Field Notes

What the work teaches, distilled. The patterns we see across every board: cryptography, covert infrastructure, and offense.

No client names. No engagement specifics. Everything here is general doctrine. Our clients sign NDAs, and we keep them. These are the principles, not the files.

NOTE · 001 · Post-Quantum

"Later" already started.

Harvest-now-decrypt-later is not a forecast. It's an active collection posture. Traffic you protect today with classic RSA or ECDH is being archived for a machine that isn't switched on yet. Migration is a deadline, not a backlog item.

NOTE · 002 · OPSEC

The crypto holds. The operator leaks.

Almost no onion service is unmasked by breaking Tor. It's a server timestamp, a clearnet asset loaded by accident, a reused favicon hash, an SSH banner. Anonymity is an operational discipline long before it's a cryptographic one.

NOTE · 003 · Crypto Engineering

Constant-time is a property of the binary.

Not of your source. A helpful compiler will happily reintroduce the branch you carefully removed. If you haven't read the emitted assembly, you don't have constant-time. You have an intention.

NOTE · 004 · Offense

A WAF is a speed bump.

Not a wall. We've never met one that survived contact with a determined operator. It buys you log lines and minutes, not safety. Fix the application; don't rent a filter to stand in front of it.

NOTE · 005 · Access Control

The expensive bugs live in the gaps.

Not in the code you wrote, but in the assumptions between two systems that each behaved "correctly." Trust boundaries, not functions, are where real audits earn their fee.

NOTE · 006 · Key Custody

Sole custody is a story.

A key one person can extract is a key one subpoena, one bribe, or one bad night can extract. Threshold it across parties and hardware, or be honest that "we alone hold the keys" is a sentence for the pitch deck.

NOTE · 007 · Availability

The flood is the noise.

The application-layer request that triggers an unindexed join is the signal. Most outages we're called in for weren't bandwidth. They were one expensive endpoint, hit cheaply, a few hundred times a second.
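
An added illustration of this note (not code from the original page or the firm's tooling): ranking endpoints by their share of backend time instead of bandwidth, so the cheap-to-send, expensive-to-serve path stands out. The log format, function names, thresholds and sample lines are assumptions constructed for the example.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample traffic (not real logs). Assumed line format:
#   METHOD TARGET STATUS RESPONSE_BYTES BACKEND_SECONDS
SAMPLE = (
    ["GET /static/app.js 200 512000 0.004"] * 300
    + [f"GET /api/items?page={i} 200 2048 0.020" for i in range(100)]
    + [f"GET /search?q=term{i} 200 900 1.850" for i in range(40)]
    + ["malformed line"]
)

def summarize(lines):
    """Aggregate hits, bytes sent and backend seconds per path."""
    stats = defaultdict(lambda: {"hits": 0, "bytes": 0, "seconds": 0.0})
    for line in lines:
        parts = line.split()
        if len(parts) != 5:
            continue  # skip lines that do not match the assumed format
        try:
            size, seconds = int(parts[3]), float(parts[4])
        except ValueError:
            continue
        # Drop the query string so varied parameters count as one endpoint.
        entry = stats[urlsplit(parts[1]).path]
        entry["hits"] += 1
        entry["bytes"] += size
        entry["seconds"] += seconds
    return dict(stats)

def expensive_cheap(lines, min_time_share=0.5, max_byte_share=0.1):
    """Paths that dominate backend time while sending almost no bytes."""
    stats = summarize(lines)
    total_bytes = sum(s["bytes"] for s in stats.values()) or 1
    total_secs = sum(s["seconds"] for s in stats.values()) or 1.0
    flagged = []
    for path, s in stats.items():
        time_share = s["seconds"] / total_secs
        byte_share = s["bytes"] / total_bytes
        if time_share >= min_time_share and byte_share <= max_byte_share:
            flagged.append((path, s["hits"], round(time_share, 3)))
    return sorted(flagged, key=lambda row: row[2], reverse=True)

if __name__ == "__main__":
    for path, hits, share in expensive_cheap(SAMPLE):
        print(f"{path}: {hits} hits, {share:.1%} of backend time")
```

A bandwidth graph of the same sample would show only the static asset; the search path is invisible there and accounts for nearly all backend time.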

NOTE · 008 · Marketplaces

Escrow is the easy half.

Holding funds was never the hard part. Adjudicating a dispute between two anonymous parties who both hold proof is. Escrow without dispute logic is just a slower way to lose the money.

NOTE · 009 · Supply Chain

You shipped 400 strangers' code.

Your dependency tree is your real attack surface. You audited what you wrote and bundled everything you didn't. The breach rarely knocks on the front door anymore. It arrives as a minor version bump.

Bring us the hard one.

Doctrine is cheap; execution is the firm. If one of these maps to a problem you actually have, that's a conversation.
