Simon Fell's Avatar

Simon Fell

@superfell.bsky.social

https://github.com/superfell https://hachyderm.io/@superfell

15 Followers  |  13 Following  |  3 Posts  |  Joined: 06.06.2025  |  1.547

Latest posts by superfell.bsky.social on Bluesky

Preview
X is now offering me end-to-end encrypted chat โ€” you probably shouldn't trust it yet | TechCrunch X's new encrypted messaging feature, XChat, has some red flags.

techcrunch.com/2025/09/05/x... shouldn't surprise anyone but quotes me so it's obviously good

05.09.2025 16:53 โ€” ๐Ÿ‘ 20    ๐Ÿ” 4    ๐Ÿ’ฌ 0    ๐Ÿ“Œ 0
2 images from hackers as characters converse. "I've got a record. I was Zero Cool." "Zero Cool crashed 1.507 systems in one day, biggest crash in history. Front page New York Times August 10, 1988"

2 images from hackers as characters converse. "I've got a record. I was Zero Cool." "Zero Cool crashed 1.507 systems in one day, biggest crash in history. Front page New York Times August 10, 1988"

Never forget today, when, on this day in 1988, Zero Cool crashed 1,507 systems in one day.

10.08.2025 15:28 โ€” ๐Ÿ‘ 1007    ๐Ÿ” 378    ๐Ÿ’ฌ 9    ๐Ÿ“Œ 47
Preview
Acclaimed Colorado sci-fi author: Future stupider than I imagined Paonia writer Paolo Bacigalupi reflects on 10 years since the publication of his climate thriller โ€œThe Water Knife.โ€

For once, a very good headline, and of course @paolobacigalupi.bsky.social is not wrong here

www.cpr.org/2025/07/12/i...

13.07.2025 17:05 โ€” ๐Ÿ‘ 1130    ๐Ÿ” 176    ๐Ÿ’ฌ 30    ๐Ÿ“Œ 9

So yesterday on X someone from X engineering tweeted at me that X does, in fact, use HSMs and the key ceremonies are โ€œcoming soon.โ€ Iโ€™ve updated the post but Iโ€™ll be honest this whole thing doesnโ€™t fill me with good feelings.

10.06.2025 13:29 โ€” ๐Ÿ‘ 21    ๐Ÿ” 1    ๐Ÿ’ฌ 5    ๐Ÿ“Œ 0

Regardless of how good or bad their Juicebox deployment is, at the end of the day, the client code has access to the unencrypted text and/or private key and can do whatever it wants with it.

10.06.2025 15:39 โ€” ๐Ÿ‘ 0    ๐Ÿ” 0    ๐Ÿ’ฌ 1    ๐Ÿ“Œ 0

And as you mention without an independently verified key ceremony, there's no way to know if the realm is running on commodity hardware, a poorly configured HSM that can leak keys, or a correctly configured HSM.

09.06.2025 21:27 โ€” ๐Ÿ‘ 3    ๐Ÿ” 0    ๐Ÿ’ฌ 1    ๐Ÿ“Œ 0
Preview
A bit more on Twitter/Xโ€™s new encrypted messaging Matthew Garrett has a nice post about Twitter (uh, X)โ€™s new end-to-end encryption messaging protocol, which is now called XChat. The TL;DR of Matthewโ€™s post is that from a cryptographicโ€ฆ

I wrote a bit more about Xโ€™s new encrypted DMs and the Juicebox protocol. blog.cryptographyengineering.com/2025/06/09/a...

09.06.2025 18:46 โ€” ๐Ÿ‘ 71    ๐Ÿ” 27    ๐Ÿ’ฌ 6    ๐Ÿ“Œ 0

Juicebox had 2 realms running on real entrust HSMs managing billions of (test) keys. The impl is complete. That said Iโ€™m not aware of any deployments of it outside the ones Juicebox ran.

09.06.2025 20:00 โ€” ๐Ÿ‘ 5    ๐Ÿ” 1    ๐Ÿ’ฌ 1    ๐Ÿ“Œ 0
Preview
Donโ€™t Put All Your Juice in One Box At Juicebox, we believe key recovery should be secure, user friendly, and actuallyโ€ฆ work. That means it has to be more than cryptographic theater. It has to reflect the real world, where systems get h...

If your DMs are โ€œencryptedโ€ but one org holds all the keys, you havenโ€™t distributed trust โ€“ youโ€™ve built a backdoor.

Juicebox only works when boundaries are real. Separation isnโ€™t optional.

Replication != distribution.

06.06.2025 13:43 โ€” ๐Ÿ‘ 72    ๐Ÿ” 19    ๐Ÿ’ฌ 0    ๐Ÿ“Œ 3

@superfell is following 13 prominent accounts