California's biggest flex

13 Nov 2023

I think the crummy shape of California’s symbols is the clearest sign of its strength. This may seem like a contradiction, but over time I’ve come to think of it as the greatest possible flex.

It’s a phenomenon that I believe is best exemplified by two places: the old Apple campus, and the Hollywood Walk Of Fame. These places represent the projections of California’s power from the north and south. They are (or were) perhaps the two most significant symbols of what California represents to the world. And both places are absolutely, completely, and overwhelmingly… crummy. But so – I contend – all the more powerful.


My first impressions of web3

07 Jan 2022

Despite considering myself a cryptographer, I have not found myself particularly drawn to “crypto.” I don’t think I’ve ever actually said the words “get off my lawn,” but I’m much more likely to click on Pepperidge Farm Remembers flavored memes about how “crypto” used to mean “cryptography” than I am the latest NFT drop.

Also – cards on the table here – I don’t share the same generational excitement for moving all aspects of life into an instrumented economy.

Even strictly on the technological level, though, I haven’t yet managed to become a believer. So given all of the recent attention into what is now being called web3, I decided to explore some of what has been happening in that space more thoroughly to see what I may be missing.


GPG And Me

24 Feb 2015

I receive a fair amount of email from strangers. My email address is public, which doesn’t seem to be a popular choice these days, but I’ve received enough inspiring correspondence over the years to leave it be.

When I receive a GPG encrypted email from a stranger, though, I immediately get the feeling that I don’t want to read it. Sometimes I actually contemplate creating a filter for them so that they bypass my inbox entirely, but for now I sigh, unlock my key, start reading, and – with a faint glimmer of hope – am typically disappointed.


A Saudi Arabia Telecom's Surveillance Pitch

13 May 2013

Last week I was contacted by an agent of Mobily, one of two telecoms operating in Saudi Arabia, about a surveillance project that they’re working on in that country. Having published two reasonably popular MITM tools, it’s not uncommon for me to get emails requesting that I help people with their interception projects. I typically don’t respond, but this one (an email titled “Solution for monitoring encrypted data on telecom”) caught my eye.


Career Advice

07 Jan 2013

To my great surprise, young people now somewhat frequently contact me in order to solicit career advice. They are usually in college or highschool, and want to know what the best next steps are for a career in security or software development.

This is, honestly, a really complicated question, mostly because I’m usually concerned that the question itself might be the wrong one to be asking. What I want to say, more often than not, is something along the lines of don’t do it; when I got out of highschool and focused on the answer to that same question, it was very nearly one of the biggest mistakes of my life.

Since I get these inquiries fairly regularly, I thought I’d write something here that I can use as a sort of canonical starting point for a response.


The Worst

27 Nov 2012

I don’t really know who Dustin Curtis is, but he blogs a lot, and those blog entries often end up on Hacker News. Not too long ago, he wrote a blog post titled “The Best,” in which he explains that he has nice stuff. That in fact, everything he owns is actually the very best of its kind.

Dustin’s blog post culminates in the triumph of his quest for the perfect set of flatware. Apparently, this is what the perfect collection of forks, knives, and spoons looks like, which we can assume Dustin Curtis has in his kitchen drawer at this very moment:


The Cryptographic Doom Principle

13 Dec 2011

When it comes to designing secure protocols, I have a principle that goes like this: if you have to perform any cryptographic operation before verifying the MAC on a message you’ve received, it will somehow inevitably lead to doom.


SSL And The Future Of Authenticity

11 Apr 2011

In the early 90’s, at the dawn of the World Wide Web, some engineers at Netscape developed a protocol for making secure HTTP requests, and what they came up with was called SSL. Given the relatively scarce body of knowledge concerning secure protocols at the time, as well the intense pressure everyone at Netscape was working under, their efforts can only be seen as incredibly heroic. It’s amazing that SSL has endured for as long as it has, in contrast to a number of other protocols from the same vintage. We’ve definitely learned a lot since then, though, but the thing about protocols and APIs is that there’s very little going back.


© 2012 Moxie Marlinspike