Ah, the Matrix guy decided to chime in on the Hacker News thread about my blog.
https://news.ycombinator.com/item?id=46979742#46982871
Of course his comment is bullshit.
Discussion
Loading...
@soatok Matrix bros vibe choading
Like, the issues I found aren't even particularly difficult to mitigate. I provided some sample code in my Matrix disclosure blog post and pointed to a bitsliced AES implementation (BearSSL) for systems that can't do AES-NI.
Hell, you could probably get a fucking LLM to do it. Trail of Bits published a Claude skill for detecting whether a compiler has undermined the intent for code to be constant-time. But the heavy-lifting is done by a Python script.
Shipping cryptography without side-channels was table-stakes for being taken seriously.
The Matrix guy is incentivized to control the narrative here. No surprise there.
But I implore anyone paying attention to critically evaluate the facts and what he said then as well as what he's saying now.
There are more pathetic comments on the Hacker News thread.
For example:
(Would you believe this guy has -18 karma?)
The crucial thing Arathorn hasn't figured out is he's his own worst enemy when it comes to public relations.
Several folks have told me they stopped trusting Matrix. But not because of my write-up. They stopped trusting Matrix because of how Matrix responded to my write-up.
They couldn't just said something banal like, "Thanks for contributing to the security of Matrix," and done less damage to their own reputation.
@soatok a good amount of my own judgement on a company is how they recover from an attack or treat a security researcher.
hostility? not purchasing.
owning up to it with public whitepaper / lessons learned? awesome.