As you may have seen elsewhere, I’m joining AspirePress as a security advisor and project contributor. As I write this, tensions are running high in the WordPress community after Matt Mullenweg hijacked ACF. The fallout for Automattic’s behavior is felt by the rest of the community: anxiety, cancelled contracts with prospective clients, and an unclear […]| Semantically Secure
Previously, I wrote about how code-signing and threshold signatures could allow the WordPress community (whether they continue to support WordPress or decide to hard-fork the project onto something else) to mitigate the risk of another Mullenweg tantrum (which are in surplus this season) leading to another successful violation of community trust. One reason why the […]
As I write this, the most recent big move by Matt Mullenweg in his ongoing dispute with WP Engine was to abuse his position to seize control of a WP Engine owned plugin, justifying this act with a …
Musing about Password-Based Cryptography for the Government What would a modern NIST standard for password-based cryptography look like? Obviously, we have PBKDF2–which, if used with a FIPS-a…
Heads up: This is a blog post about applied cryptography, with a focus on web and cloud applications that encrypt data at rest in a database or filesystem. While the lessons can be broadly a…
If you’ve never heard of NIST SP 800-108 before, or NIST Special Publications in general, here’s a quick primer: Special Publications are a type of publication issued by NIST. Specifica…
Here’s a “fun” challenge: Try to articulate valid criticism of some bullshit artist business executive high in the org chart that has no real technical chops, which unfortunately …
I didn’t want to add my voice to the cacophony of hot takes about the xz backdoor incident because I’m sure many people are already sick of hearing about it. However, there is something…
In June 2023, Amazon Web Services launched a developer preview of the new Database Encryption SDK in Java for DynamoDB (DB-ESDK for short). The DB-ESDK is the successor to the DynamoDB Encryption C…
I am famously not a fan of JSON Web Tokens (JWT). Like most cryptography and security experts familiar with JWT, I would much rather you use something else if you can. I even proposed a secure alte…
This isn’t (necessarily) a security vulnerability; merely an observation that I don’t think has been articulated adequately within the cryptography community. I thought it would be wort…