workshop talks.
Matthew Green (@matthewdgreen.bsky.social) reply parent
They could have done so many things that don’t involve like six passes.
Matthew Green (@matthewdgreen.bsky.social) reply parent
I said people should use GCM-SIV. Does that count? ;)
Matthew Green (@matthewdgreen.bsky.social) reply parent
And.
Matthew Green (@matthewdgreen.bsky.social) reply parent
Here’s what I’ve got. With a warning that it’s probably full of bugs.
Matthew Green (@matthewdgreen.bsky.social) reply parent
But if you have ECB you can do better than key wrap.
Matthew Green (@matthewdgreen.bsky.social) reply parent
This combines my interests and my 17 y/o’s interests.
Matthew Green (@matthewdgreen.bsky.social) reply parent
NIST has this key wrapping scheme called KW and it honestly looks like it was created on a dare.
Matthew Green (@matthewdgreen.bsky.social)
Back to book writing. Today I felt compelled to write about “key wrapping.” Then I decided key wrapping schemes were dumb. Anyone want to argue with me on this?
Matthew Green (@matthewdgreen.bsky.social)
This little dialog box that pops up on Macs is the most suspicious thing ever. I’m 90% certain it’s a real system dialog, but still think a smart website could fake it with a pop-up window.
Lukasz Olejnik (@lukaszolejnik.bsky.social) reposted
AI propaganda is here, and this is only the beginning. Exactly as I predict in my book. A Chinese (apparent) subcontractor is reportedly using AI combined with massive data collection and analysis to run targeted influence operations. www.nytimes.com/2025/08/06/u...
Matthew Green (@matthewdgreen.bsky.social) reply parent
That’s exactly what they want. Project 2025 explicitly calls for shutting down foreign social media like WeChat and TikTok. (Trump’s implementation is more of an attempt to force their sale than a shutdown.) There is a strategic goal aimed at political stability; it’ll just be their politics.
Matthew Green (@matthewdgreen.bsky.social) reply parent
The Heritage Foundation does hate LGBTQ. But they also have a document that talks about amassing power and crushing every opposing power center in the United States. These two things aren’t mutually exclusive. www.brookings.edu/articles/pro...
Matthew Green (@matthewdgreen.bsky.social) reply parent
I think there’s a vanguard of people who really just hate porn. I think the reason they’re getting so much deep support is because other more thoughtful people behind them see the implications of an unchecked Internet as bad, and view this as one (legislative and technical) tool to end it.
marlo (@marlo.ooo) reposted
so the stupid canadian age verification bill is back in parliament so call your local MPs and tell them it’s bad and why it’s bad and don’t be ashamed to pander to them based on if they’re a tory or grit or otherwise - if you frame it in a way that mirrors their ideology, they might remember better
Matthew Green (@matthewdgreen.bsky.social) reply parent
I admit it sounds a little looney tunes when I write it down that way and yet, we live in a looney tunes time.
Matthew Green (@matthewdgreen.bsky.social)
For the ninth time I’m going to repeat my personal conspiracy theory that every democracy is fighting a battle to control its Internet against foreign influence, and “age verification” is not being pushed so hard because kids, but is actually one weapon being deployed for that fight.
Andy Greenberg (@agreenberg.bsky.social) reposted
The Halo 3C is a smoke/vape detector that Motorola sells for use in school bathrooms. It also has microphones inside. A teen hacker found them at his school, and with another security researcher has now shown they could be hacked for audio surveillance. www.wired.com/story/school...
Matthew Green (@matthewdgreen.bsky.social) reply parent
Just sitting here with an unfinished algorithm for solving MLWE all I need is that one missing piece.
Matthew Green (@matthewdgreen.bsky.social)
OpenAI continues to deny me GPT-5 presumably because it knows I’ve got a list of prompts that will break all cryptography if it’s 8% as good as Sam Altman says.
Matthew Green (@matthewdgreen.bsky.social) reply parent
I’m saying this because I had to switch back from book writing (fun! easy! still harder than many things I’ve done) to research paper writing, and it’s so much slower and more intricate. And I’m not even the lead author doing the hard stuff.
Matthew Green (@matthewdgreen.bsky.social) reply parent
And a lot of the time the difference between “good” and “bad” science is the kind of laziness that’s just Tuesday in software development.
Matthew Green (@matthewdgreen.bsky.social) reply parent
You’ve got a field that basically involves obsessive people doing obsessive work for relatively terrible pay and then you’re like “I, as an expert in JavaScript development, demand that every result be replicated.” I mean ok that would be cool, but how and with what resources.
Matthew Green (@matthewdgreen.bsky.social) reply parent
Anyway, I just want to be clear that I’m not patting anyone on the back. I’m just saying that this is absurdly more work than most other things people could be doing, for such a relatively small result. I think about this when people criticize science (often rightly) for lack of replication etc.
Matthew Green (@matthewdgreen.bsky.social)
One of the things that amazes me about scientific research is how much work goes into it. It’s just crazy. I mean all things require work, but it’s just so far above anything else (writing, software development.) I understand all the complaints about replication, what’s missing is the labor.
Reuters (@reuters.com) reposted
Jury deadlocks on money laundering charge against founder of crypto 'mixer' Tornado Cash reut.rs/45t4KVJ
Matthew Green (@matthewdgreen.bsky.social) reply parent
Yes we did some work on this. It’s great, but then you need to make sure the LLM cover traffic isn’t weird. meteorfrom.space
Matthew Green (@matthewdgreen.bsky.social) reply parent
Yes but it’s really easy to have AI generate stuff that “looks good” if you’re using the wrong definition of “looks good”, but might be really easily detectable. I guess maybe the real recommendation is that defenders need to think like censors, too.
Matthew Green (@matthewdgreen.bsky.social) reply parent
I agree that scale is going to be an issue for them, I don’t think you’ll have a transformer processing every packet. I do think you could build an architecture that’s heavily adaptive and uses filtering rules developed by gen AI.
Jade (@jade.packet.science) reposted reply parent
"How the Great Firewall of China detects and blocks fully encrypted traffic." is IMO the first glimpse into what this looks like, though. The thresholds in Ex1 smell like something written by a decision tree and then adapted by humans.
Matthew Green (@matthewdgreen.bsky.social) reply parent
Yes. It illustrates that (1) they care, (2) they’re happy to automate, (3) they’re operating at like .001% of the potential capability they could implement.
Matthew Green (@matthewdgreen.bsky.social) reply parent
It also doesn’t help that DOGE cancelled a bunch of NSF grants working on censorship-evasion tech because they contained the keyword “censorship.”