Search
Items tagged with: toxicity
The year 2021 has taught us, if nothing else, that we can be sure that lies, misinformation, and bullshit are post-scarce resources in modern society.
In such an information economy, it should come as no surprise–yet an abundance of disappointment–that ideas like the “Sigma Male” even exist.
What is a Sigma Male?
I’m not going to mince words.
https://twitter.com/LilySimpson1312/status/1353674278722392066
“Sigma Male” is a ploy to recruit insecure young men into the same involuntary celibate (incel) / anti-feminist / pick-up artist trifecta that’s been making the Internet a worse place for everyone since at least 2005, and an evolution of the widely debunked “alpha male” myth.
https://www.youtube.com/watch?v=YTyQgwVvYyc
Trust me on this one, guys: I’m a gay furry. The whole alpha/beta dynamic gets referenced a lot by neophytes to furry/kink culture. Sometimes we entertain it as harmless fun, but practically no one (especially with a canid fursona) takes it remotely seriously.
Why is This Even a Thing?
(Art by Swizz.)
Let me tell you what’s really going on here:
When the career date-rapists and grifters behind the pick-up artist and “alpha male” circle-jerk realized that their audience was becoming disillusioned by the fact that their attempts to act “more alpha” was not resulting in healthy sexual or romantic relationships with women, they decided to invent a totally new concept–divorced of any psychological basis, of course–in order to keep their audience faithful to their bullshit and ensnare additional desperate, insecure young men.
Since trying to act “more alpha” just makes most people total jerks, which results in women running away as fast as they can, they decided to invent a more-hipster alternative for the failures in their revenue base to aspire to: One of silent edginess and marked by deliberate rejection of social structures. Since nothing comes before alpha in Greek, but video game culture places S-Rank above A-Rank, they decided to opt for the label “Sigma”.
Naturally, this results in a litany of book deals, YouTube videos, and public relations to sell their audience the idea that achieving this fictional aspiration is “what women really want”. The proposition here is, “If you know what women really want, you can get what you really want from them.” (i.e. sexual gratification).
It’s not just gross. It’s also a kind of exploitative that begets more exploitative behavior.
The same crowd that invented “Sigma Male” also conceived “negging”.
Here’s an actual list of “qualities” ascribed to a so-called Sigma Male, according to one of the peddlers of this moronic belief, only rearranged to emphasize the contradictions and meaninglessness of this description:
“SIgma Males” are… | …but also apparently…? |
---|---|
10. He’s Incredibly Self-Aware | 14. He Can’t Be Told What To Do When It Comes To Anything |
13. He Could Be an Alpha If He Wanted | 4. He Treats Everyone Around Him The Same Way |
2. He Is a Silent Leader | 9. His Social Skills Could Use Some Work |
6. He Understands the Importance of Silence | 12. It’s Hard To Understand Him |
1. He Loves Being Alone, But He Values Other People | 3. He Knows How To Adapt To Different Situations |
11. He’s the Master of His Own Fate | 8. He Hates Living Life Safely |
5. He Doesn’t Need a Social Circle To Be Himself | 7. He’s Morally Grey, Or Worse |
A lot of words could be written about these contradictory or vacuous statements.
How can you be a leader with inadequate social skills? If he really understands the importance of silence, why is it hard to understand him? Sure sounds like he’s misusing silence to me. Who isn’t a master of their own destiny? Who does need a social circle to be themselves?
The “Sigma Male” con is what happens if you take the tactics of cold reading and apply them in reverse:
Instead of starting general and drilling down to more specific based on your audience’s response, you start specific (“rarest type of male”) and then generalize the definition to become completely meaningless while also maximizing the relatability of the label to catch unaware rubes off-guard.
Just say no to bullshit.
(Art by Khia.)
While we’re on the subject of some of the sleaziest pieces of shit to ever walk the earth, let’s examine some more crimes against culture by these self-aggrandizing embarrassments to the male gender.
The “Friend Zone”
If you want to doom someone to a lifetime of unhealthy relationships, convince them that there’s this tragic place called the “Friend Zone” wherein, if someone you’re attracted to views you as a “friend”, you’re doomed to never have sexual relations with them.
If you’ll notice, I omitted gender in the previous paragraph. This one is so pernicious that I occasionally encounter it in the LGBT community.
For adherents to this particular cognitive distortion, relationships exist in a linear hierarchy:
- Spouse–You want to be here
- Significant Other
- Friends with Benefits / Sexual Partner
- Friend (Platonic)–You don’t want to be here
- Acquaintance
- Stranger
Friendship isn’t valued on its own merits. Instead, it’s a stepping stone; a mere transitional fossil between where you are and where you want things to be. I’ve talked about this before.
When someone adheres to this belief, it shapes the way they interact with people they’re attracted to, and often creates a negative feedback loop. This in turn gives rise to the incel (involuntary celibate) mentality–except now, it’s almost always by men against women.
Failure to become an “alpha” leaves you delegated as a “beta”–or worse, a “cuck”.
Let’s put a pin on that point for a moment.
Interlude: On the Modern Usage of the Word “Cuck”
Right-wingers love to use the word “cuck” to describe someone they dislike.
It became a meme during the 2016 Election in the United States, with some labels (“cuckservative”) being used to demonize Republicans who weren’t reactionary enough.
The origins of the insult began with a term for a sexual fetish called cuckoldry: The enjoyment of watching other people have sex with your significant other.
Most bloggers treat this as a clinical subject and stop there. I am not most bloggers.
An under-reported and unfortunate truth of cuckold fetishists is that there’s often a significant racial component to their fantasy: White couples almost always seek out a black man to be the “bull” (the person whom displaces the cuckold) of the scene. (This is as much a problem within the LGBT community as it is outside of it.)
If you thought the depraved minds of 4chan users wouldn’t pick up on this cue, you haven’t been paying attention to the Internet since 2007.
The insult “cuck” has less to do with the fetish, tangibly, than it does to do with a white supremacist worldview.
To white supremacists, white women are the “property” of white men, and any man who “allows” white women to have sex with a person of color is a cuck.
Thus, there are two kinds of people who use the word “cuck”: Those who know its intent and mean it, and the oblivious masses who mask the dog-whistle. Propagandists call the latter useful idiots.
https://twitter.com/katienotopoulos/status/814635817650028545
In Want of Money and Power
If you want to find the truth behind a person’s actions, you need to first discover their incentives. This is the “follow the money” approach, but generalized: Some people don’t need money, they want power. Political power, specifically.
It should come as no surprise that pick-up artists, anti-feminists, and incels all subscribe vehemently to the “friend zone” mythos. Additionally, incels, in particular, are prone to self-loathing and projection around the “cuck” insult.
This ultimately leads to a very dark place.
The Fascist Event Horizon
Most of us, in our youth, are varying degrees of socially awkward. This leads to anxiety, insecurity, and a sense of listlessness in most young adults.
Typically, we grow out of this by building relationships, learning through a litany of easily avoidable mistakes, and acquire the understanding we lack.
Pick-up artists prey on the rest of us, convincing them that the reason they don’t have a fulfilling sex life is because they’re not adhering to some aggressive social stereotype that gives them superpowers over women.
The ones that “succeed” go on to perpetuate that cycle. The ones that fail become self-loathing incels that stew in their own awkwardness and contempt.
It’s no secret that white nationalism courts Internet nerd culture.
Once you start to head down this path, you’re almost guaranteed to internalize a lot of the beliefs that are espoused:
- “Women want strong alpha males.”
- “Alpha males are dominant, assertive, adhere strongly to evangelical Christian values, and embody tradition.”
- “Women would rather sleep with a jerk than a nice guy.”
- “If you’re friend-zoned, that makes you a cuck to the girl you deserve.”
It’s here that two competing interests will clash.
Incentives Rule Everything Around Me
People who want money and influence are incentivized to find some mental framework that allows a diverse set of personality types to somehow succeed at their relationship goals. This is why they went on to invent the Sigma Male, and insist “they’re equal to alphas, but separate from the hierarchy”.
People who want political power and true believers to perform political violence and stochastic terrorism on their behalf are incentivized to set the bar high and make everyone feel inadequate.
That’s why, immediately after the end of Donald Trump’s presidency and a general shunning of his rabid supporters, the Sigma Male meme is suddenly on a rise in popularity.
Preventing the Poisonous Patriarchy
If you want to prevent a friend or family member from falling into the trappings of abusive con men, white nationalist recruiters, and toxic masculinity, there are a few things you can do to stop them from going down this road.
- Consent is sexy.
Establish good habits. “Yes means Yes” is a better framework than “No means No”, because it implies a negative default in the absence of a specific answer. There’s a lot of literature on BDSM culture and sex work that you can pull inspiration from. - Emphasize healthy friendships.
Fuck the hierarchy worldview; friends are amazing. Whatever it takes, make sure you can appreciate your friends for who they are, not what they might later become.
If you’re struggling to make friends, I recommend reading this article. - The only thing we have to cringe is cringe itself.
Fuck what other people think: If you’re having fun with an activity, who cares if it’s “cringe”? Authentic enjoyment becomes fleeting for many adults once you progress through puberty; and while I’m not sure if that’s nature or nurture, I do know that being shamelessly yourself at all times maximizes your enjoyment. - Abandon tradition, embrace modernity.
Tradition is stupid. It’s literally doing what people have always done because a better idea hasn’t yet come along–even when a better idea does come along!
Instead of relying on traditions, practice creative and imaginative thinking every chance you get. Step out of your comfort zone from time to time. Introspect and plan differently for the next time you’re in a similar situation. That’s how you grow as a person.
If you practiced all of the above and are still bewildered by “what women want” and worried you’ll be alone forever, here’s my final bit of advice: Ask them! Especially if you’re close enough friends that they’ll answer in earnest, because they know that you’re trustworthy and not trying to objectify them.
Literally nobody knows what a given woman is looking for in a partner more than she does. Anyone who claims otherwise is full of shit or dangerously manipulative.
If you ask 100 women what they want in a partner, you’ll get 100 different answers. Gender roles aren’t a symptom of a homogeneous population. People are people.
If anyone is truly your friend, they’re already emotionally invested in seeing you find someone that will make you happy. Trust them more than you’d trust me, or anyone who confidently claims to know “what women want” and then proceeds to totally misunderstand everything women say.
Additionally, everything I said above is also true of men and enbies. People are people, dammit!
(Art by Khia.)
What Do I Do if Someone Calls Themselves a “Sigma Male”?
Reply “Sigma balls“.
Ridicule might not adequately discourage participation (after all, the unscientific Myers-Brigg Type Indicator is still prevalent everywhere), but it’s cathartic.
https://twitter.com/M3rcaptan/status/1355665303540215817
Questions and Answers
Since I first published this article, I’ve received a lot of feedback. I’m going to attempt to respond to some of the questions I’ve received over the past few month in order to save everyone time asking the same questions.
(Art by Scruff.)
Is the Notion of a Sigma Male as Scam or Grift?
Yes! See above for details.
The goal of the “sigma male” idea is to capture more of the “desperate and lonely single man” market segment–in particular, the ones that don’t buy the whole “alpha male” shtick. It’s pure bullshit and it’s bad for you.
Is Sigma Male “Cringe”?
Cringe culture is stupid, but I’m willing to make an exception for the whole “sigma male” meme (but only insofar as we also treat “alpha male” with the same level of earned contempt).
Science has shown that biological sex is not binary. Furthermore, sex isn’t the same thing as gender identity, which can be different from your biological sex and has to do with your role within society. This is what science has to say about the subject; it’s not up for debate.
So, with all that in mind, why do the same crowds of people who insist that sex is binary and assigned at birth (in spite of what science actually suggests) turn around and invent multiple kinds of male that someone can be, only to then arrange them in an imaginary hierarchy?
That’s pretty cringe, bro.
(Art by Khia.)
Why Are You Falsely Equivocating PUAs and Incels?
I’m not, and you have to be acting in bad faith to think listing two groups together is the same as equivocating the two.
Both groups are the consequence of the same harmful and false beliefs about gender, sex, and masculinity. Their beliefs about women are disgusting and they prey on the insecurity of other men to secure book deals and speaking gigs.
Pick-up artists are predators that spread predatory ideas. Incels are the desperate dregs that don’t buy the PUA books but still internalize the same values, usually expressed through self-deprecation. These are clearly not the same thing, but both groups are the consequence of the same delusional bullshit rooted in anti-feminism.
Eww, a furry!
Wow, you sure got me there.
(Art by Khia.)
How will I ever recover from this startling revelation?
Sigmas are REAL! They’re the introverted version of the Alpha. Period.
Nope. Alpha Males aren’t a real thing either.
The person who coined the term “alpha male” in wolf populations spent the rest of their career trying to correct the misconception they accidentally created. I covered all of this in the blog post already.
The people who purport that “being alpha” is a meaningful descriptor of humans rather than incomplete software are either delusional or trying to pull one over on you.
The unproven hypothesis of “sigma male” is predicated on debunked pseudoscience. Why bother believing something whose entire foundation is false?
The science of personality (a discipline of psychology) is extremely complicated. The people peddling the [Greek Letter Here] Male are trying to sell you on the belief that masculinity is a hierarchy of tribes. It’s just as stupid as the Myers-Brigg Type Indicators.
(Art by Khia.)
If you want an actual model for personality based on real cognitive science, look at HEXACO. Notably, your personality scores do not yield a reliable partitioning (“Are you an T or a P?”) nor is a hierarchy proposed.
(Art by Khia.)
Anything that says your entire personality or existence can be summarized as belonging to one of N groups (with N less than 100), or by a ranking in an imaginary social ladder, is bullshit–pure and simple.
Note: The header for this section is from one of the many unapproved comments submitted to this blog post with a fake email address. Comments like this aren’t an expression of introverted personalities. The word you’re looking for is “cowardice”.
Why aren’t you approving my comments on this blog post?
Mandatory reading: My blog isn’t a platform for internet randos.
https://soatok.blog/2021/01/25/no-youre-not-a-sigma-male/
#alphaMale #cuck #Fascism #hateSpeech #Incels #PickupArtists #SigmaMale #Society #toxicity
I rarely think about the labels that describe me.That isn’t because of privilege (I spent many years painfully aware of them), but because my friends are incredibly supportive and we’ve been able to cultivate an environment where I’m not constantly reminded of why I don’t “belong”. (It took many grueling years to achieve that, and I’m still reminded of my weirdness if I leave home for any appreciable length of time. Fortunately, I’m a bit of a homebody.)
The majority of people don’t think about their labels either, but for privileged reasons, until a minority calls it to their attention. Then you get almost-comical indignant hot takes of the “don’t call me cis, that’s a slur!” variety.
At least, they would be comical if they weren’t so stupid and dangerous.
Identity
Identity is a funny thing. I actually find rather insulting the proposition that you can take the vast diversity of the lived experiences of billions of people and compress it into one bit of information.“Are you a YES or a NO?” “Are you X or Y?” “Are you good or evil?”
Labels are a lossy compression algorithm. They’re meant to simplify and convey ideas so they’re more broadly accessible and easily understood. In practice, people are overly reliant on them, and they become a crutch.
Sure, you can think of me as an androsexual, demisexual, cisgender male with a dhole fursona, but do most of us even know what that means?
Most of us just simplify our identities to, “I’m gay”. Art by LindseyVi.
Pride
Pride is a protest against unjust systems. Pride started with a riot in response to police violence and discrimination. You probably didn’t learn about Pride in great detail in history class (if at all).Pride parades in recent years have been co-opted by what some call “rainbow capitalism”.
I wish I knew the original source for this meme.
And this obviously feels really gross, but at the same time, it’s often somehow forgivable that companies use Pride Month (June) to show active support for their LGBTQIA+ employees. (If nothing else, it assures us that we won’t suddenly become unemployed if someone accuses us of falling in love with a person with the “wrong” phenotype, etc.)
There are currently a lot of hard conversations taking place about a different target of police violence and discrimination.
I hope that the protests happening today will result in the change our world needs, so that everyone can live equally without fear or shame for who they are.
This will almost certainly require dismantling racist systems and rebuilding them without the tainted legacy they originated from.
That being said, I’ve never really been fond of the emotion, pride. It feels inherently reckless to me. At the same time, I acknowledge it’s a great foil for the emotions that bigots want us to feel (fear, shame, despair, self-loathing, etc.). If that works for you, I’m happy. Keep on keeping on.
Rather than pride, I’ve always sought contentment and joy in my life.
Authenticity means a lot to me, and being fearlessly and shamelessly me is something I shouldn’t have to work for or feel proud about; nor should anyone else.
Contentment and joy… there used to be another word folks used to encapsulate that genre of emotion: Gay.
It always comes full-circle, doesn’t it?
A Dream To Seek
Art by Khia.Society has numerous institutions and systems that are designed and implemented to ensure discrimination and injustice against people who are different than their architects.
As long as bigoted institutions and systems exist, society will always need movements like Pride and Black Lives Matter to resist atrocity and inspire loud authenticity, in equal measure.
So it might sound odd to say without the above context, but as a strong proponent of human rights and equality, I dream of the day when these movements no longer need to exist; for the day when their job is done and we have moved past the specter of hate that continues to haunt each generation that survives its direct violent influence. I say this knowing that this day will probably never come (at least in my lifetime).
Until bigotry is abolished, and bigotry’s apologists recognize that they’re little more than asymptomatic carriers of that vile psychic pathogen, I will continue to strive to enable everyone I can reach to enjoy the same peace that my friends and I have built at home.
No matter your sex. No matter your gender. No matter the gender(s) you’re attracted to (if any). No matter your race or ethnicity.
The labels people use to describe us shouldn’t condemn anyone to a life of misery and injustice.
The day we cultivate a society that is absent of, and resistant to, the kind of hate and discrimination we’ve seen for centuries will be a day worthy of pride.
And the only way to get there is to acknowledge a simple truth: Black Lives have to Matter in order for the superset (“All Lives”) to Matter.
What Do Your Labels Mean?
This will probably be my only Pride Month post on this blog, so I suppose it makes sense to explain them.I’m a guy, who’s attracted to guys (thus, androsexual)… but I don’t exactly have a “type”. I have to genuinely like a person to find them attractive. That’s the demisexual part.
Most people understand being gay, conceptually. Asexuality might also click readily without a lot of exposition.
Being demi is weird: You spend a lot of time wondering if you’re asexual or not, until you actually develop feelings for someone else for the first time.
Cisgender just means “not transgender”; that is to say, I identify as the same gender I was assigned at birth.
If that’s helpful to know, cool. But you don’t have to think of me in those terms. I’m just Soatok.
https://soatok.blog/2020/06/09/pridemonth/
I get a lot of emails from job recruiters that, even to this day, I’m not qualified for. They often ask for ridiculous requirements, like a Master’s Degree or Ph.D in Computer Science, for what would otherwise be a standard programming job without any particular specializations (e.g. cryptography, which I happen to specialize in).
One time I humored one of these opportunities for a PHP Developer position and was immediately told over the phone that my number of years of experience with PHP was too low, because I didn’t start working with it in 1996 like the rockstar developers on their payroll, but that they’d call me back if they had any “junior” openings in the future. Given that I was born in 1989 and didn’t have access to a computer until about Christmas 1999, I won’t even begin to pretend this is a reasonable ask.
This was my actual reaction after I hung up. (Art by Khia.)
In a lot of ways, I have it easy. I have enough experience with software development and security research under my belt to basically ignore the requirements that HR puts on job listings and still get an interview with most companies. (If you want a sense of what this looks like, look no further than rawr-x3dh or my teardown of security issues in Zed Shaw’s SRP library… which are both things I did somewhat casually for this blog.)
The irony is, I’m probably deeply overqualified for the majority of the jobs that come across my inbox, and I still don’t meet the HR requirements for the roles, and the people who are actually a good fit for it don’t have the same privilege as me.
So if the rules are made up and the points don’t matter, why do companies bother with these pointlessly harrowing job requirements?
(Art by Khia.)
The answer is simple: They’re being toxic gatekeepers, and we’re all worse off for it.
https://twitter.com/IanColdwater/status/1357381321488621569
Toxic Gatekeeping
Gatekeeping is generally defined as “the activity of controlling, and usually limiting, general access to something” (source).
Gatekeeping doesn’t have to be toxic: Keeping children out of adult entertainment venues is certainly an example of gatekeeping, but it’s a damned good idea in that context.
In a similar vein, content moderation is a good thing, but necessarily involves some gatekeeping behaviors.
As with many things in life, toxicity is determined by the dose. I’ve previously posited that any group has a minimum gatekeeping threshold necessary for maintaining group identity (or in the example of keeping kids out of 18+ spaces, avoiding liability).
When the amount of gatekeeping exceeds the minimum, the excess is almost always toxic. To wit:
https://twitter.com/BlackDGamer1/status/1361352840980164609
Toxic Gatekeeping in Tech
The technology industry is filled with entry-level gatekeepers. Sometimes this behavior floats up in the org chart, but it’s most often concentrated at neophytes.
https://twitter.com/fancy_flare/status/1371568476331012101
In practice, toxic gatekeeping often employs arbitrary Purity Tests, stupid job requirements, and questionably legal hazing rituals. Conversations with toxic gatekeepers often–but not always–involve gratuitous use of No True Scotsman fallacies.
But what’s really happening here is actually sinister: Toxic gatekeepers in tech are people with internalized cognitive distortions that either affirm one’s sense of superiority or project their personal insecurities–if not both things.
This is almost always directed towards the end of excluding women, racial or religious minorities, LGBTQIA+ and neurodivergent people, and other vulnerable populations from the possibility at pursuing lucrative career prospects.
If you need a (rather poignant) example of the above, the gatekeeping behaviors against women in tech even apply to the forerunners of computer science:
https://twitter.com/gurlcode/status/1170664258197024768
If you’re still unconvinced, I have my own experiences I can tell you about; like that one time my blog’s domain was banned from the netsec subreddit because of other peoples’ toxicity.
That Time soatok.blog Was Banned from Reddit’s r/netsec Subreddit
Earlier this year, I thought I’d submit my post about encrypting directly with RSA being a bad idea to the network security subreddit–only to discover that my domain name had been banned from r/netsec.
https://twitter.com/SoatokDhole/status/1352140779586805760
Prior to this, I’d had some disagreements with other r/netsec moderators (i.e. @sanitybit, plus whoever answered my Reddit messages) about a lack of communication and transparency about their decisions, but there were no lingering issues.
A lot of the times when something I wrote ended up on their subreddit, I was not the person to submit it there. Usually this omission was intentional: If I didn’t submit it there, I didn’t feel it belonged on r/netsec (usually due to being insufficiently technical).
The comments I received were often hostile non sequitur about me being a furry. This general misconduct isn’t unique to r/netsec; I’ve received similar comments on my Lobste.rs submissions, which forced the sysop’s hand into telling people to stop being dumb and terrible.
https://twitter.com/SoatokDhole/status/1352142604406816771
The hostility was previously severe enough to get noticed by the r/SubredditDrama subreddit (and, despite what you might think of drama-oriented forums, most of the comments there were surprisingly non-shitty towards me or furries in general).
Quick aside: Being a furry isn’t the important bit of this anecdote; people face this kind of behavior for all sorts of reasons. In particular: transgender people face even shittier behavior at every level of society, and a lot of what they endure is much more subtle than the overt yet lazy bigotry lobbed my way.
So was my domain name banned by a r/netsec moderator because other people kept being shitty in the comments whenever someone submitted one of my blog posts there?
It turns out: Yes. This was later confirmed to me by a r/netsec moderator via Twitter DM.
r/netsec moderator @albinowax
I’ve cut out some irrelevant crap.
As I had said publicly on Twitter and reiterated in the DM conversation above: I had already decided I would not return to r/netsec in light of this rogue moderator’s misconduct.
Trust is a funny thing: It’s easy to lose and hard to gain. Once trust has been lost, it’s often impossible to recover it. Security professionals should understand this better than anyone else, given our tendency to deal with matters of risk and trust.
What Could They Have Done Better?
Several things! Many of which are really obvious!
- Communicating with me. If nothing else, they could have told me they were banning my domain name from their subreddit and given a reason why.
- Maybe there was some weird goal in mind?
(E.g. to stop people from submitting posts on my behalf, since I had made it clear that I’d intentionally not share stuff there if I didn’t think it belonged.) - I’ll never know, because nobody told me anything.
- Maybe there was some weird goal in mind?
- Communicating with each other. I mean, this is just a matter of showing respect to your fellow moderators. It’s astonishing that this didn’t happen.
- Taking steps to protect members of vulnerable populations from the kinds of shitheads that make Reddit a miserable experience.
- For example: If someone’s previously been a target of bigotry, have auto-moderator prune all comments not from the OP or Trusted Contributors–and if any TCs violate the mods’ trust, revoke their TC status.
Since then, I’ve been informed that they implemented my suggestion to prevent themselves from having to suffer through a bunch of negative vitriol.
Truthfully, I still haven’t decided if I want to give r/netsec another chance.
On the one paw: The moderators really burned a lot of trust with me and I expect security professionals to fucking know better.
On the other: Representation matters, and removing myself from their community gives the bigots that caused the trouble in the first place a Pyrrhic victory.
Neither choice sits well with me, for totally disparate reasons.
I wish I could put a happy ending on this tale, but life doesn’t work that way most of the time.
If you’re looking for non-toxic subreddits, r/crypto is always a pleasant community. I also contribute a lot to r/furrydiscuss.
When to Be a Gatekeeper
If someone is a threat to the safety or well-being of your group, you should exclude them from your group.
In the furry community, we had a person that owned a widely-used costume making business get outed for a lot of abusive actions. Their response was to try to file a SLAPP suit against some unrelated person that merely linked to the victims’ statements on Twitter.
https://twitter.com/qutens_/status/1357496129659707392
In these corner-case situations, be a gatekeeper!
But generally, it’s not warranted. Gatekeeping compounds systemic harms and makes it harder for newcomers to join a community or industry.
Gatekeeping hurts women. Gatekeeping hurts LGBTQIA+ folks. Gatekeeping hurts non-white people. Gatekeeping hurts the neurodivergent.
But if that’s not enough of a reason to avoid it: Gatekeeping hurts straight white males too!
Newcomers who aren’t narcissists almost always experience some degree of Impostor Syndrome. If you apply the gatekeeping behaviors we’ve discussed previously, you’re going to totally exacerbate the situation.
People will quit. People will burn out.
The only people who stand to gain anything from gatekeeping are the survivors who made it through the gate. If the survivors are insecure or arrogant, the vicious cycle continues.
So why don’t we simply…not perpetuate it?
There’s an old saying that’s popular in punk and anarchist circles: “No gods, no masters.” I think the correct attitude to have regarding gatekeeping is analogous to the spirit of this saying.
Without Gatekeeping, A Deluge?
Sometimes you’ll hear hiring manager defend the weird job requirements that HR departments shit out because every job posting gets flooded with hundreds of applicants. They insist that the incentives of this dynamic are to blame, rather than gatekeeping.
Unfortunately, we’re both right on this one. Economic forces and toxicity often synergize in the worst ways, and gatekeeping behaviors are no exception.
Hiring managers that are forced to sift through a deluge of applications to fill an opening will inevitably rely on their own subconscious biases to select “qualified” candidates (from a pool of people who are actually qualified for the job). Thus, they become gatekeepers moreso than the minimum amount their job requires. This is one reason why tech companies often only employ people that fit the same demographic.
Savvy tech companies will employ work-sample tests in the same way that musicians employ blind auditions to assess candidates, rather than relying on these subconscious biases to drive their decisions. Not all companies are savvy, and we all suffer for it.
Instead, what happens is that the candidates that endure the ritual of whiteboard hazing (which tests for anxiety rather than technical or cognitive ability) will in turn propagate the ritual for the next round of newcomers.
The same behaviors and incentives that maintain these unhealthy traditions overlap heavily with the people who will refuse to train or mentor their junior employees. This refusal isn’t just about frugality; it’s also in service of the ego. Maintaining their power within existing social hierarchies is something that toxic gatekeepers worry about a lot.
What About “Don’t Roll Your Own Crypto”?
There’s a fine line between reinforcing boundaries to maintain safety and inventing stupid rules or requirements for people to be allowed to participate in a community or industry. (Also, I’ve talked about this before.)
Rejection of gatekeeping isn’t the same as rejecting the concept of professional qualifications, and anyone who suggests otherwise isn’t being intellectually honest.
The excellent artwork used in the blog header was made by Wolfool.
https://soatok.blog/2021/03/04/no-gates-no-keepers/
#gatekeepers #gatekeeping #onlineAbuse #rNetsec #Reddit #Society #toxicity #Twitter
Let me say up front, I’m no stranger to negative or ridiculous feedback. It’s incredibly hard to hurt my feelings, especially if you intend to. You don’t openly participate in the furry fandom since 2010 without being accustomed to malevolence and trolling. If this were simply a story of someone being an asshole to me, I would have shrugged and moved on with my life.It’s important that you understand this, because when you call it like you see it, sometimes people dismiss your criticism with “triggered” memes. This isn’t me being offended. I promise.
My recent blog post about crackpot cryptography received a fair bit of attention in the software community. At one point it was on the front page of Hacker News (which is something that pretty much never happens for anything I write).
Unfortunately, that also means I crossed paths with Zed A. Shaw, the author of Learn Python the Hard Way and other books often recommended to neophyte software developers.
As someone who spends a lot of time trying to help newcomers acclimate to the technology industry, there are some behaviors I’ve recognized in technologists over the years that makes it harder for newcomers to overcome anxiety, frustration, and Impostor Syndrome. (Especially if they’re LGBTQIA+, a person of color, or a woman.)
Normally, these are easily correctable behaviors exhibited by people who have good intentions but don’t realize the harm they’re causing–often not by what they’re saying, but by how they say it.
Sadly, I can’t be so generous about… whatever this is:
https://twitter.com/lzsthw/status/1359659091782733827
Having never before encountered a living example of a poorly-written villain towards the work I do to help disadvantaged people thrive in technology careers, I sought to clarify Shaw’s intent.
https://twitter.com/lzsthw/status/1359673331960733696
https://twitter.com/lzsthw/status/1359673714607013905
This is effectively a very weird hybrid of an oddly-specific purity test and a form of hazing ritual.
Let’s step back for a second. Can you even fathom the damage attitudes like this can cause? I can tell you firsthand, because it happened to me.
Interlude: Amplified Impostor Syndrome
In the beginning of my career, I was just a humble web programmer. Due to a long story I don’t want to get into now, I was acquainted with the culture of black-hat hacking that precipitates the DEF CON community.In particular, I was exposed the writings of a malicious group called Zero For 0wned, which made sport of hunting “skiddiez” and preached a very “shut up and stay in your lane” attitude:
Geeks don’t really come to HOPE to be lectured on the application of something simple, with very simple means, by a 15 year old. A combination of all the above could be why your room wasn’t full. Not only was it fairly empty, but it emptied at a rapid rate. I could barely take a seat through the masses pushing me to escape. Then when I thought no more people could possibly leave, they kept going. The room was almost empty when I gave in and left also. Heck, I was only there because we pwned the very resources you were talking about.Zero For 0wned
My first security conference was B-Sides Orlando in 2013. Before the conference, I had been hanging out in the #hackucf IRC channel and had known about the event well in advance (and got along with all the organizers and most of the would-be attendees), and considered applying to their CFP.I ultimately didn’t, solely because I was worried about a ZF0-style reception.
I had no reference frame for other folks’ understanding of cryptography (which is my chosen area of discipline in infosec), and thought things like timing side-channels were “obvious”–even to software developers outside infosec. (Such is the danger of being self-taught!)
“Geeks don’t really come to B-Sides Orlando to be lectured on the application of something simple, with very simple means,” is roughly how I imagined the vitriol would be framed.
If it can happen to me, it can happen to anyone interested in tech. It’s the responsibility of experts and mentors to spare beginners from falling into the trappings of other peoples’ grand-standing.
Pride Before Destruction
With this in mind, let’s return to Shaw. At this point, more clarifying questions came in, this time from Fredrick Brennan.https://twitter.com/lzsthw/status/1359712275666505734
What an arrogant and bombastic thing to say!
At this point, I concluded that I can never again, in good conscience, recommend any of Shaw’s books to a fledgling programmer.
If you’ve ever published book recommendations before, I suggest auditing them to make sure you’re not inadvertently exposing beginners to his harmful attitude and problematic behavior.
But while we’re on the subject of Zed Shaw’s behavior…
https://twitter.com/lzsthw/status/1359714688972582916
If Shaw thinks of himself as a superior cryptography expert, surely he’s published cryptography code online before.
And surely, it will withstand a five-minute code review from a gay furry blogger who never went through Shaw’s prescribed hazing ritual to rediscover specifically the known problems in OpenSSL circa Heartbleed and is therefore not as much of a cryptography expert?
(Art by Khia.)
May I Offer You a Zero-Day in This Trying Time?
One of Zed A. Shaw’s Github projects is an implementation of SRP (Secure Remote Password)–an early Password-Authenticated Key Exchange algorithm often integrated with TLS (to form TLS-SRP).Zed Shaw’s SRP implementation
Without even looking past the directory structure, we can already see that it implements an algorithm called TrueRand, which cryptographer Matt Blaze has this to say:
https://twitter.com/mattblaze/status/438464425566412800
As noted by the README, Shaw stripped out all of the “extraneous” things and doesn’t have all of the previous versions of SRP “since those are known to be vulnerable”.
So given Shaw’s previous behavior, and the removal of vulnerable versions of SRP from his fork of Tom Wu’s libsrp code, it stands to reason that Shaw believes the cryptography code he published would be secure. Otherwise, why would he behave with such arrogance?
SRP in the Grass
Head’s up! If you aren’t cryptographically or mathematically inclined, this section might be a bit dense for your tastes. (Art by Scruff.)When I say SRP, I’m referring to SRP-6a. Earlier versions of the protocol are out of scope; as are proposed variants (e.g. ones that employ SHA-256 instead of SHA-1).
Professor Matthew D. Green of Johns Hopkins University (who incidentally used to proverbially shit on OpenSSL in the way that Shaw expects everyone to, except productively) dislikes SRP but considered the protocol “not obviously broken”.
However, a secure protocol doesn’t mean the implementations are always secure. (Anyone who’s looked at older versions of OpenSSL’s BigNum library after reading my guide to side-channel attacks knows better.)
There are a few ways to implement SRP insecurely:
- Use an insecure random number generator (e.g. TrueRand) for salts or private keys.
- Fail to use a secure set of parameters (q, N, g).
To expand on this, SRP requires q be a Sophie-Germain prime and N be its corresponding Safe Prime. The standard Diffie-Hellman primes (MODP) are not sufficient for SRP.This security requirement exists because SRP requires an algebraic structure called a ring, rather than a cyclic group (as per Diffie-Hellman).
- Fail to perform the critical validation steps as outlined in RFC 5054.
In one way or another, Shaw’s SRP library fails at every step of the way. The first two are trivial:
- We’ve already seen the RNG used by srpmin. TrueRand is not a cryptographically secure pseudo random number generator.
- Zed A. Shaw’s srpmin only supports unsafe primes for SRP (i.e. the ones from RFC 3526, which is for Diffie-Hellman).
The third is more interesting. Let’s talk about the RFC 5054 validation steps in more detail.
Parameter Validation in SRP-6a
Retraction (March 7, 2021): There are two errors in my original analysis.First, I misunderstood the behavior of
SRP_respond()
to involve a network transmission that an attacker could fiddle with. It turns out that this function doesn’t do what its name implies.Additionally, I was using an analysis of SRP3 from 1997 to evaluate code that implements SRP6a.
u
isn’t transmitted, so there’s no attack here.I’ve retracted these claims (but you can find them on an earlier version of this blog post via archive.org). The other SRP security issues still stand; this erroneous analysis only affects the
u
validation issue.Vulnerability Summary and Impact
That’s a lot of detail, but I hope it’s clear to everyone that all of the following are true:
- Zed Shaw’s library’s use of TrueRand fails the requirement to use a secure random source. This weakness affects both the salt and the private keys used throughout SRP.
- The library in question ships support for unsafe parameters (particularly for the prime, N), which according to RFC 5054 can leak the client’s password.
Salts and private keys are predictable and the hard-coded parameters allow passwords to leak.
But yes, OpenSSL is the real problem, right?
(Art by Khia.)Low-Hanging ModExp Fruit
Shaw’s SRP implementation is pluggable and supports multiple back-end implementations: OpenSSL, libgcrypt, and even the (obviously not constant-time) GMP.Even in the OpenSSL case, Shaw doesn’t set the
BN_FLG_CONSTTIME
flag on any of the inputs before callingBN_mod_exp()
(or, failing that, insideBigIntegerFromInt
).As a consequence, this is additionally vulnerable to a local-only timing attack that leaks your private exponent (which is the SHA1 hash of your salt and password). Although the literature on timing attacks against SRP is sparse, this is one of those cases that’s obviously vulnerable.
Exploiting the timing attack against SRP requires the ability to run code on the same hardware as the SRP implementation. Consequently, it’s possible to exploit this SRP ModExp timing side-channel from separate VMs that have access to the same bare-metal hardware (i.e. L1 and L2 caches), unless other protections are employed by the hypervisor.
Leaking the private exponent is equivalent to leaking your password (in terms of user impersonation), and knowing the salt and identifier further allows an attacker to brute force your plaintext password (which is an additional risk for password reuse).
Houston, The Ego Has Landed
Earlier when I mentioned the black hat hacker group Zero For 0wned, and the negative impact their hostile rhetoric, I omitted an important detail: Some of the first words they included in their first ezine.For those of you that look up to the people mentioned, read this zine, realize that everyone makes mistakes, but only the arrogant ones are called on it.
If Zed A. Shaw were a kinder or humbler person, you wouldn’t be reading this page right now. I have a million things I’d rather be doing than exposing the hypocrisy of an arrogant jerk who managed to bullshit his way into the privileged position of educating junior developers through his writing.If I didn’t believe Zed Shaw was toxic and harmful to his very customer base, I certainly wouldn’t have publicly dropped zero-days in the code he published while engaging in shit-slinging at others’ work and publicly shaming others for failing to meet arbitrarily specific purity tests that don’t mean anything to anyone but him.
But as Dan Guido said about Time AI:
https://twitter.com/veorq/status/1159575230970396672
It’s high time we stopped tolerating Zed’s behavior in the technology community.
If you want to mitigate impostor syndrome and help more talented people succeed with their confidence intact, boycott Zed Shaw’s books. Stop buying them, stop stocking them, stop recommending them.
Learn Decency the Hard Way
(Updated on February 12, 2021)One sentiment and question that came up a few times since I originally posted this is, approximately, “Who cares if he’s a jerk and a hypocrite if he’s right?”
But he isn’t. At best, Shaw almost has a point about the technology industry’s over-dependence on OpenSSL.
Shaw’s weird litmus test about whether or not my blog (which is less than a year old) had said anything about OpenSSL during the “20+ years it was obviously flawed” isn’t a salient critique of this problem. Without a time machine, there is no actionable path to improvement.
You can be an inflammatory asshole and still have a salient point. Shaw had neither while demonstrating the worst kind of conduct to expose junior developers to if we want to get ahead of the rampant Impostor Syndrome that plagues us.
This is needlessly destructive to his own audience.
Generally the only people you’ll find who outright like this kind of abusive behavior in the technology industry are the self-proclaimed “neckbeards” that live on the dregs of elitist chan culture and desire for there to be a priestly technologist class within society, and furthermore want to see themselves as part of this exclusive caste–if not at the top of it. I don’t believe these people have anyone else’s best interests at heart.
So let’s talk about OpenSSL.
OpenSSL is the Manifestation of Mediocrity
OpenSSL is everywhere, whether you realize it or not. Any programming language that provides acrypto
module (Erlang, Node.js, Python, Ruby, PHP) binds against OpenSSL libcrypto.OpenSSL kind of sucks. It used to be a lot worse. A lot of people have spent the past 7 years of their careers trying to make it better.
A lot of OpenSSL’s suckage is because it’s written mostly in C, which isn’t memory-safe. (There’s also some Perl scripts to generate Assembly code, and probably some other crazy stuff under the hood I’m not aware of.)
A lot of OpenSSL’s suckage is because it has to be all things to all people that depend on it, because it’s ubiquitous in the technology industry.
But most of OpenSSL’s outstanding suckage is because, like most cryptography projects, its API was badly designed. Sure, it works well enough as a Swiss army knife for experts, but there’s too many sharp edges and unsafe defaults. Further, because so much of the world depends on these legacy APIs, it’s difficult (if not impossible) to improve the code quality without making upgrades a miserable task for most of the software industry.
What Can We Do About OpenSSL?
There are two paths forward.First, you can contribute to the OpenSSL 3.0 project, which has a pretty reasonable design document that almost nobody outside of the OpenSSL team has probably ever read before. This is probably the path of least resistance for most of the world.
Second, you can migrate your code to not use OpenSSL. For example, all of the cryptography code I’ve written for the furry community to use in our projects is backed by libsodium rather than OpenSSL. This is a tougher sell for most programming languages–and, at minimum, requires a major version bump.
Both paths are valid. Improve or replace.
But what’s not valid is pointlessly and needlessly shit-slinging open source projects that you’re not willing to help. So I refuse to do that.
Anyone who thinks that makes me less of a cryptography expert should feel welcome to not just unfollow me on social media, but to block on their way out.
https://soatok.blog/2021/02/11/on-the-toxicity-of-zed-a-shaw/
#author #cryptography #ImpostorSyndrome #PAKE #SecureRemotePasswordProtocol #security #SRP #Technology #toxicity #vuln #ZedAShaw #ZeroDay
Let me say up front, I’m no stranger to negative or ridiculous feedback. It’s incredibly hard to hurt my feelings, especially if you intend to. You don’t openly participate in the furry fandom since 2010 without being accustomed to malevolence and trolling. If this were simply a story of someone being an asshole to me, I would have shrugged and moved on with my life.
It’s important that you understand this, because when you call it like you see it, sometimes people dismiss your criticism with “triggered” memes. This isn’t me being offended. I promise.
My recent blog post about crackpot cryptography received a fair bit of attention in the software community. At one point it was on the front page of Hacker News (which is something that pretty much never happens for anything I write).
Unfortunately, that also means I crossed paths with Zed A. Shaw, the author of Learn Python the Hard Way and other books often recommended to neophyte software developers.
As someone who spends a lot of time trying to help newcomers acclimate to the technology industry, there are some behaviors I’ve recognized in technologists over the years that makes it harder for newcomers to overcome anxiety, frustration, and Impostor Syndrome. (Especially if they’re LGBTQIA+, a person of color, or a woman.)
Normally, these are easily correctable behaviors exhibited by people who have good intentions but don’t realize the harm they’re causing–often not by what they’re saying, but by how they say it.
Sadly, I can’t be so generous about… whatever this is:
https://twitter.com/lzsthw/status/1359659091782733827
Having never before encountered a living example of a poorly-written villain towards the work I do to help disadvantaged people thrive in technology careers, I sought to clarify Shaw’s intent.
https://twitter.com/lzsthw/status/1359673331960733696
https://twitter.com/lzsthw/status/1359673714607013905
This is effectively a very weird hybrid of an oddly-specific purity test and a form of hazing ritual.
Let’s step back for a second. Can you even fathom the damage attitudes like this can cause? I can tell you firsthand, because it happened to me.
Interlude: Amplified Impostor Syndrome
In the beginning of my career, I was just a humble web programmer. Due to a long story I don’t want to get into now, I was acquainted with the culture of black-hat hacking that precipitates the DEF CON community.
In particular, I was exposed the writings of a malicious group called Zero For 0wned, which made sport of hunting “skiddiez” and preached a very “shut up and stay in your lane” attitude:
Geeks don’t really come to HOPE to be lectured on the application of something simple, with very simple means, by a 15 year old. A combination of all the above could be why your room wasn’t full. Not only was it fairly empty, but it emptied at a rapid rate. I could barely take a seat through the masses pushing me to escape. Then when I thought no more people could possibly leave, they kept going. The room was almost empty when I gave in and left also. Heck, I was only there because we pwned the very resources you were talking about.Zero For 0wned
My first security conference was B-Sides Orlando in 2013. Before the conference, I had been hanging out in the #hackucf IRC channel and had known about the event well in advance (and got along with all the organizers and most of the would-be attendees), and considered applying to their CFP.
I ultimately didn’t, solely because I was worried about a ZF0-style reception.
I had no reference frame for other folks’ understanding of cryptography (which is my chosen area of discipline in infosec), and thought things like timing side-channels were “obvious”–even to software developers outside infosec. (Such is the danger of being self-taught!)
“Geeks don’t really come to B-Sides Orlando to be lectured on the application of something simple, with very simple means,” is roughly how I imagined the vitriol would be framed.
If it can happen to me, it can happen to anyone interested in tech. It’s the responsibility of experts and mentors to spare beginners from falling into the trappings of other peoples’ grand-standing.
Pride Before Destruction
With this in mind, let’s return to Shaw. At this point, more clarifying questions came in, this time from Fredrick Brennan.
https://twitter.com/lzsthw/status/1359712275666505734
What an arrogant and bombastic thing to say!
At this point, I concluded that I can never again, in good conscience, recommend any of Shaw’s books to a fledgling programmer.
If you’ve ever published book recommendations before, I suggest auditing them to make sure you’re not inadvertently exposing beginners to his harmful attitude and problematic behavior.
But while we’re on the subject of Zed Shaw’s behavior…
https://twitter.com/lzsthw/status/1359714688972582916
If Shaw thinks of himself as a superior cryptography expert, surely he’s published cryptography code online before.
And surely, it will withstand a five-minute code review from a gay furry blogger who never went through Shaw’s prescribed hazing ritual to rediscover specifically the known problems in OpenSSL circa Heartbleed and is therefore not as much of a cryptography expert?
(Art by Khia.)
May I Offer You a Zero-Day in This Trying Time?
One of Zed A. Shaw’s Github projects is an implementation of SRP (Secure Remote Password)–an early Password-Authenticated Key Exchange algorithm often integrated with TLS (to form TLS-SRP).
Zed Shaw’s SRP implementation
Without even looking past the directory structure, we can already see that it implements an algorithm called TrueRand, which cryptographer Matt Blaze has this to say:
https://twitter.com/mattblaze/status/438464425566412800
As noted by the README, Shaw stripped out all of the “extraneous” things and doesn’t have all of the previous versions of SRP “since those are known to be vulnerable”.
So given Shaw’s previous behavior, and the removal of vulnerable versions of SRP from his fork of Tom Wu’s libsrp code, it stands to reason that Shaw believes the cryptography code he published would be secure. Otherwise, why would he behave with such arrogance?
SRP in the Grass
Head’s up! If you aren’t cryptographically or mathematically inclined, this section might be a bit dense for your tastes. (Art by Scruff.)
When I say SRP, I’m referring to SRP-6a. Earlier versions of the protocol are out of scope; as are proposed variants (e.g. ones that employ SHA-256 instead of SHA-1).
Professor Matthew D. Green of Johns Hopkins University (who incidentally used to proverbially shit on OpenSSL in the way that Shaw expects everyone to, except productively) dislikes SRP but considered the protocol “not obviously broken”.
However, a secure protocol doesn’t mean the implementations are always secure. (Anyone who’s looked at older versions of OpenSSL’s BigNum library after reading my guide to side-channel attacks knows better.)
There are a few ways to implement SRP insecurely:
- Use an insecure random number generator (e.g. TrueRand) for salts or private keys.
- Fail to use a secure set of parameters (q, N, g).
To expand on this, SRP requires q be a Sophie-Germain prime and N be its corresponding Safe Prime. The standard Diffie-Hellman primes (MODP) are not sufficient for SRP.This security requirement exists because SRP requires an algebraic structure called a ring, rather than a cyclic group (as per Diffie-Hellman).
- Fail to perform the critical validation steps as outlined in RFC 5054.
In one way or another, Shaw’s SRP library fails at every step of the way. The first two are trivial:
- We’ve already seen the RNG used by srpmin. TrueRand is not a cryptographically secure pseudo random number generator.
- Zed A. Shaw’s srpmin only supports unsafe primes for SRP (i.e. the ones from RFC 3526, which is for Diffie-Hellman).
The third is more interesting. Let’s talk about the RFC 5054 validation steps in more detail.
Parameter Validation in SRP-6a
Retraction (March 7, 2021): There are two errors in my original analysis.
First, I misunderstood the behavior of SRP_respond()
to involve a network transmission that an attacker could fiddle with. It turns out that this function doesn’t do what its name implies.
Additionally, I was using an analysis of SRP3 from 1997 to evaluate code that implements SRP6a. u
isn’t transmitted, so there’s no attack here.
I’ve retracted these claims (but you can find them on an earlier version of this blog post via archive.org). The other SRP security issues still stand; this erroneous analysis only affects the u
validation issue.
Vulnerability Summary and Impact
That’s a lot of detail, but I hope it’s clear to everyone that all of the following are true:
- Zed Shaw’s library’s use of TrueRand fails the requirement to use a secure random source. This weakness affects both the salt and the private keys used throughout SRP.
- The library in question ships support for unsafe parameters (particularly for the prime, N), which according to RFC 5054 can leak the client’s password.
Salts and private keys are predictable and the hard-coded parameters allow passwords to leak.
But yes, OpenSSL is the real problem, right?
(Art by Khia.)
Low-Hanging ModExp Fruit
Shaw’s SRP implementation is pluggable and supports multiple back-end implementations: OpenSSL, libgcrypt, and even the (obviously not constant-time) GMP.
Even in the OpenSSL case, Shaw doesn’t set the BN_FLG_CONSTTIME
flag on any of the inputs before calling BN_mod_exp()
(or, failing that, inside BigIntegerFromInt
).
As a consequence, this is additionally vulnerable to a local-only timing attack that leaks your private exponent (which is the SHA1 hash of your salt and password). Although the literature on timing attacks against SRP is sparse, this is one of those cases that’s obviously vulnerable.
Exploiting the timing attack against SRP requires the ability to run code on the same hardware as the SRP implementation. Consequently, it’s possible to exploit this SRP ModExp timing side-channel from separate VMs that have access to the same bare-metal hardware (i.e. L1 and L2 caches), unless other protections are employed by the hypervisor.
Leaking the private exponent is equivalent to leaking your password (in terms of user impersonation), and knowing the salt and identifier further allows an attacker to brute force your plaintext password (which is an additional risk for password reuse).
Houston, The Ego Has Landed
Earlier when I mentioned the black hat hacker group Zero For 0wned, and the negative impact their hostile rhetoric, I omitted an important detail: Some of the first words they included in their first ezine.
For those of you that look up to the people mentioned, read this zine, realize that everyone makes mistakes, but only the arrogant ones are called on it.
If Zed A. Shaw were a kinder or humbler person, you wouldn’t be reading this page right now. I have a million things I’d rather be doing than exposing the hypocrisy of an arrogant jerk who managed to bullshit his way into the privileged position of educating junior developers through his writing.
If I didn’t believe Zed Shaw was toxic and harmful to his very customer base, I certainly wouldn’t have publicly dropped zero-days in the code he published while engaging in shit-slinging at others’ work and publicly shaming others for failing to meet arbitrarily specific purity tests that don’t mean anything to anyone but him.
But as Dan Guido said about Time AI:
https://twitter.com/veorq/status/1159575230970396672
It’s high time we stopped tolerating Zed’s behavior in the technology community.
If you want to mitigate impostor syndrome and help more talented people succeed with their confidence intact, boycott Zed Shaw’s books. Stop buying them, stop stocking them, stop recommending them.
Learn Decency the Hard Way
(Updated on February 12, 2021)
One sentiment and question that came up a few times since I originally posted this is, approximately, “Who cares if he’s a jerk and a hypocrite if he’s right?”
But he isn’t. At best, Shaw almost has a point about the technology industry’s over-dependence on OpenSSL.
Shaw’s weird litmus test about whether or not my blog (which is less than a year old) had said anything about OpenSSL during the “20+ years it was obviously flawed” isn’t a salient critique of this problem. Without a time machine, there is no actionable path to improvement.
You can be an inflammatory asshole and still have a salient point. Shaw had neither while demonstrating the worst kind of conduct to expose junior developers to if we want to get ahead of the rampant Impostor Syndrome that plagues us.
This is needlessly destructive to his own audience.
Generally the only people you’ll find who outright like this kind of abusive behavior in the technology industry are the self-proclaimed “neckbeards” that live on the dregs of elitist chan culture and desire for there to be a priestly technologist class within society, and furthermore want to see themselves as part of this exclusive caste–if not at the top of it. I don’t believe these people have anyone else’s best interests at heart.
So let’s talk about OpenSSL.
OpenSSL is the Manifestation of Mediocrity
OpenSSL is everywhere, whether you realize it or not. Any programming language that provides a crypto
module (Erlang, Node.js, Python, Ruby, PHP) binds against OpenSSL libcrypto.
OpenSSL kind of sucks. It used to be a lot worse. A lot of people have spent the past 7 years of their careers trying to make it better.
A lot of OpenSSL’s suckage is because it’s written mostly in C, which isn’t memory-safe. (There’s also some Perl scripts to generate Assembly code, and probably some other crazy stuff under the hood I’m not aware of.)
A lot of OpenSSL’s suckage is because it has to be all things to all people that depend on it, because it’s ubiquitous in the technology industry.
But most of OpenSSL’s outstanding suckage is because, like most cryptography projects, its API was badly designed. Sure, it works well enough as a Swiss army knife for experts, but there’s too many sharp edges and unsafe defaults. Further, because so much of the world depends on these legacy APIs, it’s difficult (if not impossible) to improve the code quality without making upgrades a miserable task for most of the software industry.
What Can We Do About OpenSSL?
There are two paths forward.
First, you can contribute to the OpenSSL 3.0 project, which has a pretty reasonable design document that almost nobody outside of the OpenSSL team has probably ever read before. This is probably the path of least resistance for most of the world.
Second, you can migrate your code to not use OpenSSL. For example, all of the cryptography code I’ve written for the furry community to use in our projects is backed by libsodium rather than OpenSSL. This is a tougher sell for most programming languages–and, at minimum, requires a major version bump.
Both paths are valid. Improve or replace.
But what’s not valid is pointlessly and needlessly shit-slinging open source projects that you’re not willing to help. So I refuse to do that.
Anyone who thinks that makes me less of a cryptography expert should feel welcome to not just unfollow me on social media, but to block on their way out.
https://soatok.blog/2021/02/11/on-the-toxicity-of-zed-a-shaw/
#author #cryptography #ImpostorSyndrome #PAKE #SecureRemotePasswordProtocol #security #SRP #Technology #toxicity #vuln #ZedAShaw #ZeroDay
Sometimes my blog posts end up on social link-sharing websites with a technology focus, such as Lobste.rs or Hacker News.On a good day, this presents an opportunity to share one’s writing with a larger audience and, more importantly, solicit a wider variety of feedback from one’s peers.
However, sometimes you end up with feedback like this, or this:
Apparently my fursona is ugly, and therefore I’m supposed to respect some random person’s preferences and suppress my identity online.
I’m no stranger to gatekeeping in online communities, internet trolls, or bullying in general. This isn’t my first rodeo, and it won’t be my last.
These kinds of comments exist to send a message not just to me, but to anyone else who’s furry or overtly LGBTQIA+: You’re weird and therefore not welcome here.
Of course, the moderators rarely share their views.
https://twitter.com/pushcx/status/1281207233020379137
Because of their toxic nature, there is only one appropriate response to these kinds of comments: Loud and persistent spite.
So here’s some more art I’ve commissioned or been gifted of my fursona over the years that I haven’t yet worked into a blog post:
Art by kazetheblaze
Art by leeohfox
Art by Diffuse MooseIf you hate furries so much, you will be appalled to learn that factoids about my fursona species have landed in LibreSSL’s source code (decoded).
Never underestimate furries, because we make the Internets go.
I will never let these kind of comments discourage me from being open about my hobbies, interests, or personality. And neither should anyone else.
If you don’t like my blog posts because I’m a furry but still find the technical content interesting, know now and forever more that, when you try to push me or anyone else out for being different, I will only increase the fucking thing.
Header art created by @loviesophiee and inspired by floccinaucinihilipilification.
https://soatok.blog/2020/07/09/a-word-on-anti-furry-sentiments-in-the-tech-community/
#antiFurryBullying #cyberculture #furry #HackerNews #LobsteRs #Reddit