The history of this blog might very well be a cautionary tail (sic) about scope creep.
The Original Vision For Dhole Moments
Originally, I just wanted a place to write about things too long for Twitter (back when I was an avid Twitter poster).
I also figured, if nothing else, it would be a good place to write down the things I’m learning.
Before I had started this blog, I wrote a few posts on Medium. Today, the only Medium post that hasn’t already been discussed better here is one about coordinated inauthentic behavior.
Several months before I started Dhole Moments, I got really tired of Medium constantly pressuring me to monetize.
Thus, early in the COVID-19 pandemic, I started to look elsewhere.
I decided to resist the developer urge to engineer a platform from scratch and settled on just writing stuff on WordPress. However, I didn’t really want to deal with self-hosting either, so I settled for a WordPress.com-hosted blog.
If I had succumbed to this urge, instead of writing substantive posts, I’d still be tweaking the custom CMS platform for an empty blog that no one reads.
WordPress.com isn’t nearly as annoying or intrusive as Medium, but some nudges to monetize were still present in the dashboard.
It does, of course, have other annoyances.
If you ever wondered why I make such a big stink about avoiding advertising or marketing with my blog (and why I resent being accused of being paid to any product or service), know that the rejection of advertising money was part of the very inception of this blog for me.
Resistance to advertising and paywalls is baked in.
Derailed At Departure
This original vision lasted exactly one day, because I wrote a rebuttal to misinformation about a source code leak allegedly being used to assist computer hackers the following day, which ended up cited by an article by The Register.
Less than a week later, I’d found that Twitter failed to enforce the length restriction server-side on their Gender field (despite a client-side restriction).
I did try to correct course a little bit by writing about fun observations about hash functions, but then immediately proceeded to document fraudulent COVID-19 contact tracing apps on the Google Play Store.
By the time I got around to penning Why AES-GCM Sucks (which is one of my most heavily read posts), I realized I accidentally created something other people found useful.

But Not Useful Enough, Because Furry
Despite writing stuff for free, and not even forcing anyone to view advertisements, a handful of strangers complained incessantly about my inclusion of furry art on my furry blog, because they felt self-conscious showing my writing to their boss.
Meanwhile, I’ve taken fursuit selfies at professional infosec and cryptography conferences.

There’s an old saying: “Those who mind don’t matter, and those who matter don’t mind.”
The actual luminaries of software security and cryptography quite simply
do not give a fuck.

That is to say: They don’t have any of the same hang-ups about my blog’s furry art (or even being openly gay) that some commentators fear from their bosses and/or peers.

A Modicum Of Real-World Impact
In 2022, I rallied a bunch of folks to raise money for a library whose funding was at risk by a homophobic mayor upset over LGBTQ+ books (and books from queer authors) on display. The story made Pink News, Vice, and the Clarion Ledger.
I ended up turning down a few interview requests during that time that made me uncomfortable—including an invitation to a Facebook Live event by the editors of the paper that first broke the original story that spurred us into action. A few folks reached out to me from various activist groups and law firms, including the ACLU.
The funding ensured the library stayed afloat for the next six months while they negotiated a new contract with the city, thus ending the saga for several years.
The last time I checked, the mayor of Ridgeland, Mississippi still had me illegally blocked on Twitter.
Unfortunately, the Republican Party’s attack on libraries continues. EveryLibrary has the most up-to-date information for anyone that wants to engage in a bit of activism. Tell them I sent you.
And Then, Silence
Most of the things I ever wrote were met by a collective shrug from the Internet.

Art: CMYKat
I don’t think the lack of attention necessarily reflects a poorer quality in my writing.
Some topics just aren’t interesting for most people to read about, so they will naturally get lower traffic than other topics. Sometimes, even if a blog post gets a modest amount of traffic, no one feels the need to chime in and say anything about it, and thus the radio silence continues.
The only thing I do worry about here is that a lot of people who listened to my suggestion to start their own furry blogs will encounter this phenomenon themselves, and might become discouraged by it.
It’s difficult to know for sure why people aren’t interested in a given piece of writing. There are a lot of factors at play for content discovery and popularity on social media and content aggregators (especially if you have very few data points to work with).
I’ve published 170 blog posts in five years—which means an average of 34 posts per year, or about 1 post every 11 days.
I can usually tell when a particular post will generate any amount of buzz or not (and almost never be surprised). Most of them will not. For example, this one is extremely unlikely to make the top of Hacker News. Conversely, when I get around to finish writing about key management, that one might.
It’s not a bad thing that most of my writing isn’t resonant with the Internet at large. Sometimes I go out on a limb to express something subtle and it gets woefully misinterpreted (for example).
Of course, no amount of being insignificant will stop the AI slop machines from knowing who I am:


Greatest Hits (First Five Years)
At the risk of being too self-congratulatory, here are the best things I wrote from April 21, 2020 to April 20, 2025.
- Furward Momentum
Starting a tech career from zero. That is: Zero education, zero experience, and as close to zero dollars as you can get it.
Nearly a dozen people have confided in me that they were able to change careers because of this guide. When I wrote it, I’d hoped to be able to help at least one person. I consider this my most impactful writing, due to how much it exceeded my hopes.
- That One Time Furries Saved A Library
The story of how furries and tech workers rallied on Twitter (back when it was Twitter) to donate enough money to save a library from a homophobic mayor. I mentioned it already in this recap blog post. This one’s in an unfortunate state of disrepair due to the reliance on Twitter posts. I may one day go back and populate it with screenshots / archived snapshots instead.
I received the Good Furry Award for spearheading this. I can’t easily quantify the positive impact from our actions, as it reached far beyond preventing a library from losing its state contracts and librarians from losing their jobs.
- Return To Office Is Bullshit And Everyone Knows It
I quit my big tech company job in 2023, because I was given an ultimatum to either relocate or be terminated—despite being hired as a remote employee before the COVID-19 pandemic (and a top-tier performer well on track for a promotion). After the dust settled, I wrote a raw and honest blog post about how I felt about the whole situation. It quickly became my most viewed blog post of all—including going semi-viral at my former employer.
Oops.
- Why AES-GCM Sucks
To be honest, this was mostly me venting about how irritating I find AES-GCM’s design—both the AES part, and the GCM part. Later, I wrote a follow-up about making the nonce longer while adhering to NIST’s requirements, which in turn was cited by a NIST call for comments. Before I wrote about my previous employer’s forced relocation ultimatum, this one was my most viewed blog post.

- Database Cryptography Fur the Rest of Us
An introduction to database cryptography. This was the most popular of the deep dive blog posts I wrote to make an entire sub-discipline of cryptography more accessible.
There are much more sophisticated techniques than I covered here. Don’t treat it as a definitive guide. But it is a great launch point into this topic—or so many cryptography folks tell me.
- What We Do in the /etc/shadow – Cryptography with Passwords
I am extremely proud of this pun. And that visual? *chef kiss* Oh, yeah, I guess the content is pretty alright too. Want to learn about password-based cryptography? This covers pretty much everything.
Later, I wrote a deeper yet narrower dive into disarming the bcrypt footguns and convinced WordPress to make the right call—which is now released in version 6.8.
- Reviewing the Cryptography Used By Signal
How can we be sure that the cryptography used by Signal, the private messaging app, is as good as infosec influencers claim? That’s easy: You can review the source code and the operational processes to keep the Signal developers honest.
This ended up being long enough to break into multiple pages; each focused on a different topic. To begin, I explain how I approach cryptography audits, and recommend some free (as in beer) tools to get started. My approach works well for me, but I have a lot of experience, so I also recommend some formal academic approaches, too.
- Guidance for Choosing an Elliptic Curve Signature Algorithm in 2022
After friend and fellow furry blogger Cendyne wrote A Deep Dive into Ed25519 Signatures, I ran wild with a tangential point that came to mind when I read their post. I also re-examined the SafeCurves criteria and found many of them were rendered obsolete by subsequent researchers—and the remaining ones weren’t absolutely essential for security.
- Understanding HKDF
The HKDF API was not designed (or, I guess, named) in a way that lends perfectly to developer ergonomics. Specifically, developers are extremely likely to misunderstand the purpose of the salt and the info parameters.
This one was cited by the PyCA documentation for their HKDF implementation.
- Comparison of Symmetric Encryption Methods
Exactly what it says on the tin. Curious about how to evaluate AES-CBC vs AES-CTR mode, from the perspective of someone whose profession involves implementing and breaking cryptography? Look no further.
(Please don’t design your own block cipher modes.)
- Several encrypted messaging app blog posts.
I criticized a lot of the “encrypted” or “private” messaging apps that security LARPers like to recommend instead of Signal. The linked page is an index that collects all of them in one place. Oh, and I published a few vulnerabilities along the way. Some were 0day.

- Commission Prices For Furries and Artists
Artists: You do not charge enough for your work. But don’t feel too bad; almost everyone makes this mistake.
This blog post offers the most basic freelancer advice possible, but inexplicably somehow occasionally draws hate comments to my inbox from clods that would prefer to see the walmartification of the furry fandom than their favorite artists being able to thrive in their profession.
- How To Learn Cryptography As a Programmer
A lot of my regular readers work in tech—usually with a job title that’s some variant of “admin”, “developer”, “ops”, “engineer”, or “analyst”. This blog post explains how to go from there to becoming a cryptography expert, the hard way.
- Canonicalization Attacks Against MACs and Signatures
When you hear “canonicalization attack”, you probably think “length extension attack”, right? If you don’t know what either of those things are, definitely give this a read.
Otherwise, attacks are possible whenever you feed a multi-part message into a hash function for any vaguely authentication-shaped purpose.
- Against Web3 and Faux-Decentralization
I am famously not a fan of NFTs and the whole web3 grift.
- The Tech Industry Doesn’t Understand Consent
- Towards End-to-End Encryption for the Fediverse
After leaving Twitter (before it became X—named after Elon Musk’s relationship to his wife), I decided to plan a rollout of end-to-end encryption for the Fediverse. As of this writing, I have… a first draft for a specification for a special kind of ActivityPub directory that keeps track of identity <-> public key associations. It employs a technique called Key Transparency.
That was the most important 17 of the 170 blog posts I’ve published so far (albeit with all the messaging app critiques crammed into one list item).
For balance, some of my blog posts were real stinkers. I’m going to share some of these too (though not that many, since they’re not nearly as interesting as my best hits).
Worst Performers (First Five Years)
- My Furry Blog Has Lasted Longer Than the Confederacy
I put practically no thought into this one, so there’s no wonder it got practically zero attention. I scheduled it months ahead of time just to dunk on the biggest losers in 19th Century America, since my furry blog had lived longer than their political movement at that point.
As of this writing, it was only viewed 188 times (and several of those were probably me re-checking it for typos after it went live).
- World Dhole Day 2021
The Dhole Conservation Fund declared May 28 to be World Dhole Day every year. Given my fursona species, I thought I might help raise awareness for this non-profit conservation effort. Dholes are endangered, after all.
Unfortunately, it was only viewed 236 times as of this writing.
- A Few Missing Lessons from American Education
Some thoughts about how education, ignorance, and incentives shape the social fabric we all live within, and how the public school system fails to provide some insights that feel essential. I honestly forgot I published this one, so I totally forgive everyone for passing on it when I tweeted it years ago.
- A Canned Response to My Viral Tweet
I wrote a short rant (albeit in the style of a lifehack thread on Twitter) about how Pinterest makes search engine results suck. It ended up going viral, but a lot of people kept replying with the same dumb hot takes, so I wrote this as a link I could copy/paste in reply to their replies—so as to not repeat myself.
Due to the limited utility of this one, it’s no surprise it had zero staying power.
- Don’t Forget to Brush Your Fur
Every once in a while, I write a core dump blog post. This is basically a loose collection of topics that I can’t find the time or energy to flesh out into a dedicated blog post.
This was the first one, and it has unsurprisingly gotten a big yawn from the Internet.
- Fraudulent Apps on the Google Play Store: COVID-19 Contact Tracing Edition
Not too much to say about this beyond the title.
- For Your Infurmation
Year 2021 recap blog post.
- Blowing Out the Candles on the Birthday Bound
This one is really niche, but extremely useful if you need to talk about the birthday bound. Unfortunately, only cryptographers and the people they talk to tend to care about the birthday bound, so it’s not exactly swimming in Google search traffic.
- Against Hierarchies
A political blog post that critiques the value of hierarchy.
- The Story So Fur
Year 2020 recap blog post.
Some of these are probably excellent data for a discussion about the importance of headlines that grab readers’ attention—or, more specifically, how these fail to do so.
On that note…
If you’re interested in other topics, I do make use of the tag and category features baked into WordPress.
For example, the Security Guidance tag lists every blog post with actionable security advice for a general audience, while the Vulnerability category is about software vulnerabilities (containing both disclosures and analysis of others’ work).
Looking Forward
We’ve had a lot of fun, and shared a lot of laughs, in the past five years.
Although I’ve spent the first quarter of 2025 slammed with work and conference travel, I’ve also been thinking a lot about everything I want to accomplish by 2030.
Open Source Cryptography Projects
I hope to have an update for the Federated Key Transparency project by the end of June. Namely, a reference implementation on GitHub. The SDKs (in multiple programming languages) should also be in development, but I can’t promise a lot of coverage up front.
Several W3C/ActivityPub folks are working on end-to-end encryption. We’ve chatted briefly, but there’s been no hard commitment to use my designs in their proposal. Even if we don’t end up working on the same exact project, I do plan to critique their designs. With any luck, we will be able to chat privately on Fedi, even if our instance operators don’t like it.
As part of that, I also plan to release a TypeScript implementation of MLS with support for X-Wing.
I also teased a proposal called AWOO to replace email with a protocol that is always end-to-end encrypted and doesn’t have a plaintext-compatible mode. I was hoping to bootstrap the identity key verification component to the Federated Key Transparency project. Anti-spam measures based on proof-of-work (as currently implemented in Anubis) are also going to be baked into the design.
Separately, I considered designing a system that’s like id.me that vends anonymous credentials that satisfy the age verification requirements. The response on Fediverse was moderately positive (though understandably nobody really wants the liability of storing people’s identity documents, and the legal/political problems are way more annoying). I’m in talks with several people that are interested in this space right now. If anything precipitates from this discussion, I probably won’t pick up the mantle of building it myself, but I will almost certainly have a lot to say about it.
For all of these projects, there will be no cryptocurrency component.
Dhole-icious Deep Dives
I’ve written a few deep dives in the past five years (database crypto, password crypto, reviewing libsignal), and each one made the top 10% list.
My next one has been on the backburner for almost two years. I intend to finish it this summer. It’s about key management, and there’s a lot to cover.
Beyond that, I have a few tentative ideas to cover in the coming years—mostly related to topics I’m actively learning today (e.g., zero-knowledge proofs). If I find anything interesting to say as I cover this ground, I may get this blog back on track to its original purpose (i.e., to document topics I’m actively learning).
Conference Talks?
I gave a keynote talk at the first Queer in Cryptography conference last month. In fursuit.

I don’t know when the recording will be available online, but the slides are available here.
Only time will tell if I find myself having something worth talking about at another professional conference.
Miscellaneous Musings
An astute reader might note that everything I listed above can be classified as work:
- Designing and implementing software
- Writing technical documentation accessible to a non-technical audience
- Giving talks at technical conferences
And, like, none of that is really “hobby” material, right?
So, in addition to all that, I plan to also squeeze in some fun projects here and there. Last year, I started experimenting with writing fiction stories for entertainment purposes.
I have some fun ideas I’d like to explore, and some of them may end up being interactive to some extent. (Probably more interactive than a visual novel, but less interactive than a full-blown indie video game, unless I suddenly come into a large budget.)
Maybe I’ll even take up drawing my own art, too?

I certainly have no illusions of holding a candle to the amazing art that the rest of the furry fandom produces on the regular, but it could be fun.
Here’s To Many More Years
I can’t say for sure what the immediate future looks like, but as long as I draw breath, I intend to have fun with life.
Thank you to everyone that takes the time to read my words, and then shares your own. Some of you have incredible insight, even if you don’t realize it’s anything special.
And especially thanks to everyone that treated me to a coffee over the past couple years.
Here’s hoping the 2030 recap is much more exciting.
