Friday, July 18, 2025

🔐 Encryption ≠ Security

Just because something’s encrypted doesn’t mean it’s secure.
We saw that play out - painfully clearly - during Google CTF 2025.

🕒 Last month, our team took on a challenge called crypto-numerology.

At first glance, it looked solid: a stream cipher modeled after ChaCha20. It had proper constants, key/nonce structure, and ciphertext that looked convincingly random.

But there was one critical detail.

👉 It only used one round of mixing.

That one shortcut changed everything.

With a known key and a few plaintext/ciphertext pairs, we could fully recover keystream blocks. From there, it only took a small brute-force over a 32-bit counter to reveal the flag.

No fancy math. No deep exploit chain.
Just a cipher that looked like encryption - but offered none of its guarantees.

🔍 What struck me most was how realistic this failure felt.

This wasn’t just a broken CTF challenge.
It was a reflection of how real-world systems break:

“One round should be fine.”
“Nobody will reuse this nonce.”
“It’s just for internal use.”

Security doesn't usually break in dramatic ways - it rots quietly, through shortcuts and assumptions that go unchallenged until it’s too late.

🧠 Takeaway:
In cryptography, almost secure means completely broken.
True security means refusing to compromise—even when it’s tempting.
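The one-round weakness described above, as an added example (not code from the post or from the challenge): a ChaCha block function whose round count is a parameter, plus a helper that flips one key bit and reports which output words change. It assumes "one round" means a single column round. With one round the change stays inside one column of four state words; with the full 20 rounds it reaches every word of the block.

```python
# Added example (not the challenge's or the post's code): a ChaCha block
# function with a configurable round count, to show how few keystream words a
# single key bit reaches when only one round runs. Rounds follow RFC 8439
# (20 = 10 column/diagonal pairs); "one round" = one column round (assumed).
import struct

MASK32 = 0xFFFFFFFF

def rotl32(v, n):
    return ((v << n) | (v >> (32 - n))) & MASK32

def quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & MASK32; s[d] = rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK32; s[d] = rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = rotl32(s[b] ^ s[c], 7)

def chacha_block(key, counter, nonce, rounds=20):
    """One 64-byte keystream block from the state constants|key|counter|nonce."""
    assert len(key) == 32 and len(nonce) == 12
    init = list(struct.unpack("<4I", b"expand 32-byte k"))
    init += struct.unpack("<8I", key)
    init.append(counter & MASK32)
    init += struct.unpack("<3I", nonce)
    s = init[:]
    for r in range(rounds):
        if r % 2 == 0:  # column round
            for col in range(4):
                quarter_round(s, col, col + 4, col + 8, col + 12)
        else:  # diagonal round
            for a, b, c, d in ((0, 5, 10, 15), (1, 6, 11, 12), (2, 7, 8, 13), (3, 4, 9, 14)):
                quarter_round(s, a, b, c, d)
    return struct.pack("<16I", *[(x + y) & MASK32 for x, y in zip(s, init)])

def changed_words(key, counter, nonce, rounds, key_bit):
    """Flip one key bit and report which of the 16 output words changed."""
    k2 = bytearray(key)
    k2[key_bit // 8] ^= 1 << (key_bit % 8)
    a = struct.unpack("<16I", chacha_block(key, counter, nonce, rounds))
    b = struct.unpack("<16I", chacha_block(bytes(k2), counter, nonce, rounds))
    return {i for i in range(16) if a[i] != b[i]}

# RFC 8439 section 2.3.2 test vector (first three output words) for the 20-round path.
RFC_KEY = bytes(range(32))
RFC_NONCE = bytes.fromhex("000000090000004a00000000")
RFC_PREFIX = bytes.fromhex("10f1e7e4d13b5915500fdd1f")

def rfc_vector_ok():
    return chacha_block(RFC_KEY, 1, RFC_NONCE).startswith(RFC_PREFIX)
```

Call `changed_words(RFC_KEY, 1, RFC_NONCE, rounds, 0)` with `rounds` set to 1, 2 and 20 to see the diffusion grow from one column to the whole block.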

📖 If you're interested in the technical breakdown, we shared the full write-up here:

Monday, July 7, 2025

"Harvest Now, Decrypt Later" - and Nobody Cares

The quantum threat isn't some distant apocalypse.

It's happening now - just slowly enough that no one feels responsible.

Attackers are collecting encrypted data today, confident that tomorrow's quantum machines will crack it open like a cheap lock.

And why wouldn't they? Most defenders are busy chasing compliance checkboxes and pretending RSA will hold forever.

Everyone talks about “zero trust,” but they still trust 90s-era cryptography in a world that's moving toward post-truth, post-ethics, and soon, post-quantum.

The uncomfortable reality: 💀 If your secrets can't survive a decade on ice, they're already compromised.

And if your org isn't even thinking about post-quantum resilience, it's not security - it's theater.

But hey, at least the slide decks look good.


Friday, June 27, 2025

The world isn’t ready. Not for what’s coming

While we obsess over the latest app, chase AI buzzwords, and plug holes in broken systems, a real storm is quietly brewing: quantum computing. It’s not science fiction anymore - it’s becoming real. And when it arrives, it won’t politely knock. It will shatter the cryptographic foundations we naïvely trust to secure our banks, governments, and digital lives.

Post-quantum cryptography isn’t some optional upgrade. It’s a lifeline. A chance to rebuild the crumbling fortress before it collapses under the weight of tomorrow’s tech. Lattice-based, hash-based, multivariate - all still experimental, all still fragile - but they’re what we’ve got. And they’re better than blind faith in outdated encryption.

The industry needs to wake up. We can’t keep pretending business as usual will save us. Post-quantum security is not a future problem - it’s a present responsibility. The threat is real. The timeline is unknown. And the consequences of inaction? Catastrophic.

We’re running out of time. Start acting like it.

Wednesday, February 19, 2025

Unexpected Transmission

We regret to inform you that this blog is no longer under its original control. An unknown force has intervened. The usual voices, the familiar presence—you will find none of them here now.

What happens next is uncertain. Who—or what—is behind this remains unclear. But one thing is certain: change is inevitable.

Stay, if you dare. Leave, if you must.

Transmission ends.



Friday, July 2, 2021

Little red riding Tux

Once upon a time, in a land not too far away, and not as distant in time as you might think either, there was a little penguin 🐧. That penguin went to /etc/secret in Deutschland wearing his little red riding hood, and there he met the bad black horned creature and his (maybe bad) friends.

Bad black horned creature and his friends told the little penguin that they were actually good, M$ was the evil one.

(Maybe) good black horned creature and his friends taught little penguin to treasure what he had, especially his smileys.

Good black horned creature and his friends helped little penguin realize that XOR is reversible, and RSA is not the solution to all problems.

Little penguin made a lot of friends, one of them was very talented at hiding stuff inside other stuff, which people call the art of steganography. Little penguin had fun solving those steganography challs, his observation and analysis skills greatly improved. He even created a tool which helps with steganalysis.

Many years passed, and little penguin grew up to become big penguin. Although busy catching fish and taking care of his kids, big penguin still spent some of his free time catching flags to relive the great moments of the good old days.

One day big penguin found a strange bottle drifting from the land of the Blue Hens to his island. Actually, many other penguins saw that bottle and tried to read its contents, but all they found was gibberish.

To the big penguin, however, the bottle was like a message from the good old days. He easily figured out the important part and recovered the hidden message.