Not sure how fucked a project is? Want a security nerd to give it a quick once over?
Critiques by Soatok
For a flat rate of US$300, you can have an Internet furry with over a decade of application security, software development, and applied cryptography experience review your project.
(Special discounts are available entirely at Soatok's discretion, especially for friends.)
Projects can be anything from software projects to systems diagrams for a service to a novel cryptographic protocol.
Objectives
My primary objective with any project I critique this way is to estimate how much work would be needed to ensure its security and reliability.
If there are any proverbial low-hanging fruit in the security or cryptography domains, I will also let you know.
Deliverables
The deliverable of each engagement can be any of the following:
- Slack thread
- Tediously long Discord message
- Google Doc
- Ticket on a bug tracker (e.g., GitHub issues)
Really, whatever works best for you!
Interested in a Critique?
Get in touch via email, or via the Fediverse.
Questions & Answers
Q: "What exactly would I be paying for?"
Up to one hour of my time and expertise.
Critiques are not a replacement for a penetration test or other, more formal, types of consulting engagement.
Q: "How do I know your time or expertise is worth the flat rate?"
If you're unsure, I invite you to read my blog posts covering security topics. Here's a brief sample:
- Database Cryptography Fur The Rest Of Us: The intersection of database software and cryptography is surprisingly fertile ground for implementation error and poor design choices. This post explores some of the basics of using cryptography to secure relational (SQL) databases, as well as schema-free (NoSQL) databases.
- What We Do in the /etc/shadow – Cryptography with Passwords: A deep dive into password-based cryptography.
- Introducing Alacrity to Federated Cryptography: A proposal for ensuring that a federated communications service can be reliably kept up-to-date. I coined the term "Cryptographic Alacrity" to describe protocols that prevent stagnation.
Additionally, any blog posts I've written that are tagged with Vulnerability should serve as evidence that I know this space extremely well.
Q: "What if I want more than just a quick critique?"
I'm happy to refer you to consulting firms that specialize in this sort of engagement.
The main reason I'm not offering that sort of boutique service directly is that I'm simply not interested in competing with my friends and colleagues in the security industry.
Rather, critiques are the sort of advice I used to give away for free during social media and/or message board arguments, but with a shifted focus onto clarity and actionable recommendations rather than winning an impromptu debate.
Q: "What payment methods do you accept?"
I prefer to send a PayPal invoice, which should allow you to pay with any payment card method even if you do not use PayPal.
Other payment methods can be discussed if that's not an option. I'm flexible.
Q: "Can you help with marketing our privacy tool?"
Probably not! I'm not a marketing or advertising guy.
What I can offer you is a list of things I would brutally criticize if I saw your marketing copy in the wild.
For example, describing an encryption tool as "zero knowledge" anywhere. Zero knowledge is a property of certain types of mathematical proofs; it's not an appropriate term for encryption technology. The marketers who adopted this term to describe encryption need to be hit in the face with several rotten tomatoes.