An Interview With Soatok Dreamseeker #

12/3/2020

Whenever I’m asked, I usually say something to the effect of, “I’m a security engineer with a dhole fursona that sometimes writes about cryptography on my furry blog.”

There’s actually a lot more to the story than that, but comical understatement is somewhat an unspoken tradition among my technical friends. (I can’t tell if it’s humility or impostor syndrome with them.)

Outside my fandom persona, I’ve written the code that helps to secure a double digit percentage of the websites on the Internet. I work on a cryptography team at an unspecified technology company. I’m very deeply immersed in this stuff, for the good of the Internet, and even if I didn’t set out to talk about cryptography topics, it would leak out (as it often does with my dumb Twitter jokes).

My favorite project is usually whatever I’m working on at a given moment.

In the past, I’ve implemented a full suite of constant-time JavaScript algorithms, only to discover Thomas Pornin already did something similar for C.

My current project involves creating a series of open source libraries to make it easier for JavaScript developers to implement end-to-end encryption in their own applications.

Cryptographers have an orthodoxy that loosely follows the same battle lines as infosec opinions on programming languages: PHP bad, JavaScript harmful.

I think the intent is, if they neglect these languages, they can exert some sort of bastard lovechild of market pressure and darwinism to coerce developers onto programming languages that are more suitable to secure cryptography than the ones they’re already using.

In practice, this just means that the programming languages that most of us use are less safe than they could be, and the ivory tower academics and infosec thought leaders just hold their nose up to the thought of meeting them halfway. This makes the Internet less secure for us all.

I love the furry fandom and I’m deeply fascinated by security topics, so it’s an obvious cross-over for me. But there is more to it than just that!

I mentored a few folks over the years, and tried to nudge many more towards supportive, accepting, and uplifting venues. Almost everyone involved in that was deathly terrified of, for example, hiring managers finding out about their fandom participation.

We both know this, but a lot of business people do not: The furry fandom is widely regarded as a LGBT subculture. Discriminating against people who participate in our community is a good way to undermine your own diversity and inclusion initiatives.

Being openly and shamelessly my furry self is an easy opportunity for me to normalize our community to companies that hire security analysts, programmers, or cryptographers. This has a few effects:

1. Hiring managers are more exposed to furries in tech, which makes them less likely to react badly if someone discloses their hobbies during an interview (whether or not they intended to).
2. Neophytes get to see someone with a lot of experience in the industry be openly weird, so they will be a little more comfortable in their own fur.
3. Queerphobes that use anti-furry hate as a dog-whistle out themselves on social media in droves, which helps identify which companies should be avoided.
4. The rarest consequence, but has happened to me about a half-dozen times in my career: More tech people that were incidentally furry become open about it when they see no significant ill befall me.

I hope it’s clear that the end result is a net positive, even if the prospect of doing what I do is a little scary to a lot of people.

Nope! Game Theory says it’s the optimal strategy.

The US government should really stop trying to give the Department of Justice a backdoor.

Like, I get it: Their bottoms still need a regular powdering after Edward Snowden revealed the NSA was literally spying on everyone. They wanted to keep abusing their power with impunity and secrecy, and now they can’t. Boo hoo.

But if they’re really as interested in “protecting the children” as they like to claim, they’d invest more in end-to-end encryption and tougher privacy protections; especially but not exclusively for kids!

Cryptocurrency is a mixed bag, and it’s hard to give a succinct answer.

On one paw, it’s one of the most reliable revenue sources for advancements in cryptography. A lot of the work on practical zero-knowledge proofs happening today is the result of Zcash and Ethereum developers trading recipes and not being preoccupied with Line of Business development work at their dayjob.

On the other, it’s a magnet for unscrupulous hacks and ancap tech bros. You know the type: They hate the state and want governments to get off their back, but they love the hierarchies of capitalism and the privileges of private property and systemic state violence that serves the interests of the wealthy? If you see “Bitcoin maximalist” in someone’s Twitter bio, 99 times out of 100, you’re dealing with that beast.

Public messages (e.g. tweets) should have slightly more granular access controls than the current all-or-nothing approach (Is your account public or private?).

Public messages should be editable (with a public changelog). Replies should be clearly marked if they were directed at a previous version, and the option to view them in context should be available.

Private messages should be end-to-end encrypted, using keys that the platforms cannot access.

I would have encrypted every packet from day one, rather than slowly bolting it on years later. For example: Email encryption is still opportunistic in 2020. We’ve only started addressing DNS privacy. (Note: DNS privacy is a good problem to solve; DNSSEC is stupid.)

Assuming they’re being even mildly honest about anything (which I don’t really believe), Silicon Valley needs to get over their fear of the perception of having anti-conservative bias. This fear leads to them tolerating hate speech and rallying cries for racist and transphobic violence.

Facebook is unsalvageable.

I previously touched on defeating coordinated inauthentic behavior at scale in my Medium writing days.

(My Medium writing days ended because I got tired of their constant pressure to monetize my writing. I’m happy to pay for the privilege of publishing my ideas, ad-free, without a paywall.)

No.

What’s the failure mode for a hacked election? You can’t just roll back a political career advancement.

The threat model for elections is incompatible with the BYOB mental model of consumer electronics (which is what people imply when they talk about electronic voting).

Paper ballots. You need an audit trail that technology cannot tamper with.

The RIAA is a blight upon the Internet and needs to be dismantled, but only after we tear down JSTOR and Elsevier. Remember Aaron Swartz.

The EFF does a lot of good work to oppose tyrants like the RIAA.

DRM is diametrically opposed to endpoint security, transparency, and trustworthy computing. Only corporate shills that sold their soul to the intellectual property machine ever think DRM is a good idea for consumer devices.

That being said, the notion of using DRM to run code in “the cloud” that the cloud service providers cannot understand or tamper with is very attractive. But that’s an inversion of the normal power dynamic.

I think it’s mildly positive. It’d be significantly more positive if tech companies took coordinated inauthentic behavior, misinformation, and propaganda more seriously 10 years ago.

There’s a lot to hate. But I wouldn’t have known about the furry fandom–let alone ever participated in it–if it weren’t for the Internet and social media.

People don’t need a graduate course in number theory and CS101 descriptions of RSA, which is what the cryptography orthodoxy pawned off on the public.

I wrote a guide to learning cryptography as a programmer earlier this year.

We as an industry need to spend some time talking to the UX experts, technical writers, and science communicators of the world and devise a concise and coherent public education strategy. Until that happens, we’ll continue to flounder around in the dark but some of us will make better and easier-to-use tools, so things won’t be so bad.

There’s a lot of academic formality that I missed out on, including:

• How to write a whitepaper for a scientific journal. In \( \LaTeX \) .
• Familiarity with the mathematician jargon (especially lambda calculus) that obfuscates intuition.
• How to not be a filthy degenerate (or so my detractors say).

It depends what I’m doing.

Most of my open source security work over the years involved a web browser with GitHub.com on one monitor, and Notepad++ in the other. Nothing too fancy.

If I’m reverse engineering (e.g. Android apps), I’ll boot up a Virtualbox machine and fullscreen it on one of the monitors.

I do find good background music indespensible to deep analytic work. Time I by Wintersun and Malcom Robinson’s Chrono Trigger Orchestral Selections are two playlists you’ll hear emit from my bedroom all day long.

I’ve worked from home for most of my career, and for the entire past 6 years, so my home computer setup is pretty sweet.

Not particularly. There’s no such thing as useless knowledge; only stuff you don’t want to use, or don’t know how.

Active listening. Hands down.

The most stressful problems you will ever encounter in almost any profession is either, at its core, a communication problem, or the consequence of one.

That being said, I didn’t entirely teach it to myself. My close friends (a.k.a. chosen family) were all deeply involved in those lessons. :3

I frequently play co-op video games with my chosen family. We’re currently experiencing Final Fantaxy XIV together, and looking forward to Corepunk when it comes out.

(Sometimes we even stream our gameplay, but usually on this channel.)

One time I was migrating a PostgreSQL cluster at night, and I accidentally typed the rm command into the wrong terminal.

I called my boss and then we discovered the backup software had been failing for nearly a month. (I did have a manual snapshot from a week ago, but that was a week of data lost.)

Not a fun year.

There are too many people to list. I feel like I’d do everyone a disservice if I tried. Too many artists, too many musicians, too many videographers, too many photographers, too many dancers.

Maybe if I could Ctrl+A, Ctrl+C the furry fandom (sans the alt-right), that’d be closer to the comprehensive list.

Outside of the fandom, my best friend of 12+ years recently made a fursona.

I’m very fortunate to count @SwiftOnSecurity among my friends too.

Best (all from my best friend over the years):

• Just because you can doesn’t mean you should.
• The truest measure of a person is what they do when they think no one is watchng.
• Power is temporary; what you do with it when you have it is what counts.

Worst:

• You need to find God – annoying person in my high school

At this point, it’s a habit for me. But early on, I was motivated largely by spite.

I got my start in tech by playing with a program called RPG Maker, and I decided to make a website for my personal projects. The indie game community back then was super toxic, so people in the community kept hacking my website. (My early PHP wasn’t very good.) I got angry and decided I would learn about web application security to stop them from breaking in.

Years later, one of the perpetrators admitted to me what they were doing. By then, I was long over it.

I have absolutely no musical talent. I’m getting a fursuit soon. Therefore, I figured learning to dance would be pretty cool :3