
We’re proud to reveal our LIFC 2025: Retro Arcade exclusive T-Shirt design, made by our Guest of Honour @cyanroll
The history of this blog might very well be a cautionary tail (sic) about scope creep.
Originally, I just wanted a place to write about things too long for Twitter (back when I was an avid Twitter poster).
I also figured, if nothing else, it would be a good place to write down the things I’m learning.
Before I had started this blog, I wrote a few posts on Medium. Today, the only Medium post that hasn’t already been discussed better here is one about coordinated inauthentic behavior.
Several months before I started Dhole Moments, I got really tired of Medium constantly pressuring me to monetize.
Thus, early in the COVID-19 pandemic, I started to look elsewhere.
I decided to resist the developer urge to engineer a platform from scratch and settled on just writing stuff on WordPress. However, I didn’t really want to deal with self-hosting either, so I settled for a WordPress.com-hosted blog.
If I had succumbed to this urge, instead of writing substantive posts, I’d still be tweaking the custom CMS platform for an empty blog that no one reads.
WordPress.com isn’t nearly as annoying or intrusive as Medium, but some nudges to monetize were still present in the dashboard.
It does, of course, have other annoyances.
If you ever wondered why I make such a big stink about avoiding advertising or marketing with my blog (and why I resent being accused of being paid to any product or service), know that the rejection of advertising money was part of the very inception of this blog for me.
Resistance to advertising and paywalls is baked in.
This original vision lasted exactly one day, because I wrote a rebuttal to misinformation about a source code leak allegedly being used to assist computer hackers the following day, which ended up cited by an article by The Register.
Less than a week later, I’d found that Twitter failed to enforce the length restriction server-side on their Gender field (despite a client-side restriction).
I did try to correct course a little bit by writing about fun observations about hash functions, but then immediately proceeded to document fraudulent COVID-19 contact tracing apps on the Google Play Store.
By the time I got around to penning Why AES-GCM Sucks (which is one of my most heavily read posts), I realized I accidentally created something other people found useful.
Despite writing stuff for free, and not even forcing anyone to view advertisements, a handful of strangers complained incessantly about my inclusion of furry art on my furry blog, because they felt self-conscious showing my writing to their boss.
Meanwhile, I’ve taken fursuit selfies at professional infosec and cryptography conferences.
There’s an old saying: “Those who mind don’t matter, and those who matter don’t mind.”
The actual luminaries of software security and cryptography quite simply do not give a fuck.
That is to say: They don’t have any of the same hang-ups about my blog’s furry art (or even being openly gay) that some commentators fear from their bosses and/or peers.
In 2022, I rallied a bunch of folks to raise money for a library whose funding was at risk by a homophobic mayor upset over LGBTQ+ books (and books from queer authors) on display. The story made Pink News, Vice, and the Clarion Ledger.
I ended up turning down a few interview requests during that time that made me uncomfortable–including an invitation to a Facebook Live event by the editors of the paper that first broke the original story that spurred us into action. A few folks reached out to me from various activist groups and law firms, including the ACLU.
The funding ensured the library stayed afloat for the next six months while they negotiated a new contract with the city, thus ending the saga for several years.
The last time I checked, the mayor of Ridgeland, Mississippi still had me illegally blocked on Twitter.
Unfortunately, the Republican Party’s attack on libraries continues. EveryLibrary has the most up-to-date information for anyone that wants to engage in a bit of activism. Tell them I sent you.
Most of the things I ever wrote were met by a collective shrug from the Internet.
Art: CMYKat
I don’t think the lack of attention necessarily reflects a poorer quality in my writing.
Some topics just aren’t interesting for most people to read about, so they will naturally get lower traffic than other topics. Sometimes, even if a blog post gets a modest amount of traffic, no one feels the need to chime in and say anything about it, and thus the radio silence continues.
The only thing I do worry about here is that a lot of people who listened to my suggestion to start their own furry blogs will encounter this phenomenon themselves, and might become discouraged by it.
It’s difficult to know for sure why people aren’t interested in a given piece of writing. There are a lot of factors at play for content discovery and popularity on social media and content aggregators (especially if you have very few data points to work with).
I’ve published 170 blog posts in five years–which means an average of 34 posts per year, or about 1 post every 11 days.
I can usually tell whether a particular post will generate any amount of buzz or not (and am almost never surprised). Most of them will not. For example, this one is extremely unlikely to make the top of Hacker News. Conversely, when I get around to finishing writing about key management, that one might.
It’s not a bad thing that most of my writing isn’t resonant with the Internet at large. Sometimes I go out on a limb to express something subtle and it gets woefully misinterpreted (for example).
Of course, no amount of being insignificant will stop the AI slop machines from knowing who I am:
At the risk of being too self-congratulatory, here are the best things I wrote from April 21, 2020 to April 20, 2025.
That is: Zero education, zero experience, and as close to zero dollars as you can get it.
Nearly a dozen people have confided in me that they were able to change careers because of this guide. When I wrote it, I’d hoped to be able to help at least one person. I consider this my most impactful writing, due to how much it exceeded my hopes.
This one’s in an unfortunate state of disrepair due to the reliance on Twitter posts. I may one day go back and populate it with screenshots / archived snapshots instead.
I received the Good Furry Award for spearheading this. I can’t easily quantify the positive impact from our actions, as it reached far beyond preventing a library from losing its state contracts and librarians from losing their jobs.
After the dust settled, I wrote a raw and honest blog post about how I felt about the whole situation. It quickly became my most viewed blog post of all–including going semi-viral at my former employer.
Oops.
Before I wrote about my previous employer’s forced relocation ultimatum, this one was my most viewed blog post.
This was the most popular of the deep dive blog posts I wrote to make an entire sub-discipline of cryptography more accessible.
There are much more sophisticated techniques than I covered here. Don’t treat it as a definitive guide. But it is a great launch point into this topic–or so many cryptography folks tell me.
Oh, yeah, I guess the content is pretty alright too. Want to learn about password-based cryptography? This covers pretty much everything.
Later, I wrote a deeper yet narrower dive into disarming the bcrypt footguns and convinced WordPress to make the right call–which is now released in version 6.8.
That’s easy: You can review the source code and the operational processes to keep the Signal developers honest.
This ended up being long enough to break into multiple pages; each focused on a different topic. To begin, I explain how I approach cryptography audits, and recommend some free (as in beer) tools to get started. My approach works well for me, but I have a lot of experience, so I also recommend some formal academic approaches, too.
I also re-examined the SafeCurves criteria and found many of them were rendered obsolete by subsequent researchers–and the remaining ones weren’t absolutely essential for security.
Specifically, developers are extremely likely to misunderstand the purpose of the salt and the info parameters.
This one was cited by the PyCA documentation for their HKDF implementation.
Curious about how to evaluate AES-CBC vs AES-CTR mode, from the perspective of someone whose profession involves implementing and breaking cryptography? Look no further.
(Please don’t design your own block cipher modes.)
Oh, and I published a few vulnerabilities along the way. Some were 0day.
But don’t feel too bad; almost everyone makes this mistake.
This blog post offers the most basic freelancer advice possible, but inexplicably somehow occasionally draws hate comments to my inbox from clods that would prefer to see the walmartification of the furry fandom than their favorite artists being able to thrive in their profession.
This blog post explains how to go from there to becoming a cryptography expert, the hard way.
If you don’t know what either of those things are, definitely give this a read.
Otherwise, attacks are possible whenever you feed a multi-part message into a hash function for any vaguely authentication-shaped purpose.
As of this writing, I have… a first draft for a specification for a special kind of ActivityPub directory that keeps track of identity <-> public key associations. It employs a technique called Key Transparency.
That was the most important 17 of the 170 blog posts I’ve published so far (albeit with all the messaging app critiques crammed into one list item).
For balance, some of my blog posts were real stinkers. I’m going to share some of these too (though not that many, since they’re not nearly as interesting as my best hits).
I scheduled it months ahead of time just to dunk on the biggest losers in 19th Century America, since my furry blog had lived longer than their political movement at that point.
As of this writing, it was only viewed 188 times (and several of those were probably me re-checking it for typos after it went live).
Given my fursona species, I thought I might help raise awareness for this non-profit conservation effort. Dholes are endangered, after all.
Unfortunately, it was only viewed 236 times as of this writing.
I honestly forgot I published this one, so I totally forgive everyone for passing on it when I tweeted it years ago.
It ended up going viral, but a lot of people kept replying with the same dumb hot takes, so I wrote this as a link I could copy/paste in reply to their replies–so as to not repeat myself.
Due to the limited utility of this one, it’s no surprise it had zero staying power.
This is basically a loose collection of topics that I can’t find the time or energy to flesh out into a dedicated blog post.
This was the first one, and it has unsurprisingly gotten a big yawn from the Internet.
Unfortunately, only cryptographers and the people they talk to tend to care about the birthday bound, so it’s not exactly swimming in Google search traffic.
Some of these are probably excellent data for a discussion about the importance of headlines that grab readers’ attention–or, more specifically, how these fail to do so.
If you’re interested in other topics, I do make use of the tag and category features baked into WordPress.
For example, the Security Guidance tag lists every blog post with actionable security advice for a general audience, while the Vulnerability category is about software vulnerabilities (containing both disclosures and analysis of others’ work).
We’ve had a lot of fun, and shared a lot of laughs, in the past five years.
Although I’ve spent the first quarter of 2025 slammed with work and conference travel, I’ve also been thinking a lot about everything I want to accomplish by 2030.
I hope to have an update for the Federated Key Transparency project by the end of June. Namely, a reference implementation on GitHub. The SDKs (in multiple programming languages) should also be in development, but I can’t promise a lot of coverage up front.
Several W3C/ActivityPub folks are working on end-to-end encryption. We’ve chatted briefly, but there’s been no hard commitment to use my designs in their proposal. Even if we don’t end up working on the same exact project, I do plan to critique their designs. With any luck, we will be able to chat privately on Fedi, even if our instance operators don’t like it.
As part of that, I also plan to release a TypeScript implementation of MLS with support for X-Wing.
I also teased a proposal called AWOO to replace email with a protocol that is always end-to-end encrypted and doesn’t have a plaintext-compatible mode. I was hoping to bootstrap the identity key verification component to the Federated Key Transparency project. Anti-spam measures based on proof-of-work (as currently implemented in Anubis) are also going to be baked into the design.
Separately, I considered designing a system that’s like id.me that vends anonymous credentials that satisfy the age verification requirements. The response on Fediverse was moderately positive (though understandably nobody really wants the liability of storing people’s identity documents, and the legal/political problems are way more annoying). I’m in talks with several people that are interested in this space right now. If anything precipitates from this discussion, I probably won’t pick up the mantle of building it myself, but I will almost certainly have a lot to say about it.
For all of these projects, there will be no cryptocurrency component.
I’ve written a few deep dives in the past five years (database crypto, password crypto, reviewing libsignal), and each one made the top 10% list.
My next one has been on the backburner for almost two years. I intend to finish it this summer. It’s about key management, and there’s a lot to cover.
Beyond that, I have a few tentative ideas to cover in the coming years–mostly related to topics I’m actively learning today (e.g., zero-knowledge proofs). If I find anything interesting to say as I cover this ground, I may get this blog back on track to its original purpose (i.e., to document topics I’m actively learning).
I gave a keynote talk at the first Queer in Cryptography conference last month. In fursuit.
I don’t know when the recording will be available online, but the slides are available here.
Only time will tell if I find myself having something worth talking about at another professional conference.
An astute reader might note that everything I listed above can be classified as work:
And, like, none of that is really “hobby” material, right?
So, in addition to all that, I plan to also squeeze in some fun projects here and there. Last year, I started experimenting with writing fiction stories for entertainment purposes.
I have some fun ideas I’d like to explore, and some of them may end up being interactive to some extent. (Probably more interactive than a visual novel, but less interactive than a full-blown indie video game, unless I suddenly come into a large budget.)
Maybe I’ll even take up drawing my own art, too?
I certainly have no illusions of holding a candle to the amazing art that the rest of the furry fandom produces on the regular, but it could be fun.
I can’t say for sure what the immediate future looks like, but as long as I draw breath, I intend to have fun with life.
Thank you to everyone that takes the time to read my words, and then shares your own. Some of you have incredible insight, even if you don’t realize it’s anything special.
And especially thanks to everyone that treated me to a coffee over the past couple years.
Here’s hoping the 2030 recap is much more exciting.
Hear ye, hear ye! FurGIV would like to announce that the theme for FurGIV 2025 has been approved by Lam and the team themselves!
With its root as a Vietnamese furry event, one of our goals is to bring the beauty and culture of Vietnamese people to others. And what would be more aligned with it than our distinctive urban street culture?
A motorbike, a helmet, some loose change in your pockets, and a friend or two sipping on a cold cup of coffee on a bustling sidewalk are enough for many to feel the distinct charm of our beautiful country.
So why not join us for another wonderful time at Hanoi in September this year?
The event will take place on September 20, 2025.
Location: Complex 01 Hanoi – 29/31/167 Tay Son street, Quang Trung ward, Dong Da district, Ha Noi.
Follow FurGIV on our social media pages to keep yourself up to date on the latest
Forget about bad grades this back-to-school season! At Pawercon, we believe in making a difference and are proud to announce Burrolandia as this year's charity. Donkeys have never been so recognized!
Burrolandia is a donkey sanctuary located in Otumba, the birthplace of the donkey! Since 2006, it has dedicated its important work to the rescue, protection, and preservation of donkeys in Mexico.
Stay tuned for our upcoming posts to learn how you can help Burrolandia continue its incredible work!