home.social


1000 results for “Meat_Bucket”

  1. We’ve all been there. You are walking down the street, minding your own business, and a clinically cheerful chugger with a bolt-on grin moves to block your path asking for “just a moment of your time”. If you are lucky, your averted gaze and mumbled “no thank you” sees them seeking out their next victim. If you are unlucky, you end up taking away a leaflet, or worse.

    I tend to be very good at fending off unwanted interaction. Usually, the wife is equally effective at walking on by without engaging. That is until last week. She claims she was distracted. Out walking with the baby in the pram, she claims she did not register being accosted until it was too late.

    Regardless of how it happened, in the end she left clutching a leaflet in hand. On this occasion, the Jehovah’s Witnesses had been the ones trying to get her attention.

    The leaflet she came home with is titled How do you view the future? and includes a drawing of a young girl holding a handful of soil with a seedling growing out of it. Below the picture, the leaflet asks Will our world… stay the same? get worse? get better?

    The pedant in me wants to point out it must be one of the three options, providing we can agree by what metric we are judging ‘better’, but I’m not here to just point out the obvious. Slightly less obvious, there is nothing on the front cover to identify where the leaflet came from, or the real purpose of handing them out.

    Open up the leaflet and those questions are quickly answered. It is full of bible verses which are purported to answer the questions on the front cover. Finally, when you turn to the back of the leaflet, you discover the authors and are invited to find out more about the religion by requesting further information, or heaven offend (pun very much intended) a visit from church members.

    I have spoken before about my lack of belief in any kind of deity. I certainly do not subscribe to any particular religion. When I first saw the leaflet on the kitchen counter and heard the story I was tempted to go through the details inside the leaflet and give my thoughts on why they are (probably) wrong. Having paused for a moment to think about it, I realise there are much more informed people out there who can critique the content.

    I thought instead, I would tackle the question at the heart of the pamphlet. Set aside the religious elements for now. How do I view the future? Do I think it will get better, worse or stay the same?

    I should make clear I am not looking to make specific or short-term predictions about the future. Invariably, they will be wrong. Just look at the likes of Back to the Future Part II predicting the world of 2015 back in 1989 (where is my hoverboard?). I’m also not going to be making really long term predictions. Ironically, the further we look into the future (and we’re talking millions and billions of years here) the better the predictions get. Scientists have a pretty good idea for example how our planet will meet its end, and roughly when. What I am aiming for is the sweet spot in between too soon and specific, and too far away and easy.

    The planet

    The leaflet the wife was given leant heavily on environmental imagery as part of its visual appeal, so let’s start with the planet, or more specifically the environment including the climate. How do I see the future for the only planet we call home?

    In short, bad, really bad and then probably good.

    In not quite as short, I’m sadly a realist when it comes to the environment. There are glimmers of hope for the natural world here and there with genuine positive change to lessen humanity’s impact upon it, but overall the current trend is business as usual. And by business as usual, I of course mean biodiversity loss, over-exploitation of limited resources and the release of greenhouse gases into the atmosphere. The planet will get warmer, animals will go extinct, and everything including humans will suffer as a result.

    The planet’s climate is already showing signs of instability, but as it gets worse, and particularly as sea levels rise displacing a lot of people, we are going to see a huge surge of climate refugees moving across the planet. I’m going to talk about politics below, but for this section it is enough to guess there will be conflict. If we are lucky, it will be no more than passionate debate and legal cases. If we are unlucky, well…

    This is all a bit doom and gloomy, and unfortunately I think we have reached a point where it will be, at least temporarily. But there is hope. Because almost without exception, when humanity stops being entitled fools and gives nature the chance to regrow, it does. Countless examples exist of woodlands and meadows and lakes which have been left to their own devices after industrial processes have ceased, and they are beautiful landscapes (albeit not exactly how things would have appeared originally).

    This will happen for the planet as a whole, and I can say this with confidence as one of two options will occur: either humanity will see the error of their ways and start to ease up on nature (dare I say work in harmony with it?), or, option two, humanity will die out because of our hubris and the planet will be left to heal and go on its merry way. Either option leads to a better, greener, healthier world. I just hope we go for option one to make sure our descendants are around to enjoy it.

    Not the planet

    I love the idea of space and space travel. As a child this would be Star Wars and Star Trek, as an adult the Foundation and Dune novels. If someone asks me what I have on my bucket list, I only half-jokingly say go into space. I would like to say here that I envisage an interplanetary future for humanity in the medium term, but more and more I think it is neither an option nor desirable. I’ve given my thoughts here and here about space exploration and stand by my conclusions (if anything I have become a more staunch ProGaian) so here I will stick to what I actually think will happen in space in the medium term.

    In short, nothing much. There are those out there advocating for colonies on Mars and mining asteroids and the like by the middle of the century, but I have been persuaded this is something we neither should nor could achieve. I am currently reading A City on Mars, a fantastic book by Kelly and Zach Weinersmith which explores just this topic, and it is clear the odds of actually getting functioning colonies on other planets in even the next century or two are slim. As I have said in my posts linked above, I think we should keep exploring space, with bigger and bigger space telescopes and robotic missions across the solar system likely options, but short of occasional trips to the moon and possibly non-permanent trips to Mars, I do not envisage humanity reaching for the stars any time soon.

    Politics, politics, politics

    I have a post which I started several years ago titled Independence, Together. If you are frantically searching through my blog to give it a read you will not find it because I never actually finished it, and probably never will. In it, I wrote about my support of Scottish independence (which failed) and my opposition to Brexit (which did not, clearly political punditry is not in my future…), and attempted to square the circle of the seeming contradiction in those two points of view. This post here is not an attempt to complete that blog post, so you will just have to accept it was brilliantly argued and was persuasive…

    Why I bring this up is I still feel the position I hold (despite short-term failures) is the future for the global political sphere, namely a move towards greater localism and also a more connected supranational cooperative framework. Think globally, act locally is the political position I hold most dearly, and I think it is likely to be one humanity moves closer towards in the next couple of centuries.

    This might sound utopian, and obviously I hope it will be, but both positions come with risks. The more fragmented political systems are, the greater the risk of local conflicts which can then escalate to bigger conflicts through the implementation of alliances, while equally the more monolithic a political system, the greater the risk the individual person is lost in it and suffers as a result. Both of these actions could happen as a result of local globalism. Like with the environment I will have to hope humanity picks the utopian option instead before it is too late.

    It’s the economy stupid

    When I was at school, I was taught there are three* broad levels to the economy. Primary economic activity is things like farming, fishing and mining, gathering stuff. Secondary activities include building and manufacturing and food production, making stuff. Tertiary economic activities are the provision of services like restaurants, healthcare and transport, selling stuff. The more advanced an economy becomes, the more it moves along the path from mostly primary to mostly tertiary activities. When crusty old politicians moan about a country not making things anymore, they are moaning about what is supposed to be a good thing and a sign of progress.

    The general trend of economies moving from primary to tertiary has been going on for a couple of hundred years now, and I can see this starting to reverse in the next couple of hundred. No, I am not imagining we will all resort to subsistence farming as we abandon industrial processes, but rather, as people become more and more concerned about the provenance of the stuff they are buying, more people will shift into farming and the like to provide the higher quality products people want. Today we, often snidely, call these artisanal products, but I think this trend is something which will continue. Couple this with the general trend towards more vegetarians and vegans living on the planet, and those who produce non-meat foods in particular will have a bonanza.

    For those in the secondary industry business, I can see this desire for higher quality affecting them too, particularly the right to repair movement. Mass producing cheap but easily breakable tat is going to become less and less acceptable (if it ever was), and people are going to demand higher quality products with the ability to be fixed or upgraded when they break or are worn out. In short, I see the current levels of consumerism damping down in the coming years, and for the planet (see above) it cannot come a moment too soon.

    (*I think I would add two more levels** to this schema; quaternary activity where people with too much money trade that money with other people with too much money and then use it to buy tertiary businesses, hoarding stuff, and quinary activity where tech bros invent digital tech they think everyone will want a part of but in the end this becomes a badge of idiocy when the bubble bursts, imagining stuff.)

    (**yes, I know additional levels of the economy already exist, shush…)

    The end is science

    As a lover and applier of science, I could not finish a post about the future without considering some of the advances science may well make in the not too distant future (and contrary to some people’s views, even if science has an end point, I don’t think we are anywhere near there yet).

    Understanding the mind and consciousness is the big question I would like to see answered. My personal expectation is that they are both an emergent property, an inevitable result of such a complex system as the brain, but what that means at a fundamental level would be fantastic to see elucidated.

    After this, abiogenesis, or the origins of life, would be an excellent second prize. I am resigned to the fact we will probably never conclusively demonstrate how life on Earth began, but a plausible theoretical model would be the next best thing.

    The third big discovery I see us making in the medium term is related to the space bit above, extraterrestrial life. I’m not expecting little green men and flying saucers, but with the likes of JWST and future telescope projects, I think the idea of confirming biosignatures on other planets is just a matter of time.

    And there we have it, a blog post about the future which manages to avoid mentioning AI (wait a minute… dammit!).

    OK, OK, I’ll talk about it, but only for one paragraph***. Do we have AI at the moment? No. Not by any stretch of the imagination (and don’t come at me with large language models. Excessively wasteful, inaccurate algorithms don’t count). But will we reach a point when we have proper AI, often called artificial general intelligence? Also no. The reason I see it like this is partly because of my comments above on emergent properties and consciousness. The brain is really complicated, and while computers can be made exceptionally complex, they are essentially binary decision makers, yes or no, on or off. The ion channels at the heart of neuronal function can be considered binary, open or closed, but how they get to that state can include inputs which can fully open or close them, partially open or close them, block them or otherwise do the exact opposite action to that which you would imagine. The brain is not a binary thinking machine, it is far more complicated than that, so expecting we can ever reach a point where we will create an artificial general intelligence, at least in the medium term, seems too much of a stretch for me.

    (*** yes I know it’s a long one, but it’s just the one paragraph so it counts!)

    To the future and beyond

    So there you have it. How do I see the future? Fair to say a mixed bag. From the moment I publish this blog I am going to leave it up as is without amendments, typos and all. Assuming Twaddle lasts a few hundred years (…) it will be interesting to see how close I get.

    What do you think about my predictions? Do you have any ideas of your own about the future? Drop them below in the comments and let’s see who is closer to the mark.

    https://twaddle.blog/2024/04/01/care-to-take-a-leaflet/

    #AI #Future #Futurology #Idealist #Politics #Positivity #Pragmatist #Predictions #Prophecy #Religion #Science #Space #TheEconomy #TheEnvironment


    https://twaddle.blog/2024/02/23/care-to-take-a-leaflet/

  3. We’ve all been there. You are walking down the street, minding your own business, and a clinically cheerful chugger with a bolt-on grin moves to block your path asking for “just a moment of your time”. If you are lucky, your averted gaze and mumbled “no thank you” sees them seeking out their next victim. If you are unlucky, you end up taking away a leaflet, or worse.

    I tend to be very good at fending off unwanted interaction. Usually, the wife is equally effective at walking on by without engaging. That is until last week. She claims she was distracted. Out walking with the baby in the pram, she claims she did not registered being accosted until it was too late.

    Regardless of how it happened, in the end she left clutching a leaflet in hand. On this occasion, the Jehovah’s Witnesses had been the ones trying to get her attention.

    The leaflet she came home with is titled How do you view the future? and includes a drawing of a young girl holding a handful of soil with a seedling growing out of it. Below the picture, the leaflet asks Will our world… stay the same? get worse? get better?

    The pedant in me wants to point out it must be one of the three options, providing we can agree by what metric we are judging ‘better’, but I’m not here to just point out the obvious. Slightly less obvious, there is nothing on the front cover to identify where the leaflet came from, or the real purpose of handing them out.

    Open up the leaflet and those questions are quickly answered. It is full of bible verses which are purported to answer the questions on the front cover. Finally, when you turn to the back of the leaflet, you discover the authors and are invited to find out more about the religion by requesting further information, or heaven offend (pun very much intended) a visit from church members.

    I have spoken before about my lack of belief in any kind of deity. I certainly do not subscribe to any particular religion. When I first saw the leaflet on the kitchen counter and heard the story I was tempted to go through the details inside the leaflet and give my thoughts on why they are (probably) wrong. Having paused for a moment to think about it, I realise there are much more informed people out there who can critique the content.

    I thought instead, I would tackle the question at the heart of the pamphlet. Set aside the religious elements for now. How do I view the future? Do I think it will get better, worse or stay the same?

    I should make clear I am not looking to make specific or short-term predictions about the future. Invariably, they will be wrong. Just look at the likes of Back to the Future Part II predicting the world of 2015 back in 1989 (where is my hoverboard?). I’m also not going to be making really long term predictions. Ironically, the further we look into the future (and we’re talking millions and billions of years here) the better the predictions get. Scientists have a pretty good idea for example how our planet will meet its end, and roughly when. What I am aiming for is the sweet spot in between too soon and specific, and too far away and easy.

    The planet

    The leaflet the wife was given leant heavily on environmental imagery as part of its visual appeal, so let’s start with the planet, or more specifically the environment including the climate. How do I see the future for the only planet we call home?

    In short, bad, really bad and then probably good.

    In not quite as short, I’m sadly a realist when it comes to the environment. There are glimmers of hope for the natural world here and there with genuine positive change to lessen humanity’s impact upon it, but overall the current trend is business as usual. And by business as usual, I of course mean biodiversity loss, over-exploitation of limited resources and the release of greenhouse gases into the atmosphere. The planet will get warmer, animals will go extinct, and everything including humans will suffer as a result.

    The planet’s climate is already showing signs of instability, but as it gets worse, and particularly as sea levels rise displacing a lot of people, we are going to see a huge surge of climate refugees moving across the planet. I’m going to talk about politics below, but for this section it is enough to guess there will be conflict. If we are lucky, it will be no more than passionate debate and legal cases. If we are unlucky, well…

    This is all a bit doom and gloomy, and unfortunately I think we have reached a point where it will be, at least temporarily. But there is hope. Because almost without exception, when humanity stops being entitled fools and gives nature the chance to regrow, it does. Countless examples exist of woodlands and meadows and lakes which have been left to their own devices after industrial processes have ceased, and they are beautiful landscapes (albeit not exactly how things would have appeared originally).

    This will happen for the planet as a whole, and I can say this with confidence as one of two things will occur; either humanity will see the error of its ways and start to ease up on nature (dare I say work in harmony with it?), or humanity will die out because of our hubris and the planet will be left to heal and go on its merry way. Either option leads to a better, greener, healthier world. I just hope we go for option one to make sure our descendants are around to enjoy it.

    Not the planet

    I love the idea of space and space travel. As a child this would be Star Wars and Star Trek, as an adult the Foundation and Dune novels. If someone asks me what I have on my bucket list, I only half-jokingly say go into space. I would like to say here that I envisage an interplanetary future for humanity in the medium term, but more and more I think it is neither an option nor desirable. I’ve given my thoughts here and here about space exploration and stand by my conclusions (if anything I have become a more staunch ProGaian) so here I will stick to what I actually think will happen in space in the medium term.

    In short, nothing much. There are those out there advocating for colonies on Mars and mining asteroids and the like by the middle of the century, but I have been persuaded this is something we neither should nor could achieve. I am currently reading A City on Mars, a fantastic book by Kelly and Zach Weinersmith which explores just this topic, and it is clear the odds of actually getting functioning colonies on other planets in even the next century or two are slim. As I have said in my posts linked above, I think we should keep exploring space, with bigger and bigger space telescopes and robotic missions across the solar system likely options, but short of occasional trips to the moon and possibly non-permanent trips to Mars, I do not envisage humanity reaching for the stars any time soon.

    Politics, politics, politics

    I have a post which I started several years ago titled Independence, Together. If you are frantically searching through my blog to give it a read you will not find it because I never actually finished it, and probably never will. In it, I wrote about my support of Scottish independence (which failed) and my opposition to Brexit (which did not, clearly political punditry is not in my future…), and attempted to square the circle of the seeming contradiction in those two points of view. This post here is not an attempt to complete that blog post, so you will just have to accept it was brilliantly argued and was persuasive…

    Why I bring this up is I still feel the position I hold (despite short-term failures) is the future for the global political sphere, namely a move towards greater localism and also a more connected supranational cooperative framework. Think globally, act locally is the political position I hold most dearly, and I think it is likely to be one humanity moves closer towards in the next couple of centuries.

    This might sound utopian, and obviously I hope it will be, but both positions come with risks. The more fragmented political systems are, the greater the risk of local conflicts which can then escalate to bigger conflicts through the implementation of alliances, while equally the more monolithic a political system, the greater the risk the individual person is lost in it and suffers as a result. Both of these actions could happen as a result of local globalism. Like with the environment I will have to hope humanity picks the utopian option instead before it is too late.

    It’s the economy stupid

    When I was at school, I was taught there are three* broad levels to the economy. Primary economic activity is things like farming, fishing and mining, gathering stuff. Secondary activities include building and manufacturing and food production, making stuff. Tertiary economic activities are the provision of services like restaurants, healthcare and transport, selling stuff. The more advanced an economy becomes, the more it moves along the path from mostly primary to mostly tertiary activities. When crusty old politicians moan about a country not making things anymore, they are moaning about what is supposed to be a good thing and a sign of progress.

    The general trend of economies moving from primary to tertiary has been going on for a couple of hundred years now, and I can see this starting to reverse in the next couple of hundred. No, I am not imagining we will all resort to subsistence farming as we abandon industrial processes, but rather as people become more and more concerned about the provenance of the stuff they are buying, the more people will shift into farming and the like to provide the higher quality products people want. Today we, often snidely, call these artisanal products, but I think this trend is something which will continue. Couple this with the general trend towards more vegetarians and vegans living on the planet, and particularly those who produce non-meat foods will have a bonanza.

    For those in the secondary industry business, I can see this desire for higher quality affecting them too, particularly the right to repair movement. Mass producing cheap but easily breakable tat is going to become less and less acceptable (if it ever was), and people are going to demand higher quality products with the ability to be fixed or upgraded when they break or are worn out. In short, I see the current levels of consumerism damping down in the coming years, and for the planet (see above) it cannot come a moment too soon.

    (*I think I would add two more levels** to this schema; quaternary activity where people with too much money trade that money with other people with too much money and then use it to buy tertiary businesses, hoarding stuff, and quinary activity where tech bros invent digital tech they think everyone will want a part of but in the end this becomes a badge of idiocy when the bubble bursts, imagining stuff.)

    (**yes, I know additional levels of the economy already exist, shush…)

    The end is science

    As a lover and applier of science, I could not finish a post about the future without considering some of the advances science may well make in the not too distant future (and contrary to some people’s views, even if science has an end point, I don’t think we are anywhere near there yet).

    Understanding the mind and consciousness is the big question I would like to see answered. My personal expectation is that they are both emergent properties, an inevitable result of a system as complex as the brain, but what that means at a fundamental level would be fantastic to see elucidated.

    After this, abiogenesis, or the origins of life, would be an excellent second prize. I am resigned to the fact we will probably never conclusively demonstrate how life on Earth began, but a plausible theoretical model would be the next best thing.

    The third big discovery I see us making in the medium term is related to the space bit above, extraterrestrial life. I’m not expecting little green men and flying saucers, but with the likes of JWST and future telescope projects, I think the idea of confirming biosignatures on other planets is just a matter of time.

    And there we have it, a blog post about the future which manages to avoid mentioning AI (wait a minute… dammit!).

    OK, OK, I’ll talk about it, but only for one paragraph***. Do we have AI at the moment? No. Not by any stretch of the imagination (and don’t come at me with large language models. Excessively wasteful, inaccurate algorithms don’t count). But will we reach a point when we have proper AI, often called artificial general intelligence? Also no. The reason I see it like this is partly because of my comments above on emergent properties and consciousness. The brain is really complicated, and while computers can be made exceptionally complex, they are essentially binary decision makers, yes or no, on or off. The ion channels at the heart of neuronal function can be considered binary, open or closed, but how they get to that state can include inputs which can fully open or close them, partially open or close them, block them or otherwise do the exact opposite action to that which you would imagine. The brain is not a binary thinking machine, it is far more complicated than that, so expecting we can ever reach a point where we will create an artificial general intelligence, at least in the medium term, seems too much of a stretch for me.

    (*** yes I know it’s a long one, but it’s just the one paragraph so it counts!)

    To the future and beyond

    So there you have it. How do I see the future? Fair to say a mixed bag. From the moment I publish this blog I am going to leave it up as is without amendments, typos and all. Assuming Twaddle lasts a few hundred years (…) it will be interesting to see how close I get.

    What do you think about my predictions? Do you have any ideas of your own about the future? Drop them below in the comments and let’s see who is closer to the mark.

    https://twaddle.blog/2024/02/23/care-to-take-a-leaflet/

    #AI #Future #Futurology #Idealist #Politics #Positivity #Pragmatist #Predictions #Prophecy #Religion #Science #Space #TheEconomy #TheEnvironment

  4. Earlier this year, Cendyne wrote a blog post covering the use of HKDF, building partially upon my own blog post about HKDF and the KDF security definition, but more so inspired by a cryptographic issue they identified in another company’s product (dubbed AnonCo).

    At the bottom they teased:

    Database cryptography is hard. The above sketch is not complete and does not address several threats! This article is quite long, so I will not be sharing the fixes.

    Cendyne

    If you read Cendyne’s post, you may have nodded along with that remark and not appreciate the degree to which our naga friend was putting it mildly. So I thought I’d share some of my knowledge about real-world database cryptography in an accessible and fun format in the hopes that it might serve as an introduction to the specialization.

    Note: I’m also not going to fix Cendyne’s sketch of AnonCo’s software here–partly because I don’t want to get in the habit of assigning homework or required reading, but mostly because it’s kind of obvious once you’ve learned the basics.

    I’m including art of my fursona in this post… as is tradition for furry blogs.

    If you don’t like furries, please feel free to leave this blog and read about this topic elsewhere.

    Thanks to CMYKat for the awesome stickers.

    Contents

    • Database Cryptography?
    • Cryptography for Relational Databases
      • The Perils of Built-in Encryption Functions
      • Application-Layer Relational Database Cryptography
        • Confused Deputies
        • Canonicalization Attacks
        • Multi-Tenancy
    • Cryptography for NoSQL Databases
      • NoSQL is Built Different
      • Record Authentication
        • Bonus: A Maximally Schema-Free, Upgradeable Authentication Design
    • Searchable Encryption
      • Order-{Preserving, Revealing} Encryption
      • Deterministic Encryption
      • Homomorphic Encryption
      • Searchable Symmetric Encryption (SSE)
      • You Can Have Little a HMAC, As a Treat
    • Intermission
    • Case Study: MongoDB Client-Side Encryption
      • MongoCrypt: The Good
        • How is Queryable Encryption Implemented?
      • MongoCrypt: The Bad
      • MongoCrypt: The Ugly
    • Wrapping Up

    Database Cryptography?

    The premise of database cryptography is deceptively simple: You have a database, of some sort, and you want to store sensitive data in said database.

    The consequences of this simple premise are anything but simple. Let me explain.

    Art: ScruffKerfluff

    The sensitive data you want to store may need to remain confidential, or you may need to provide some sort of integrity guarantees throughout your entire system, or sometimes both. Sometimes all of your data is sensitive, sometimes only some of it is. Sometimes the confidentiality requirements of your data extend to where within a dataset the record you want actually lives. Sometimes that’s true of some data, but not others, so your cryptography has to be flexible to support multiple types of workloads.

    Other times, you just want your disks encrypted at rest so if they grow legs and walk out of the data center, the data cannot be comprehended by an attacker. And you can’t be bothered to work on this problem any deeper. This is usually what compliance requirements cover. Boxes get checked, executives feel safer about their operation, and the whole time nobody has really analyzed the risks they’re facing.

    But we’re not settling for mere compliance on this blog. Furries have standards, after all.

    So the first thing you need to do before diving into database cryptography is threat modelling. The first step in any good threat model is taking inventory; especially of assumptions, requirements, and desired outcomes. A few good starter questions:

    1. What database software is being used? Is it up to date?
    2. What data is being stored in which database software?
    3. How are databases oriented in the network of the overall system?
      • Is your database properly firewalled from the public Internet?
    4. How does data flow throughout the network, and when do these data flows intersect with the database?
      • Which applications talk to the database? What languages are they written in? Which APIs do they use?
    5. How will cryptography secrets be managed?
      • Is there one key for everyone, one key per tenant, etc.?
      • How are keys rotated?
      • Do you use envelope encryption with an HSM, or vend the raw materials to your end devices?

    The first two questions are paramount for deciding how to write software for database cryptography, before you even get to thinking about the cryptography itself.

    (This is not a comprehensive set of questions to ask, either. A formal threat model is much deeper in the weeds.)

    The kind of cryptography protocol you need for, say, storing encrypted CSV files in an S3 bucket is vastly different from relational (SQL) databases, which in turn will be significantly different from schema-free (NoSQL) databases.

    Furthermore, when you get to the point that you can start to think about the cryptography, you’ll often need to tackle confidentiality and integrity separately.

    If that’s unclear, think of a scenario like, “I need to encrypt PII, but I also need to digitally sign the lab results so I know it wasn’t tampered with at rest.”

    My point is, right off the bat, we’ve got a three-dimensional matrix of complexity to contend with:

    1. On one axis, we have the type of database.
      • Flat-file
      • Relational
      • Schema-free
    2. On another, we have the basic confidentiality requirements of the data.
      • Field encryption
      • Row encryption
      • Column encryption
      • Unstructured record encryption
      • Encrypting entire collections of records
    3. Finally, we have the integrity requirements of the data.
      • Field authentication
      • Row/column authentication
      • Unstructured record authentication
      • Collection authentication (based on e.g. Sparse Merkle Trees)

    And then you have a fourth dimension that often falls out of operational requirements for databases: Searchability.

    Why store data in a database if you have no way to index or search the data for fast retrieval?

    Credit: Harubaki

    If you’re starting to feel overwhelmed, you’re not alone. A lot of developers drastically underestimate the difficulty of the undertaking, until they run head-first into the complexity.

    Some just phone it in with AES_Encrypt() calls in their MySQL queries. (Too bad ECB mode doesn’t provide semantic security!)

    Which brings us to the meat of this blog post: The actual cryptography part.

    Cryptography is the art of transforming information security problems into key management problems.

    Former coworker

    Note: In the interest of time, I’m skipping over flat files and focusing instead on actual database technologies.

    Cryptography for Relational Databases

    Encrypting data in an SQL database seems simple enough, even if you’ve managed to shake off the complexity I teased from the introduction.

    You’ve got data, you’ve got a column on a table. Just encrypt the data and shove it in a cell on that column and call it a day, right?

    But, alas, this is a trap. There are so many gotchas that I can’t weave a coherent, easy-to-follow narrative between them all.

    So let’s start with a simple question: where and how are you performing your encryption?

    The Perils of Built-in Encryption Functions

    MySQL provides functions called AES_Encrypt and AES_Decrypt, which many developers have unfortunately decided to rely on in the past.

    It’s unfortunate because these functions implement ECB mode. To illustrate why ECB mode is bad, I encrypted one of my art commissions with AES in ECB mode:

    Art by Riley, encrypted with AES-ECB

    The problems with ECB mode aren’t exactly “you can see the image through it,” because ECB-encrypting a compressed image won’t have redundancy (and thus can make you feel safer than you are).

    ECB art is a good visual for the actual issue you should care about, however: A lack of semantic security.

    A cryptosystem is considered semantically secure if observing the ciphertext doesn’t reveal information about the plaintext (except, perhaps, the length; which all cryptosystems leak to some extent). More information here.

    ECB art isn’t to be confused with ECB poetry, which looks like this:

    Oh little one, you’re growing up
    You’ll soon be writing C
    You’ll treat your ints as pointers
    You’ll nest the ternary
    You’ll cut and paste from github
    And try cryptography
    But even in your darkest hour
    Do not use ECB

    CBC’s BEASTly when padding’s abused
    And CTR’s fine til a nonce is reused
    Some say it’s a CRIME to compress then encrypt
    Or store keys in the browser (or use javascript)
    Diffie Hellman will collapse if hackers choose your g
    And RSA is full of traps when e is set to 3
    Whiten! Blind! In constant time! Don’t write an RNG!
    But failing all, and listen well: Do not use ECB

    They’ll say “It’s like a one-time-pad!
    The data’s short, it’s not so bad
    the keys are long–they’re iron clad
    I have a PhD!”
    And then you’re front page Hacker News
    Your passwords cracked–Adobe Blues.
    Don’t leave your penguins showing through,
    Do not use ECB

    — Ben Nagy, PoC||GTFO 0x04:13

    Most people reading this probably know better than to use ECB mode already, and don’t need any of these reminders, but there is still a lot of code that inadvertently uses ECB mode to encrypt data in the database.

    Also, SHOW processlist; leaks your encryption keys. Oops.

    Credit: CMYKatt

    Application-layer Relational Database Cryptography

    Whether burned by ECB or just cautious about not giving your secrets to the system that stores all the ciphertext protected by said secret, a common next step for developers is to simply encrypt in their server-side application code.

    And, yes, that’s part of the answer. But how you encrypt is important.

    Credit: Harubaki

    “I’ll encrypt with CBC mode.”
    If you don’t authenticate your ciphertext, you’ll be sorry. Maybe try again?

    “Okay, fine, I’ll use an authenticated mode like GCM.”
    Did you remember to make the table and column name part of your AAD? What about the primary key of the record?

    “What on Earth are you talking about, Soatok?”
    Welcome to the first footgun of database cryptography!

    Confused Deputies

    Encrypting your sensitive data is necessary, but not sufficient. You need to also bind your ciphertexts to the specific context in which they are stored.

    To understand why, let’s take a step back: What specific threat does encrypting your database records protect against?

    We’ve already established that “your disks walk out of the datacenter” is a “full disk encryption” problem, so if you’re using application-layer cryptography to encrypt data in a relational database, your threat model probably involves unauthorized access to the database server.

    What, then, stops an attacker from copying ciphertexts around?

    Credit: CMYKatt

    Let’s say I have a legitimate user account with an ID 12345, and I want to read your street address, but it’s encrypted in the database. But because I’m a clever hacker, I have unfettered access to your relational database server.

    All I would need to do is simply…

    UPDATE table SET addr_encrypted = 'your-ciphertext' WHERE id = 12345

    …and then access the application through my legitimate access. Bam, data leaked. As an attacker, I can probably even copy fields from other columns and it will just decrypt. Even if you’re using an authenticated mode.

    We call this a confused deputy attack, because the deputy (the component of the system that has been delegated some authority or privilege) has become confused by the attacker, and thus undermined an intended security goal.

    The fix is to use the AAD parameter from the authenticated mode to bind the data to a given context. (AAD = Additional Authenticated Data.)

    - $addr = aes_gcm_encrypt($addr, $key);
    + $addr = aes_gcm_encrypt($addr, $key, canonicalize([
    +     $tableName,
    +     $columnName,
    +     $primaryKey
    + ]));

    Now if I start cutting and pasting ciphertexts around, I get a decryption failure instead of silently decrypting plaintext.

    This may sound like a specific vulnerability, but it’s more of a failure to understand an important general lesson with database cryptography:

    Where your data lives is part of its identity, and MUST be authenticated.

    Soatok’s Rule of Database Cryptography

    Canonicalization Attacks

    In the previous section, I introduced a pseudocode called canonicalize(). This isn’t a pasto from some reference code; it’s an important design detail that I will elaborate on now.

    First, consider you didn’t do anything to canonicalize your data, and you just joined strings together and called it a day…

    function dumbCanonicalize(
        string $tableName,
        string $columnName,
        string|int $primaryKey
    ): string {
        return $tableName . '_' . $columnName . '#' . $primaryKey;
    }

    Consider these two inputs to this function:

    1. dumbCanonicalize('customers', 'last_order_uuid', 123);
    2. dumbCanonicalize('customers_last_order', 'uuid', 123);

    In this case, your AAD would be the same, and therefore, your deputy can still be confused (albeit in a narrower use case).

    In Cendyne’s article, AnonCo did something more subtle: The canonicalization bug created a collision on the inputs to HKDF, which resulted in an unintentional key reuse.

    Up until this point, their mistake isn’t relevant to us, because we haven’t even explored key management at all. But the same design flaw can re-emerge in multiple locations, with drastically different consequence.
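    The confused deputy fix and the canonicalization point above, worked through in Python as an added example (this is not the blog's code; aes_gcm_encrypt and canonicalize above are pseudocode). The AEAD here is a stand-in built only from the standard library, an HMAC-SHA256 keystream in counter mode with an HMAC-SHA256 tag over (AAD, nonce, ciphertext), so the file runs offline; in production you would pass the same AAD to a library AEAD such as AES-GCM. The table, column and primary key values are constructed sample data.

```python
"""Context-bound cell encryption with an injective canonicalization.

Added example, not the blog's code. The AEAD is a standard-library stand-in
(HMAC-SHA256 keystream in counter mode, encrypt-then-MAC with an HMAC-SHA256
tag over AAD, nonce and ciphertext); a library AES-GCM call with the same
AAD is what you would use in production.
"""
import hashlib
import hmac
import os
import struct
from typing import Sequence, Tuple, Union


class DecryptionError(Exception):
    """Raised when the tag does not verify (wrong key, wrong AAD, or tampering)."""


def _to_bytes(part: Union[str, int, bytes]) -> bytes:
    return part if isinstance(part, bytes) else str(part).encode("utf-8")


def canonicalize(parts: Sequence[Union[str, int, bytes]]) -> bytes:
    """Injective encoding: element count, then each element as (length, bytes).

    Explicit lengths mean no separator character inside a part can make two
    different tuples encode to the same byte string.
    """
    out = struct.pack(">I", len(parts))
    for part in parts:
        b = _to_bytes(part)
        out += struct.pack(">I", len(b)) + b
    return out


def dumb_canonicalize(table: str, column: str, pk: Union[str, int]) -> bytes:
    """The flawed joiner from the text: '_' and '#' are legal inside identifiers."""
    return f"{table}_{column}#{pk}".encode("utf-8")


def _subkeys(key: bytes) -> Tuple[bytes, bytes]:
    # Separate encryption and MAC subkeys derived from the one stored key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def aead_encrypt(key: bytes, plaintext: bytes, aad: bytes) -> bytes:
    """Returns nonce || ciphertext || tag. The tag binds the AAD, so the same
    ciphertext presented under a different context fails to decrypt."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, canonicalize([aad, nonce, ct]), hashlib.sha256).digest()
    return nonce + ct + tag


def aead_decrypt(key: bytes, blob: bytes, aad: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    if len(blob) < 48:
        raise DecryptionError("truncated blob")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, canonicalize([aad, nonce, ct]), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise DecryptionError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def encrypt_cell(key: bytes, table: str, column: str, pk: Union[str, int], value: str) -> bytes:
    """Where the data lives (table, column, primary key) is the AAD."""
    return aead_encrypt(key, value.encode("utf-8"), canonicalize([table, column, pk]))


def decrypt_cell(key: bytes, table: str, column: str, pk: Union[str, int], blob: bytes) -> str:
    return aead_decrypt(key, blob, canonicalize([table, column, pk])).decode("utf-8")


def demo() -> dict:
    """Constructed scenario from the text: victim row id=1, attacker row id=12345."""
    key = os.urandom(32)
    victim_blob = encrypt_cell(key, "customers", "addr_encrypted", 1, "1 Victim Lane")
    try:  # attacker ran: UPDATE customers SET addr_encrypted = <victim_blob> WHERE id = 12345
        decrypt_cell(key, "customers", "addr_encrypted", 12345, victim_blob)
        moved_decrypts = True
    except DecryptionError:
        moved_decrypts = False
    return {
        "honest_decrypts": decrypt_cell(key, "customers", "addr_encrypted", 1, victim_blob) == "1 Victim Lane",
        "moved_ciphertext_decrypts": moved_decrypts,
        "dumb_collides": dumb_canonicalize("customers", "last_order_uuid", 123)
        == dumb_canonicalize("customers_last_order", "uuid", 123),
        "injective_collides": canonicalize(["customers", "last_order_uuid", 123])
        == canonicalize(["customers_last_order", "uuid", 123]),
    }


if __name__ == "__main__":
    print(demo())
```

    The length prefixes are what make canonicalize injective: the two inputs that collide under dumb_canonicalize encode to different byte strings, and the victim's ciphertext copied into the attacker's row fails the tag check because the primary key is part of the AAD. Since the tag is an HMAC over the whole (AAD, nonce, ciphertext) tuple under a key-derived subkey, this stand-in is also generally regarded as key committing, which is the property the multi-tenancy section below asks for; a polynomial MAC AEAD such as AES-GCM is not, and needs a commitment added.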

    Multi-Tenancy

    Once you’ve implemented a mitigation against Confused Deputies, you may think your job is done. And it very well could be.

    Often times, however, software developers are tasked with building support for Bring Your Own Key (BYOK).

    This is often spawned from a specific compliance requirement (such as cryptographic shredding; i.e. if you erase the key, you can no longer recover the plaintext, so it may as well be deleted).

    Other times, this is driven by a need to cut costs: Storing different users’ data in the same database server, but encrypting it such that each tenant can only decrypt their own records.

    Two things can happen when you introduce multi-tenancy into your database cryptography designs:

    1. Invisible Salamanders becomes a risk, due to multiple keys being possible for any given encrypted record.
    2. Failure to address the risk of Invisible Salamanders can undermine your protection against Confused Deputies, thereby returning you to a state before you properly used the AAD.

    So now you have to revisit your designs and ensure you’re using a key-committing authenticated mode, rather than just a regular authenticated mode.

    Isn’t cryptography fun?

    “What Are Invisible Salamanders?”

    This refers to a fun property of AEAD modes based on polynomial MACs (such as GCM’s GHASH or Poly1305). Basically, if you:

    1. Encrypt one message under a specific key and nonce.
    2. Encrypt another message under a separate key and nonce.

    …Then you can get the same exact ciphertext and authentication tag. Performing this attack requires you to control the keys for both encryption operations.

    This was first demonstrated in an attack against encrypted messaging applications, where a picture of a salamander was hidden from the abuse reporting feature because another attached file had the same authentication tag and ciphertext, and you could trick the system if you disclosed the second key instead of the first. Thus, the salamander is invisible to the abuse reporting feature.

    Art: CMYKat

    We’re not quite done with relational databases yet, but we should talk about NoSQL databases for a bit. The final topic in scope applies equally to both, after all.

    Cryptography for NoSQL Databases

    Most of the topics from relational databases also apply to NoSQL databases, so I shall refrain from duplicating them here. This article is already sufficiently long to read, after all, and I dislike redundancy.

    NoSQL is Built Different

    The main thing that NoSQL databases offer in the service of making cryptographers lose sleep at night is the schema-free nature of NoSQL designs.

    What this means is that, if you’re using a client-side encryption library for a NoSQL database, the previous concerns about confused deputy attacks are amplified by the malleability of the document structure.

    Additionally, the previously discussed cryptographic attacks against the encryption mode may be less expensive for an attacker to pull off.

    Consider the following record structure, which stores a bunch of data stored with AES in CBC mode:

    {
      "encrypted-data-key": "<blob>",
      "name": "<ciphertext>",
      "address": [
        "<ciphertext>",
        "<ciphertext>"
      ],
      "social-security": "<ciphertext>",
      "zip-code": "<ciphertext>"
    }

    If this record is decrypted with code that looks something like this:

    $decrypted = [];
    // ... snip ...
    foreach ($record['address'] as $i => $addrLine) {
        try {
            $decrypted['address'][$i] = $this->decrypt($addrLine);
        } catch (Throwable $ex) {
            // You'd never deliberately do this, but it's for illustration
            $this->doSomethingAnOracleCanObserve($i);

            // This is more believable, of course:
            $this->logDecryptionError($ex, $addrLine);
            $decrypted['address'][$i] = '';
        }
    }

    Then you can keep appending rows to the "address" field to reduce the number of writes needed to exploit a padding oracle attack against any of the <ciphertext> fields.

    Art: Harubaki

    This isn’t to say that NoSQL is less secure than SQL, from the context of client-side encryption. However, the powerful feature sets that NoSQL users are accustomed to may also give attackers a more versatile toolkit to work with.

    Record Authentication

    A pedant may point out that record authentication applies to both SQL and NoSQL. However, I mostly only observe this feature in NoSQL databases and document storage systems in the wild, so I’m shoving it in here.

    Encrypting fields is nice and all, but sometimes what you want to know is that your unencrypted data hasn’t been tampered with as it flows through your system.

    The trivial way this is done is by using a digital signature algorithm over the whole record, and then appending the signature to the end. When you go to verify the record, all of the information you need is right there.

    This works well enough for most use cases, and everyone can pack up and go home. Nothing more to see here.

    Except…

    When you’re working with NoSQL databases, you often want systems to be able to write to additional fields, and since you’re working with schema-free blobs of data rather than a normalized set of relatable tables, the most sensible thing to do is to append this data to the same record.

    Except, oops! You can’t do that if you’re shoving a digital signature over the record. So now you need to specify which fields are to be included in the signature.

    And you need to think about how to model that in a way that doesn’t prohibit schema upgrades nor allow attackers to perform downgrade attacks. (See below.)

    I don’t have any specific real-world examples here that I can point to of this problem being solved well.

    Art: CMYKat

    Furthermore, as with preventing confused deputy and/or canonicalization attacks above, you must also include the fully qualified path of each field in the data that gets signed.

    As I said with encryption before, but also true here:

    Where your data lives is part of its identity, and MUST be authenticated.

    Soatok’s Rule of Database Cryptography

    This requirement holds true whether you’re using symmetric-key authentication (i.e. HMAC) or asymmetric-key digital signatures (e.g. EdDSA).

    Bonus: A Maximally Schema-Free, Upgradeable Authentication Design

    Art: Harubaki

    Okay, how do you solve this problem so that you can perform updates and upgrades to your schema but without enabling attackers to downgrade the security? Here’s one possible design.

    Let’s say you have two metadata fields on each record:

    1. A compressed binary string representing which fields should be authenticated. This field is, itself, not authenticated. Let’s call this meta-auth.
    2. A compressed binary string representing which of the authenticated fields should also be encrypted. This field is also authenticated. This is at most the same length as the first metadata field. Let’s call this meta-enc.

    Furthermore, you will specify a canonical field ordering for both how data is fed into the signature algorithm as well as the field mappings in meta-auth and meta-enc.

    {
      "example": {
        "credit-card": {
          "number": /* encrypted */,
          "expiration": /* encrypted */,
          "ccv": /* encrypted */
        },
        "superfluous": {
          "rewards-member": null
        }
      },
      "meta-auth": compress_bools([
        true,  /* example.credit-card.number */
        true,  /* example.credit-card.expiration */
        true,  /* example.credit-card.ccv */
        false, /* example.superfluous.rewards-member */
        true   /* meta-enc */
      ]),
      "meta-enc": compress_bools([
        true,  /* example.credit-card.number */
        true,  /* example.credit-card.expiration */
        true,  /* example.credit-card.ccv */
        false  /* example.superfluous.rewards-member */
      ]),
      "signature": /* -- snip -- */
    }

    When you go to append data to an existing record, you’ll need to update meta-auth to include the mapping of fields based on this canonical ordering to ensure only the intended fields get validated.

    When you update your code to add an additional field that is intended to be signed, you can roll that out for new records and the record will continue to be self-describing:

    • New records will have the additional field flagged as authenticated in meta-auth (and meta-enc will grow)
    • Old records will not, but your code will still sign them successfully
    • To prevent downgrade attacks, simply include a schema version ID as an additional plaintext field that gets authenticated. An attacker who tries to downgrade will need to be able to produce a valid signature too.

    You might think meta-auth gives an attacker some advantage, but this only includes which fields are included in the security boundary of the signature or MAC, which allows unauthenticated data to be appended for whatever operational purpose without having to update signatures or expose signing keys to a wider part of the network.

    {
      "example": {
        "credit-card": {
          "number": /* encrypted */,
          "expiration": /* encrypted */,
          "ccv": /* encrypted */
        },
        "superfluous": {
          "rewards-member": null
        }
      },
      "meta-auth": compress_bools([
        true,  /* example.credit-card.number */
        true,  /* example.credit-card.expiration */
        true,  /* example.credit-card.ccv */
        false, /* example.superfluous.rewards-member */
        true,  /* meta-enc */
        true   /* meta-version */
      ]),
      "meta-enc": compress_bools([
        true,  /* example.credit-card.number */
        true,  /* example.credit-card.expiration */
        true,  /* example.credit-card.ccv */
        false, /* example.superfluous.rewards-member */
        true   /* meta-version */
      ]),
      "meta-version": 0x01000000,
      "signature": /* -- snip -- */
    }

    If an attacker tries to use the meta-auth field to mess with a record, the best they can hope for is an Invalid Signature exception (assuming the signature algorithm is secure to begin with).

    Even if they keep all of the fields the same, but play around with the structure of the record (e.g. changing the XPath or equivalent), so long as the path is authenticated with each field, breaking this is computationally infeasible.
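To make the design concrete, here is an added example (my code, not the post’s or any project’s) that implements it in Python with HMAC-SHA256 standing in for the signature. The canonical field list, the bit-packing used for compress_bools(), and the length-prefixed path/value encoding are assumptions of the example, not details the post specifies.

```python
import copy
import hashlib
import hmac
import json
import struct
from functools import reduce

# Canonical field ordering (an assumption of this example): the data fields in the
# order the post lists them, then the metadata fields that are themselves
# authenticated. meta-auth is deliberately absent: it describes the boundary
# of the signature but lives outside it.
CANONICAL_FIELDS = [
    "example.credit-card.number",
    "example.credit-card.expiration",
    "example.credit-card.ccv",
    "example.superfluous.rewards-member",
    "meta-enc",
    "meta-version",
]
SCHEMA_VERSION = 0x01000000  # the meta-version value from the post's example

def compress_bools(flags):
    """Pack booleans into a compact byte string, one bit per flag."""
    out = bytearray((len(flags) + 7) // 8)
    for i, flag in enumerate(flags):
        if flag:
            out[i // 8] |= 1 << (i % 8)
    return bytes(out)

def decompress_bools(blob, count):
    """Inverse of compress_bools() for the first `count` flags."""
    return [bool((blob[i // 8] >> (i % 8)) & 1) for i in range(count)]

def encode_field(path, value):
    """Length-prefix (uint64, big-endian) both the fully qualified path and the value,
    so a concatenation of fields cannot be re-split into a different field list."""
    raw = value if isinstance(value, bytes) else json.dumps(value, sort_keys=True).encode()
    p = path.encode()
    return struct.pack(">Q", len(p)) + p + struct.pack(">Q", len(raw)) + raw

def authenticated_message(record):
    """The fields meta-auth selects, in canonical order, each tagged with its path."""
    flags = decompress_bools(record["meta-auth"], len(CANONICAL_FIELDS))
    return b"".join(
        encode_field(path, reduce(lambda node, key: node[key], path.split("."), record))
        for path, selected in zip(CANONICAL_FIELDS, flags) if selected
    )

def sign_record(record, key):
    """HMAC-SHA256 stands in for the signature; an EdDSA signature fits the same slot."""
    record["signature"] = hmac.new(key, authenticated_message(record), hashlib.sha256).hexdigest()
    return record

def verify_record(record, key):
    expected = hmac.new(key, authenticated_message(record), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, record["signature"])

def build_sample_record():
    """Constructed sample record; the card fields hold placeholder ciphertexts."""
    return {
        "example": {
            "credit-card": {"number": "ct:number", "expiration": "ct:expiration", "ccv": "ct:ccv"},
            "superfluous": {"rewards-member": None},
        },
        # order: number, expiration, ccv, rewards-member, meta-enc, meta-version
        "meta-auth": compress_bools([True, True, True, False, True, True]),
        # order: number, expiration, ccv, rewards-member, meta-version
        "meta-enc": compress_bools([True, True, True, False, True]),
        "meta-version": SCHEMA_VERSION,
    }

def tamper_results(key):
    """verify_record() outcomes for several modifications of a signed record.
    Only appending data to the unauthenticated field should still verify."""
    base = sign_record(build_sample_record(), key)
    results = {}
    # Operational data appended to a field outside the boundary: signature still valid.
    r = copy.deepcopy(base)
    r["example"]["superfluous"]["rewards-member"] = "gold"
    results["append_unauthenticated"] = verify_record(r, key)
    # Attacker clears ccv's bit in meta-auth and substitutes ccv: the signed message changes.
    r = copy.deepcopy(base)
    r["meta-auth"] = compress_bools([True, True, False, False, True, True])
    r["example"]["credit-card"]["ccv"] = "ct:attacker-chosen"
    results["shrink_meta_auth"] = verify_record(r, key)
    # Schema downgrade: meta-version is authenticated, so this fails too.
    r = copy.deepcopy(base)
    r["meta-version"] = 0
    results["downgrade_version"] = verify_record(r, key)
    # Same ciphertexts, swapped between paths: paths are part of the message.
    r = copy.deepcopy(base)
    cc = r["example"]["credit-card"]
    cc["number"], cc["expiration"] = cc["expiration"], cc["number"]
    results["swap_paths"] = verify_record(r, key)
    return results
```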

    Searchable Encryption

    If you’ve managed to make it through the previous sections, congratulations, you now know enough to build a secure but completely useless database.

    Art: CMYKat

    Okay, put away the pitchforks; I will explain.

    Part of the reason why we store data in a database, rather than a flat file, is because we want to do more than just read and write. Sometimes computer scientists want to compute. Almost always, you want to be able to query your database for a subset of records based on your specific business logic needs.

    And so, a database which doesn’t do anything more than store ciphertext and maybe signatures is pretty useless to most people. You’d have better luck selling Monkey JPEGs to furries than convincing most businesses to part with their precious database-driven report generators.

    Art: Sophie

    So whenever one of your users wants to actually use their data, rather than just store it, they’re forced to decide between two mutually exclusive options:

    1. Encrypting the data, to protect it from unauthorized disclosure, but render it useless
    2. Doing anything useful with the data, but leaving it unencrypted in the database

    This is especially annoying for business types that are all in on the Zero Trust buzzword.

    Fortunately, the cryptographers are at it again, and boy howdy do they have a lot of solutions for this problem.

    Order-{Preserving, Revealing} Encryption

    On the fun side of things, you have things like Order-Preserving and Order-Revealing Encryption, which Matthew Green wrote about at length.

    [D]atabase encryption has been a controversial subject in our field. I wish I could say that there’s been an actual debate, but it’s more that different researchers have fallen into different camps, and nobody has really had the data to make their position in a compelling way. There have actually been some very personal arguments made about it.

    Attack of the week: searchable encryption and the ever-expanding leakage function

    The problem with these designs is that their leakage is significant enough that they no longer provide semantic security.

    From Grubbs, et al. (GLMP, 2019.)
    Colors inverted to fit my blog’s theme better.

    To put it in other words: These designs are only marginally better than ECB mode, and probably deserve their own poems too.

    Order revealing
    Reveals much more than order
    Softcore ECB

    Order preserving
    Semantic security?
    Only in your dreams

    Haiku for your consideration

    Deterministic Encryption

    Here’s a simpler, but also terrible, idea for searchable encryption: Simply give up on semantic security entirely.

    If you recall the AES_{De,En}crypt() functions built into MySQL I mentioned at the start of this article, those are the most common form of deterministic encryption I’ve seen in use.

     SELECT * FROM foo WHERE bar = AES_Encrypt('query', 'key');

    However, there are slightly less bad variants. If you use AES-GCM-SIV with a static nonce, your ciphertexts are fully deterministic, and you can encrypt a small number of distinct records safely before you’re no longer secure.

    From Page 14 of the linked paper.

    That’s certainly better than nothing, but you also can’t mitigate confused deputy attacks. But we can do better than this.

    Homomorphic Encryption

    In a safer plane of academia, you’ll find homomorphic encryption, which researchers recently demonstrated with serving Wikipedia pages in a reasonable amount of time.

    Homomorphic encryption allows computations over the ciphertext, which will be reflected in the plaintext, without ever revealing the key to the entity performing the computation.

    If this sounds vaguely similar to the conditions that enable chosen-ciphertext attacks, you probably have a good intuition for how it works: RSA is homomorphic to multiplication, AES-CTR is homomorphic to XOR. Fully homomorphic encryption uses lattices, which enables multiple operations but carries a relatively enormous performance cost.

    Art: Harubaki

    Homomorphic encryption sometimes intersects with machine learning, because the notion of training an encrypted model by feeding it encrypted data, then decrypting it after-the-fact is desirable for certain business verticals. Your data scientists never see your data, and you have some plausible deniability about the final ML model this work produces. This is like a Siren song for Venture Capitalist-backed medical technology companies. Tech journalists love writing about it.

    However, a less-explored use case is the ability to encrypt your programs but still get the correct behavior and outputs. Although this sounds like a DRM technology, it’s actually something that individuals could one day use to prevent their ISPs or cloud providers from knowing what software is being executed on the customer’s leased hardware. The potential for a privacy win here is certainly worth pondering, even if you’re a tried and true Pirate Party member.

    Just say “NO” to the copyright cartels.

    Art: CMYKat

    Searchable Symmetric Encryption (SSE)

    Forget about working at the level of fields and rows or individual records. What if we, instead, worked over collections of documents, where each document is viewed as a set of keywords from a keyword space?

    Art: CMYKat

    That’s the basic premise of SSE: Encrypting collections of documents rather than individual records.

    The actual implementation details differ greatly between designs. They also differ greatly in their leakage profiles and susceptibility to side-channel attacks.

    Some schemes use a so-called trapdoor permutation, such as RSA, as one of their building blocks.

    Some schemes only allow for searching a static set of records, while others can accommodate new data over time (trading off more leakage against worse performance).

    If you’re curious, you can learn more about SSE here, and see some open source SSE implementations online here.

    You’re probably wondering, “If SSE is this well-studied and there are open source implementations available, why isn’t it more widely used?”

    Your guess is as good as mine, but I can think of a few reasons:

    1. The protocols can be a little complicated to implement, and aren’t shipped by default in cryptography libraries (i.e. OpenSSL’s libcrypto or libsodium).
    2. Every known security risk in SSE is the product of a trade-off, rather than there being a single winner for all use cases that developers can feel comfortable picking.
    3. Insufficient marketing and developer advocacy.
      SSE schemes are mostly of interest to academics, although Seny Kamara (Brown University professor and one of the luminaries of searchable encryption) did try to develop an app called Pixek which used SSE to encrypt photos.

    Maybe there’s room for a cryptography competition on searchable encryption schemes in the future.

    You Can Have Little a HMAC, As a Treat

    Finally, I can’t talk about searchable encryption without discussing a technique that’s older than dirt by Internet standards, and that has been independently reinvented by countless software developers tasked with encrypting database records.

    The oldest version I’ve been able to track down dates to 2006 by Raul Garcia at Microsoft, but I’m not confident that it didn’t exist before.

    The idea I’m alluding to goes like this:

    1. Encrypt your data, securely, using symmetric cryptography.
      (Hopefully your encryption addresses the considerations outlined in the relevant sections above.)
    2. Separately, calculate an HMAC over the unencrypted data with a separate key used exclusively for indexing.

    When you need to query your data, you can just recalculate the HMAC of your challenge and fetch the records that match it. Easy, right?

    Even if you rotate your keys for encryption, you keep your indexing keys static across your entire data set. This lets you have durable indexes for encrypted data, which gives you the ability to do literal lookups for the performance hit of a hash function.

    Additionally, everyone has HMAC in their toolkit, so you don’t have to move around implementations of complex cryptographic building blocks. You can live off the land. What’s not to love?

    Hooray!

    However, if you stopped here, we regret to inform you that your data is no longer indistinguishable from random, which probably undermines the security proof for your encryption scheme.

    How annoying!

    Of course, you don’t have to stop with the addition of plain HMAC to your database encryption software.

    Take a page from Troy Hunt: Truncate the output to provide k-anonymity rather than a direct literal look-up.

    “K-What Now?”

    Imagine you have a full HMAC-SHA256 of the plaintext next to every ciphertext record with a static key, for searchability.

    Each HMAC output corresponds 1:1 with a unique plaintext.

    Because you’re using HMAC with a secret key, an attacker can’t just build a rainbow table like they would when attempting password cracking, but it still leaks duplicate plaintexts.

    For example, an HMAC-SHA256 output might look like this: 04a74e4c0158e34a566785d1a5e1167c4e3455c42aea173104e48ca810a8b1ae

    Art: CMYKat

    If you were to slice off most of those bytes (e.g. leaving only the last 3, which in the previous example yields a8b1ae), then with sufficient records, multiple plaintexts will now map to the same truncated HMAC tag.

    Which means if you’re only revealing a truncated HMAC tag to the database server (both when storing records or retrieving them), you can now expect false positives due to collisions in your truncated HMAC tag.

    These false positives give your data a discrete set of anonymity (called k-anonymity), which means an attacker with access to your database cannot:

    1. Distinguish between two encrypted records with the same short HMAC tag.
    2. Reverse engineer the short HMAC tag into a single possible plaintext value, even if they can supply candidate queries and study the tags sent to the database.

    Art: CMYKat

    As with SSE above, this short HMAC technique exposes a trade-off to users.

    • Too much k-anonymity (i.e. too many false positives), and you will have to decrypt-then-discard multiple mismatching records. This can make queries slow.
    • Not enough k-anonymity (i.e. insufficient false positives), and you’re no better off than a full HMAC.

    Even more troublesome, the right amount to truncate is expressed in bits (not bytes), and calculating this value depends on the number of unique plaintext values you anticipate in your dataset. (Fortunately, it grows logarithmically, so you’ll rarely if ever have to tune this.)

    If you’d like to play with this idea, here’s a quick and dirty demo script.
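Here is an added example of the truncated-HMAC index (my code, not the demo script the post refers to or any project’s code). It keeps only the leading bits of an HMAC-SHA256 tag, picks the bit count from the expected number of distinct plaintexts, and shows the decrypt-then-discard step; the dataset and index key are constructed, and a client-side dictionary stands in for actual decryption.

```python
import hashlib
import hmac
import math

def blind_index(index_key, plaintext, bits):
    """HMAC-SHA256 over the plaintext, keeping only the leading `bits` bits.
    bits=256 is the full tag (1:1 with plaintexts); fewer bits give collisions."""
    tag = hmac.new(index_key, plaintext.encode(), hashlib.sha256).digest()
    return int.from_bytes(tag, "big") >> (256 - bits)

def choose_truncation_bits(expected_distinct, target_k):
    """Keep enough bits that about `target_k` distinct plaintexts share each tag:
    2**bits ~= expected_distinct / target_k. Doubling the dataset adds one bit."""
    return max(1, math.floor(math.log2(expected_distinct / target_k)))

class KAnonymousIndex:
    """Server side: only (short tag, record id) pairs. Client side: the index key and,
    standing in for decryption, the plaintext it would recover for each record id."""
    def __init__(self, index_key, bits):
        self.index_key = index_key
        self.bits = bits
        self.server_rows = []         # what the database server ever sees
        self._client_plaintexts = {}  # stands in for decrypt(record_id)

    def insert(self, plaintext):
        record_id = len(self._client_plaintexts)
        self._client_plaintexts[record_id] = plaintext
        self.server_rows.append((blind_index(self.index_key, plaintext, self.bits), record_id))
        return record_id

    def lookup(self, plaintext):
        """Returns (matching record ids, number of candidates the server handed back).
        The server only learns the short tag; the client decrypts and discards mismatches."""
        tag = blind_index(self.index_key, plaintext, self.bits)
        candidates = [rid for t, rid in self.server_rows if t == tag]
        matches = [rid for rid in candidates if self._client_plaintexts[rid] == plaintext]
        return matches, len(candidates)

    def bucket_sizes(self):
        """How many records share each short tag: the per-tag k of k-anonymity."""
        sizes = {}
        for tag, _ in self.server_rows:
            sizes[tag] = sizes.get(tag, 0) + 1
        return sizes

def demo(index_key=b"constructed-index-key-0123456789", n=64, target_k=4):
    """Constructed dataset of n distinct e-mail-like plaintexts."""
    bits = choose_truncation_bits(n, target_k)
    idx = KAnonymousIndex(index_key, bits)
    plaintexts = [f"user{i:03d}@example.test" for i in range(n)]
    for p in plaintexts:
        idx.insert(p)
    matches, fetched = idx.lookup(plaintexts[7])
    return {
        "bits": bits,
        "matches": matches,
        "fetched": fetched,
        "largest_bucket": max(idx.bucket_sizes().values()),
        "full_tags_distinct": len({blind_index(index_key, p, 256) for p in plaintexts}),
    }
```

With 64 distinct values and 4-bit tags, the pigeonhole principle guarantees at least one tag shared by four or more records, whereas the untruncated tags remain one-to-one with the plaintexts.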

    Intermission

    If you started reading this post with any doubts about Cendyne’s statement that “Database cryptography is hard”, by making it to this point, they’ve probably been long since put to rest.

    Art: Harubaki

    Conversely, anyone that specializes in this topic is probably waiting for me to say anything novel or interesting; their patience wearing thin as I continue to rehash a surface-level introduction of their field without really diving deep into anything.

    Thus, if you’ve read this far, I’d like to demonstrate the application of what I’ve covered thus far to a real-world case study of a database cryptography product.

    Case Study: MongoDB Client-Side Encryption

    MongoDB is an open source schema-free NoSQL database. Last year, MongoDB made waves when they announced Queryable Encryption in their upcoming client-side encryption release.

    Taken from the press release, but adapted for dark themes.

    A statement at the bottom of their press release indicates that this isn’t clown-shoes:

    Queryable Encryption was designed by MongoDB’s Advanced Cryptography Research Group, headed by Seny Kamara and Tarik Moataz, who are pioneers in the field of encrypted search. The Group conducts cutting-edge peer-reviewed research in cryptography and works with MongoDB engineering teams to transfer and deploy the latest innovations in cryptography and privacy to the MongoDB data platform.

    If you recall, I mentioned Seny Kamara in the SSE section of this post. They certainly aren’t wrong about Kamara and Moataz being pioneers in this field.

    So with that in mind, let’s explore the implementation in libmongocrypt and see how it stands up to scrutiny.

    MongoCrypt: The Good

    MongoDB’s encryption library takes key management seriously: They provide a KMS integration for cloud users by default (supporting both AWS and Azure).

    MongoDB uses Encrypt-then-MAC with AES-CBC and HMAC-SHA256, which is congruent to what Signal does for message encryption.

    How Is Queryable Encryption Implemented?

    From the current source code, we can see that MongoCrypt generates several different types of tokens, using HMAC (calculation defined here).

    According to their press release:

    The feature supports equality searches, with additional query types such as range, prefix, suffix, and substring planned for future releases.

    MongoDB Queryable Encryption Announcement

    Which means that most of the juicy details probably aren’t public yet.

    These HMAC-derived tokens are stored wholesale in the data structure, but most are encrypted before storage using AES-CTR.

    There are more layers of encryption (using AEAD), server-side token processing, and more AES-CTR-encrypted edge tokens. All of this is finally serialized (implementation) as one blob for storage.

    Since only the equality operation is currently supported (which is the same feature you’d get from HMAC), it’s difficult to speculate what the full feature set looks like.

    However, since Kamara and Moataz are leading its development, it’s likely that this feature set will be excellent.

    MongoCrypt: The Bad

    Every call to do_encrypt() includes at most the Key ID (but typically NULL) as the AAD. This means that the concerns over Confused Deputies (and NoSQL specifically) are relevant to MongoDB.

    However, even if they did support authenticating the fully qualified path to a field in the AAD for their encryption, their AEAD construction is vulnerable to the kind of canonicalization attack I wrote about previously.

    First, observe this code which assembles the multi-part inputs into HMAC.

    /* Construct the input to the HMAC */
    uint32_t num_intermediates = 0;
    _mongocrypt_buffer_t intermediates[3];
    // -- snip --
    if (!_mongocrypt_buffer_concat (
      &to_hmac, intermediates, num_intermediates)) {
       CLIENT_ERR ("failed to allocate buffer");
       goto done;
    }
    if (hmac == HMAC_SHA_512_256) {
       uint8_t storage[64];
       _mongocrypt_buffer_t tag = {.data = storage, .len = sizeof (storage)};
       if (!_crypto_hmac_sha_512 (crypto, Km, &to_hmac, &tag, status)) {
          goto done;
       }
       // Truncate sha512 to first 256 bits.
       memcpy (out->data, tag.data, MONGOCRYPT_HMAC_LEN);
    } else {
       BSON_ASSERT (hmac == HMAC_SHA_256);
       if (!_mongocrypt_hmac_sha_256 (crypto, Km, &to_hmac, out, status)) {
          goto done;
       }
    }

    The implementation of _mongocrypt_buffer_concat() can be found here.

    If either the implementation of that function, or the code I snipped from my excerpt, had contained code that prefixed every segment of the AAD with the length of the segment (represented as a uint64_t to make overflow infeasible), then their AEAD mode would not be vulnerable to canonicalization issues.

    Using TupleHash would also have prevented this issue.

    Silver lining for MongoDB developers: Because the AAD is either a key ID or NULL, this isn’t exploitable in practice.

    The first cryptographic flaw sort of cancels the second out.

    If the libmongocrypt developers ever want to mitigate Confused Deputy attacks, they’ll need to address this canonicalization issue too.

    MongoCrypt: The Ugly

    MongoCrypt supports deterministic encryption.

    If you specify deterministic encryption for a field, your application passes a deterministic initialization vector to AEAD.

    MongoDB documentation

    We already discussed why this is bad above.

    Wrapping Up

    This was not a comprehensive treatment of the field of database cryptography. There are many areas of this field that I did not cover, nor do I feel qualified to discuss.

    However, I hope anyone who takes the time to read this finds themselves more familiar with the subject.

    Additionally, I hope any developers who think “encrypting data in a database is [easy, trivial] (select appropriate)” will find this broad introduction a humbling experience.

    Art: CMYKat

    https://soatok.blog/2023/03/01/database-cryptography-fur-the-rest-of-us/

    #appliedCryptography #blockCipherModes #cryptography #databaseCryptography #databases #encryptedSearch #HMAC #MongoCrypt #MongoDB #QueryableEncryption #realWorldCryptography #security #SecurityGuidance #SQL #SSE #symmetricCryptography #symmetricSearchableEncryption

  5. Earlier this year, Cendyne wrote a blog post covering the use of HKDF, building partially upon my own blog post about HKDF and the KDF security definition, but more so inspired by a cryptographic issue they identified in another company’s product (dubbed AnonCo).

    At the bottom they teased:

    Database cryptography is hard. The above sketch is not complete and does not address several threats! This article is quite long, so I will not be sharing the fixes.

    Cendyne

    If you read Cendyne’s post, you may have nodded along with that remark and not appreciated the degree to which our naga friend was putting it mildly. So I thought I’d share some of my knowledge about real-world database cryptography in an accessible and fun format in the hopes that it might serve as an introduction to the specialization.

    Note: I’m also not going to fix Cendyne’s sketch of AnonCo’s software here–partly because I don’t want to get in the habit of assigning homework or required reading, but mostly because it’s kind of obvious once you’ve learned the basics.

    I’m including art of my fursona in this post… as is tradition for furry blogs.

    If you don’t like furries, please feel free to leave this blog and read about this topic elsewhere.

    Thanks to CMYKat for the awesome stickers.

    Contents

    • Database Cryptography?
    • Cryptography for Relational Databases
      • The Perils of Built-in Encryption Functions
      • Application-Layer Relational Database Cryptography
        • Confused Deputies
        • Canonicalization Attacks
        • Multi-Tenancy
    • Cryptography for NoSQL Databases
      • NoSQL is Built Different
      • Record Authentication
        • Bonus: A Maximally Schema-Free, Upgradeable Authentication Design
    • Searchable Encryption
      • Order-{Preserving, Revealing} Encryption
      • Deterministic Encryption
      • Homomorphic Encryption
      • Searchable Symmetric Encryption (SSE)
      • You Can Have Little a HMAC, As a Treat
    • Intermission
    • Case Study: MongoDB Client-Side Encryption
      • MongoCrypt: The Good
        • How is Queryable Encryption Implemented?
      • MongoCrypt: The Bad
      • MongoCrypt: The Ugly
    • Wrapping Up

    Database Cryptography?

    The premise of database cryptography is deceptively simple: You have a database, of some sort, and you want to store sensitive data in said database.

    The consequences of this simple premise are anything but simple. Let me explain.

    Art: ScruffKerfluff

    The sensitive data you want to store may need to remain confidential, or you may need to provide some sort of integrity guarantees throughout your entire system, or sometimes both. Sometimes all of your data is sensitive, sometimes only some of it is. Sometimes the confidentiality requirements of your data extend to where within a dataset the record you want actually lives. Sometimes that’s true of some data, but not others, so your cryptography has to be flexible to support multiple types of workloads.

    Other times, you just want your disks encrypted at rest so if they grow legs and walk out of the data center, the data cannot be comprehended by an attacker. And you can’t be bothered to work on this problem any deeper. This is usually what compliance requirements cover. Boxes get checked, executives feel safer about their operation, and the whole time nobody has really analyzed the risks they’re facing.

    But we’re not settling for mere compliance on this blog. Furries have standards, after all.

    So the first thing you need to do before diving into database cryptography is threat modelling. The first step in any good threat model is taking inventory; especially of assumptions, requirements, and desired outcomes. A few good starter questions:

    1. What database software is being used? Is it up to date?
    2. What data is being stored in which database software?
    3. How are databases oriented in the network of the overall system?
      • Is your database properly firewalled from the public Internet?
    4. How does data flow throughout the network, and when do these data flows intersect with the database?
      • Which applications talk to the database? What languages are they written in? Which APIs do they use?
    5. How will cryptography secrets be managed?
      • Is there one key for everyone, one key per tenant, etc.?
      • How are keys rotated?
      • Do you use envelope encryption with an HSM, or vend the raw materials to your end devices?

    The first two questions are paramount for deciding how to write software for database cryptography, before you even get to thinking about the cryptography itself.

    (This is not a comprehensive set of questions to ask, either. A formal threat model is much deeper in the weeds.)

    The kind of cryptography protocol you need for, say, storing encrypted CSV files in an S3 bucket is vastly different from relational (SQL) databases, which in turn will be significantly different from schema-free (NoSQL) databases.

    Furthermore, when you get to the point that you can start to think about the cryptography, you’ll often need to tackle confidentiality and integrity separately.

    If that’s unclear, think of a scenario like, “I need to encrypt PII, but I also need to digitally sign the lab results so I know it wasn’t tampered with at rest.”

    My point is, right off the bat, we’ve got a three-dimensional matrix of complexity to contend with:

    1. On one axis, we have the type of database.
      • Flat-file
      • Relational
      • Schema-free
    2. On another, we have the basic confidentiality requirements of the data.
      • Field encryption
      • Row encryption
      • Column encryption
      • Unstructured record encryption
      • Encrypting entire collections of records
    3. Finally, we have the integrity requirements of the data.
      • Field authentication
      • Row/column authentication
      • Unstructured record authentication
      • Collection authentication (based on e.g. Sparse Merkle Trees)

    And then you have a fourth dimension that often falls out of operational requirements for databases: Searchability.

    Why store data in a database if you have no way to index or search the data for fast retrieval?

    Credit: Harubaki

    If you’re starting to feel overwhelmed, you’re not alone. A lot of developers drastically underestimate the difficulty of the undertaking, until they run head-first into the complexity.

    Some just phone it in with AES_Encrypt() calls in their MySQL queries. (Too bad ECB mode doesn’t provide semantic security!)

    Which brings us to the meat of this blog post: The actual cryptography part.

    Cryptography is the art of transforming information security problems into key management problems.

    Former coworker

    Note: In the interest of time, I’m skipping over flat files and focusing instead on actual database technologies.

    Cryptography for Relational Databases

    Encrypting data in an SQL database seems simple enough, even if you’ve managed to shake off the complexity I teased from the introduction.

    You’ve got data, you’ve got a column on a table. Just encrypt the data and shove it in a cell on that column and call it a day, right?

    But, alas, this is a trap. There are so many gotchas that I can’t weave a coherent, easy-to-follow narrative between them all.

    So let’s start with a simple question: where and how are you performing your encryption?

    The Perils of Built-in Encryption Functions

    MySQL provides functions called AES_Encrypt and AES_Decrypt, which many developers have unfortunately decided to rely on in the past.

    It’s unfortunate because these functions implement ECB mode. To illustrate why ECB mode is bad, I encrypted one of my art commissions with AES in ECB mode:

    Art by Riley, encrypted with AES-ECB

    The problems with ECB mode aren’t exactly “you can see the image through it,” because ECB-encrypting a compressed image won’t have redundancy (and thus can make you feel safer than you are).

    ECB art is a good visual for the actual issue you should care about, however: A lack of semantic security.

    A cryptosystem is considered semantically secure if observing the ciphertext doesn’t reveal information about the plaintext (except, perhaps, the length; which all cryptosystems leak to some extent). More information here.

    ECB art isn’t to be confused with ECB poetry, which looks like this:

    Oh little one, you’re growing up
    You’ll soon be writing C
    You’ll treat your ints as pointers
    You’ll nest the ternary
    You’ll cut and paste from github
    And try cryptography
    But even in your darkest hour
    Do not use ECB

    CBC’s BEASTly when padding’s abused
    And CTR’s fine til a nonce is reused
    Some say it’s a CRIME to compress then encrypt
    Or store keys in the browser (or use javascript)
    Diffie Hellman will collapse if hackers choose your g
    And RSA is full of traps when e is set to 3
    Whiten! Blind! In constant time! Don’t write an RNG!
    But failing all, and listen well: Do not use ECB

    They’ll say “It’s like a one-time-pad!
    The data’s short, it’s not so bad
    the keys are long–they’re iron clad
    I have a PhD!”
    And then you’re front page Hacker News
    Your passwords cracked–Adobe Blues.
    Don’t leave your penguins showing through,
    Do not use ECB

    — Ben Nagy, PoC||GTFO 0x04:13

    Most people reading this probably know better than to use ECB mode already, and don’t need any of these reminders, but there is still a lot of code that inadvertently uses ECB mode to encrypt data in the database.

    Also, SHOW processlist; leaks your encryption keys. Oops.

    Credit: CMYKatt

    Application-layer Relational Database Cryptography

    Whether burned by ECB or just cautious about not giving your secrets to the system that stores all the ciphertext protected by said secret, a common next step for developers is to simply encrypt in their server-side application code.

    And, yes, that’s part of the answer. But how you encrypt is important.

    Credit: Harubaki

    “I’ll encrypt with CBC mode.”
    If you don’t authenticate your ciphertext, you’ll be sorry. Maybe try again?

    “Okay, fine, I’ll use an authenticated mode like GCM.”
    Did you remember to make the table and column name part of your AAD? What about the primary key of the record?

    “What on Earth are you talking about, Soatok?”
    Welcome to the first footgun of database cryptography!

    Confused Deputies

    Encrypting your sensitive data is necessary, but not sufficient. You need to also bind your ciphertexts to the specific context in which they are stored.

    To understand why, let’s take a step back: What specific threat does encrypting your database records protect against?

    We’ve already established that “your disks walk out of the datacenter” is a “full disk encryption” problem, so if you’re using application-layer cryptography to encrypt data in a relational database, your threat model probably involves unauthorized access to the database server.

    What, then, stops an attacker from copying ciphertexts around?

    Credit: CMYKatt

    Let’s say I have a legitimate user account with an ID 12345, and I want to read your street address, but it’s encrypted in the database. But because I’m a clever hacker, I have unfettered access to your relational database server.

    All I would need to do is simply…

    UPDATE table SET addr_encrypted = 'your-ciphertext' WHERE id = 12345

    …and then access the application through my legitimate access. Bam, data leaked. As an attacker, I can probably even copy fields from other columns and it will just decrypt. Even if you’re using an authenticated mode.

    We call this a confused deputy attack, because the deputy (the component of the system that has been delegated some authority or privilege) has become confused by the attacker, and thus undermined an intended security goal.

    The fix is to use the AAD parameter from the authenticated mode to bind the data to a given context. (AAD = Additional Authenticated Data.)

    - $addr = aes_gcm_encrypt($addr, $key);
    + $addr = aes_gcm_encrypt($addr, $key, canonicalize([
    +     $tableName,
    +     $columnName,
    +     $primaryKey
    + ]));

    Now if I start cutting and pasting ciphertexts around, I get a decryption failure instead of silently decrypting plaintext.

    This may sound like a specific vulnerability, but it’s more of a failure to understand an important general lesson with database cryptography:

    Where your data lives is part of its identity, and MUST be authenticated.

    Soatok’s Rule of Database Cryptography

    Canonicalization Attacks

    In the previous section, I introduced a pseudocode called canonicalize(). This isn’t a pasto from some reference code; it’s an important design detail that I will elaborate on now.

    First, consider you didn’t do anything to canonicalize your data, and you just joined strings together and called it a day…

    function dumbCanonicalize(
        string $tableName,
        string $columnName,
        string|int $primaryKey
    ): string {
        return $tableName . '_' . $columnName . '#' . $primaryKey;
    }

    Consider these two inputs to this function:

    1. dumbCanonicalize('customers', 'last_order_uuid', 123);
    2. dumbCanonicalize('customers_last_order', 'uuid', 123);

    In this case, your AAD would be the same, and therefore, your deputy can still be confused (albeit in a narrower use case).

    In Cendyne’s article, AnonCo did something more subtle: The canonicalization bug created a collision on the inputs to HKDF, which resulted in an unintentional key reuse.

    Up until this point, their mistake isn’t relevant to us, because we haven’t even explored key management at all. But the same design flaw can re-emerge in multiple locations, with drastically different consequence.
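    An added example, not code from the original post: a Python rendering of the naive join above beside an injective, length-prefixed canonicalize() (the same mitigation the MongoCrypt section later calls for), with HMAC-SHA256 standing in for the AEAD's authentication step so the binding can be exercised without an AEAD library. The key and the "ciphertext" bytes are constructed.

```python
import hashlib
import hmac
import struct
from typing import Union

# Constructed demo key; a real deployment loads it from a KMS or secret store.
DEMO_KEY = b"\x00" * 32


def dumb_canonicalize(table: str, column: str, pk: Union[str, int]) -> bytes:
    """The naive string join from the text. The separators can also appear
    inside the segments, so two distinct locations can yield the same AAD."""
    return f"{table}_{column}#{pk}".encode("utf-8")


def canonicalize(*parts: Union[str, int]) -> bytes:
    """Length-prefixed encoding: the segment count and each segment's byte
    length are written as big-endian uint64 ahead of the data, so the encoding
    is injective and no two distinct tuples share an AAD."""
    out = bytearray(struct.pack(">Q", len(parts)))
    for part in parts:
        raw = str(part).encode("utf-8")
        out += struct.pack(">Q", len(raw)) + raw
    return bytes(out)


def bind_tag(key: bytes, ciphertext: bytes, table: str, column: str, pk) -> bytes:
    """Stand-in for an AEAD's authentication step: the tag covers the
    canonicalized storage location (the AAD) and the ciphertext, with the AAD
    length included so the AAD/ciphertext boundary is unambiguous."""
    aad = canonicalize(table, column, pk)
    msg = struct.pack(">Q", len(aad)) + aad + ciphertext
    return hmac.new(key, msg, hashlib.sha256).digest()


def verify_tag(key: bytes, ciphertext: bytes, tag: bytes, table: str, column: str, pk) -> bool:
    expected = bind_tag(key, ciphertext, table, column, pk)
    return hmac.compare_digest(expected, tag)


def collision_demo():
    """The two inputs from the text collide under the naive join but not under
    the length-prefixed encoding. Returns (naive_collides, prefixed_collides)."""
    dumb_a = dumb_canonicalize("customers", "last_order_uuid", 123)
    dumb_b = dumb_canonicalize("customers_last_order", "uuid", 123)
    good_a = canonicalize("customers", "last_order_uuid", 123)
    good_b = canonicalize("customers_last_order", "uuid", 123)
    return dumb_a == dumb_b, good_a == good_b


def confused_deputy_demo():
    """A ciphertext and tag copied from the victim's row into another row, or
    into another column, fails verification because table, column and primary
    key are part of the authenticated AAD. Returns (at_home, relocated, other_column)."""
    victim_ct = b"\x9a\x1f\x00\x7c constructed opaque ciphertext bytes"
    tag = bind_tag(DEMO_KEY, victim_ct, "users", "addr_encrypted", 1)
    at_home = verify_tag(DEMO_KEY, victim_ct, tag, "users", "addr_encrypted", 1)
    relocated = verify_tag(DEMO_KEY, victim_ct, tag, "users", "addr_encrypted", 12345)
    other_column = verify_tag(DEMO_KEY, victim_ct, tag, "users", "ssn_encrypted", 1)
    return at_home, relocated, other_column


if __name__ == "__main__":
    print("naive collides, prefixed collides:", collision_demo())
    print("at home, relocated, other column:", confused_deputy_demo())
```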

    Multi-Tenancy

    Once you’ve implemented a mitigation against Confused Deputies, you may think your job is done. And it very well could be.

    Often times, however, software developers are tasked with building support for Bring Your Own Key (BYOK).

    This is often spawned from a specific compliance requirement (such as cryptographic shredding; i.e. if you erase the key, you can no longer recover the plaintext, so it may as well be deleted).

    Other times, this is driven by a need to cut costs: Storing different users’ data in the same database server, but encrypting it such that they can only encrypt their own records.

    Two things can happen when you introduce multi-tenancy into your database cryptography designs:

    1. Invisible Salamanders becomes a risk, due to multiple keys being possible for any given encrypted record.
    2. Failure to address the risk of Invisible Salamanders can undermine your protection against Confused Deputies, thereby returning you to a state before you properly used the AAD.

    So now you have to revisit your designs and ensure you’re using a key-committing authenticated mode, rather than just a regular authenticated mode.

    Isn’t cryptography fun?

    “What Are Invisible Salamanders?”

    This refers to a fun property of AEAD modes based on polynomial MACs. Basically, if you:

    1. Encrypt one message under a specific key and nonce.
    2. Encrypt another message under a separate key and nonce.

    …Then you can get the same exact ciphertext and authentication tag. Performing this attack requires you to control the keys for both encryption operations.

    This was first demonstrated in an attack against encrypted messaging applications, where a picture of a salamander was hidden from the abuse reporting feature because another attached file had the same authentication tag and ciphertext, and you could trick the system if you disclosed the second key instead of the first. Thus, the salamander is invisible to attackers.

    Art: CMYKat

    We’re not quite done with relational databases yet, but we should talk about NoSQL databases for a bit. The final topic in scope applies equally to both, after all.

    Cryptography for NoSQL Databases

    Most of the topics from relational databases also apply to NoSQL databases, so I shall refrain from duplicating them here. This article is already sufficiently long to read, after all, and I dislike redundancy.

    NoSQL is Built Different

    The main thing that NoSQL databases offer in the service of making cryptographers lose sleep at night is the schema-free nature of NoSQL designs.

    What this means is that, if you’re using a client-side encryption library for a NoSQL database, the previous concerns about confused deputy attacks are amplified by the malleability of the document structure.

    Additionally, the previously discussed cryptographic attacks against the encryption mode may be less expensive for an attacker to pull off.

    Consider the following record structure, which stores a bunch of data encrypted with AES in CBC mode:

    {
      "encrypted-data-key": "<blob>",
      "name": "<ciphertext>",
      "address": [
        "<ciphertext>",
        "<ciphertext>"
      ],
      "social-security": "<ciphertext>",
      "zip-code": "<ciphertext>"
    }

    If this record is decrypted with code that looks something like this:

    $decrypted = [];
    // ... snip ...
    foreach ($record['address'] as $i => $addrLine) {
        try {
            $decrypted['address'][$i] = $this->decrypt($addrLine);
        } catch (Throwable $ex) {
            // You'd never deliberately do this, but it's for illustration
            $this->doSomethingAnOracleCanObserve($i);

            // This is more believable, of course:
            $this->logDecryptionError($ex, $addrLine);
            $decrypted['address'][$i] = '';
        }
    }

    Then you can keep appending rows to the "address" field to reduce the number of writes needed to exploit a padding oracle attack against any of the <ciphertext> fields.

    Art: Harubaki

    This isn’t to say that NoSQL is less secure than SQL in the context of client-side encryption. However, the powerful feature sets that NoSQL users are accustomed to may also give attackers a more versatile toolkit to work with.

    Record Authentication

    A pedant may point out that record authentication applies to both SQL and NoSQL. However, I mostly only observe this feature in NoSQL databases and document storage systems in the wild, so I’m shoving it in here.

    Encrypting fields is nice and all, but sometimes what you want to know is that your unencrypted data hasn’t been tampered with as it flows through your system.

    The trivial way this is done is by using a digital signature algorithm over the whole record, and then appending the signature to the end. When you go to verify the record, all of the information you need is right there.

    This works well enough for most use cases, and everyone can pack up and go home. Nothing more to see here.

    Except…

    When you’re working with NoSQL databases, you often want systems to be able to write to additional fields, and since you’re working with schema-free blobs of data rather than a normalized set of relatable tables, the most sensible thing to do is to append this data to the same record.

    Except, oops! You can’t do that if you’re shoving a digital signature over the record. So now you need to specify which fields are to be included in the signature.

    And you need to think about how to model that in a way that doesn’t prohibit schema upgrades nor allow attackers to perform downgrade attacks. (See below.)

    I don’t have any specific real-world examples here that I can point to of this problem being solved well.

    Art: CMYKat

    Furthermore, as with preventing confused deputy and/or canonicalization attacks above, you must also include the fully qualified path of each field in the data that gets signed.

    As I said with encryption before, but also true here:

    Where your data lives is part of its identity, and MUST be authenticated.

    Soatok’s Rule of Database Cryptography

    This requirement holds true whether you’re using symmetric-key authentication (i.e. HMAC) or asymmetric-key digital signatures (e.g. EdDSA).

    Bonus: A Maximally Schema-Free, Upgradeable Authentication Design

    Art: Harubaki

    Okay, how do you solve this problem so that you can perform updates and upgrades to your schema but without enabling attackers to downgrade the security? Here’s one possible design.

    Let’s say you have two metadata fields on each record:

    1. A compressed binary string representing which fields should be authenticated. This field is, itself, not authenticated. Let’s call this meta-auth.
    2. A compressed binary string representing which of the authenticated fields should also be encrypted. This field is also authenticated. This is at most the same length as the first metadata field. Let’s call this meta-enc.

    Furthermore, you will specify a canonical field ordering for both how data is fed into the signature algorithm as well as the field mappings in meta-auth and meta-enc.

    {
      "example": {
        "credit-card": {
          "number": /* encrypted */,
          "expiration": /* encrypted */,
          "ccv": /* encrypted */
        },
        "superfluous": {
          "rewards-member": null
        }
      },
      "meta-auth": compress_bools([
        true,  /* example.credit-card.number */
        true,  /* example.credit-card.expiration */
        true,  /* example.credit-card.ccv */
        false, /* example.superfluous.rewards-member */
        true   /* meta-enc */
      ]),
      "meta-enc": compress_bools([
        true,  /* example.credit-card.number */
        true,  /* example.credit-card.expiration */
        true,  /* example.credit-card.ccv */
        false  /* example.superfluous.rewards-member */
      ]),
      "signature": /* -- snip -- */
    }

    When you go to append data to an existing record, you’ll need to update meta-auth to include the mapping of fields based on this canonical ordering to ensure only the intended fields get validated.

    When you update your code to add an additional field that is intended to be signed, you can roll that out for new records and the record will continue to be self-describing:

    • New records will have the additional field flagged as authenticated in meta-auth (and meta-enc will grow)
    • Old records will not, but your code will still sign them successfully
    • To prevent downgrade attacks, simply include a schema version ID as an additional plaintext field that gets authenticated. An attacker who tries to downgrade will need to be able to produce a valid signature too.

    You might think meta-auth gives an attacker some advantage, but this only includes which fields are included in the security boundary of the signature or MAC, which allows unauthenticated data to be appended for whatever operational purpose without having to update signatures or expose signing keys to a wider part of the network.

    {
      "example": {
        "credit-card": {
          "number": /* encrypted */,
          "expiration": /* encrypted */,
          "ccv": /* encrypted */
        },
        "superfluous": {
          "rewards-member": null
        }
      },
      "meta-auth": compress_bools([
        true,  /* example.credit-card.number */
        true,  /* example.credit-card.expiration */
        true,  /* example.credit-card.ccv */
        false, /* example.superfluous.rewards-member */
        true,  /* meta-enc */
        true   /* meta-version */
      ]),
      "meta-enc": compress_bools([
        true,  /* example.credit-card.number */
        true,  /* example.credit-card.expiration */
        true,  /* example.credit-card.ccv */
        false, /* example.superfluous.rewards-member */
        true   /* meta-version */
      ]),
      "meta-version": 0x01000000,
      "signature": /* -- snip -- */
    }

    If an attacker tries to use the meta-auth field to mess with a record, the best they can hope for is an Invalid Signature exception (assuming the signature algorithm is secure to begin with).

    Even if they keep all of the fields the same, but play around with the structure of the record (e.g. changing the XPath or equivalent), so long as the path is authenticated with each field, breaking this is computationally infeasible.
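    The design above, implemented as an added example (not the post's own code). It uses HMAC-SHA256 as the signature algorithm, packs meta-auth and meta-enc into bitfields as a concrete compress_bools(), authenticates each field's fully qualified path with its value, and exercises the cases discussed: an unauthenticated append, a meta-auth bit flip, a moved field, and a version downgrade. The key and the record contents are constructed; field encryption itself is out of scope.

```python
import copy
import hashlib
import hmac
import json
import struct
from typing import Any, Dict, List

# Canonical field ordering shared by signer and verifier: data paths first,
# then the metadata fields, mirroring the record layout shown above.
DATA_PATHS = [
    "example.credit-card.number",
    "example.credit-card.expiration",
    "example.credit-card.ccv",
    "example.superfluous.rewards-member",
]
AUTH_ORDER = DATA_PATHS + ["meta-enc", "meta-version"]
DEMO_KEY = b"\x01" * 32  # constructed; a real system loads this from a KMS


def compress_bools(flags: List[bool]) -> bytes:
    """Pack booleans 8 per byte, MSB first (a concrete compress_bools)."""
    out = bytearray((len(flags) + 7) // 8)
    for i, flag in enumerate(flags):
        if flag:
            out[i // 8] |= 0x80 >> (i % 8)
    return bytes(out)


def expand_bools(packed: bytes, count: int) -> List[bool]:
    return [bool(packed[i // 8] & (0x80 >> (i % 8))) for i in range(count)]


def lookup(record: Dict[str, Any], path: str) -> Any:
    """Resolve a dotted, fully qualified path; a missing path yields None."""
    node: Any = record
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def signing_input(record: Dict[str, Any]) -> bytes:
    """Length-prefixed (path, value) pairs for every field flagged in meta-auth,
    in canonical order. Authenticating the path with the value means moving a
    value elsewhere in the document changes the signed input."""
    flags = expand_bools(record["meta-auth"], len(AUTH_ORDER))
    chunks = []
    for path, flagged in zip(AUTH_ORDER, flags):
        if not flagged:
            continue
        value = lookup(record, path)
        raw = value if isinstance(value, bytes) else json.dumps(value, sort_keys=True).encode()
        for piece in (path.encode(), raw):
            chunks.append(struct.pack(">Q", len(piece)) + piece)
    return b"".join(chunks)


def sign_record(record: Dict[str, Any], key: bytes = DEMO_KEY) -> bytes:
    return hmac.new(key, signing_input(record), hashlib.sha256).digest()


def verify_record(record: Dict[str, Any], key: bytes = DEMO_KEY) -> bool:
    return hmac.compare_digest(sign_record(record, key), record["signature"])


def make_record() -> Dict[str, Any]:
    """Constructed sample; the card values are placeholder bytes standing in
    for ciphertext. meta-auth itself sits outside the signed boundary."""
    rec = {
        "example": {
            "credit-card": {"number": b"ct:number", "expiration": b"ct:exp", "ccv": b"ct:ccv"},
            "superfluous": {"rewards-member": None},
        },
        "meta-auth": compress_bools([True, True, True, False, True, True]),
        "meta-enc": compress_bools([True, True, True, False, True]),
        "meta-version": 0x01000000,
    }
    rec["signature"] = sign_record(rec)
    return rec


def tamper_demo():
    """Verification results for: the intact record, an unauthenticated append,
    a meta-auth bit flip, a moved field, and a schema version downgrade."""
    rec = make_record()
    appended = copy.deepcopy(rec)  # operational data added outside the boundary
    appended["example"]["superfluous"]["rewards-member"] = "gold"
    unflagged = copy.deepcopy(rec)  # attacker drops ccv from meta-auth
    unflagged["meta-auth"] = compress_bools([True, True, False, False, True, True])
    moved = copy.deepcopy(rec)  # same value, different path
    card = moved["example"]["credit-card"]
    card["cvv"] = card.pop("ccv")
    downgraded = copy.deepcopy(rec)  # meta-version rolled back
    downgraded["meta-version"] = 0x00000001
    return tuple(verify_record(r) for r in (rec, appended, unflagged, moved, downgraded))
```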

    Searchable Encryption

    If you’ve managed to make it through the previous sections, congratulations, you now know enough to build a secure but completely useless database.

    Art: CMYKat

    Okay, put away the pitchforks; I will explain.

    Part of the reason why we store data in a database, rather than a flat file, is because we want to do more than just read and write. Sometimes computer scientists want to compute. Almost always, you want to be able to query your database for a subset of records based on your specific business logic needs.

    And so, a database which doesn’t do anything more than store ciphertext and maybe signatures is pretty useless to most people. You’d have better luck selling Monkey JPEGs to furries than convincing most businesses to part with their precious database-driven report generators.

    Art: Sophie

    So whenever one of your users wants to actually use their data, rather than just store it, they’re forced to decide between two mutually exclusive options:

    1. Encrypting the data, to protect it from unauthorized disclosure, but render it useless
    2. Doing anything useful with the data, but leaving it unencrypted in the database

    This is especially annoying for business types that are all in on the Zero Trust buzzword.

    Fortunately, the cryptographers are at it again, and boy howdy do they have a lot of solutions for this problem.

    Order-{Preserving, Revealing} Encryption

    On the fun side of things, you have things like Order-Preserving and Order-Revealing Encryption, which Matthew Green wrote about at length.

    [D]atabase encryption has been a controversial subject in our field. I wish I could say that there’s been an actual debate, but it’s more that different researchers have fallen into different camps, and nobody has really had the data to make their position in a compelling way. There have actually been some very personal arguments made about it.

    Attack of the week: searchable encryption and the ever-expanding leakage function

    The problem with these designs is that they have a significant enough leakage that it no longer provides semantic security.

    From Grubbs, et al. (GLMP, 2019.)
    Colors inverted to fit my blog’s theme better.

    To put it in other words: These designs are only marginally better than ECB mode, and probably deserve their own poems too.

    Order revealing
    Reveals much more than order
    Softcore ECB

    Order preserving
    Semantic security?
    Only in your dreams

    Haiku for your consideration

    Deterministic Encryption

    Here’s a simpler, but also terrible, idea for searchable encryption: Simply give up on semantic security entirely.

    If you recall the AES_{De,En}crypt() functions built into MySQL I mentioned at the start of this article, those are the most common form of deterministic encryption I’ve seen in use.

    SELECT * FROM foo WHERE bar = AES_Encrypt('query', 'key');

    However, there are slightly less bad variants. If you use AES-GCM-SIV with a static nonce, your ciphertexts are fully deterministic, and you can encrypt a small number of distinct records safely before you’re no longer secure.

    From Page 14 of the linked paper.

    That’s certainly better than nothing, but you also can’t mitigate confused deputy attacks. But we can do better than this.

    Homomorphic Encryption

    In a safer plane of academia, you’ll find homomorphic encryption, which researchers recently demonstrated with serving Wikipedia pages in a reasonable amount of time.

    Homomorphic encryption allows computations over the ciphertext, which will be reflected in the plaintext, without ever revealing the key to the entity performing the computation.

    If this sounds vaguely similar to the conditions that enable chosen-ciphertext attacks, you probably have a good intuition for how it works: RSA is homomorphic to multiplication, AES-CTR is homomorphic to XOR. Fully homomorphic encryption uses lattices, which enables multiple operations but carries a relatively enormous performance cost.

    Art: Harubaki

    Homomorphic encryption sometimes intersects with machine learning, because the notion of training an encrypted model by feeding it encrypted data, then decrypting it after-the-fact is desirable for certain business verticals. Your data scientists never see your data, and you have some plausible deniability about the final ML model this work produces. This is like a Siren song for Venture Capitalist-backed medical technology companies. Tech journalists love writing about it.

    However, a less-explored use case is the ability to encrypt your programs but still get the correct behavior and outputs. Although this sounds like a DRM technology, it’s actually something that individuals could one day use to prevent their ISPs or cloud providers from knowing what software is being executed on the customer’s leased hardware. The potential for a privacy win here is certainly worth pondering, even if you’re a tried and true Pirate Party member.

    Just say “NO” to the copyright cartels.

    Art: CMYKat

    Searchable Symmetric Encryption (SSE)

    Forget about working at the level of fields and rows or individual records. What if we, instead, worked over collections of documents, where each document is viewed as a set of keywords from a keyword space?

    Art: CMYKat

    That’s the basic premise of SSE: Encrypting collections of documents rather than individual records.

    The actual implementation details differ greatly between designs. They also differ greatly in their leakage profiles and susceptibility to side-channel attacks.

    Some schemes use a so-called trapdoor permutation, such as RSA, as one of their building blocks.

    Some schemes only allow for searching a static set of records, while others can accommodate new data over time (with the trade-off between more leakage or worse performance).

    If you’re curious, you can learn more about SSE here, and see some open source SSE implementations online here.

    You’re probably wondering, “If SSE is this well-studied and there are open source implementations available, why isn’t it more widely used?”

    Your guess is as good as mine, but I can think of a few reasons:

    1. The protocols can be a little complicated to implement, and aren’t shipped by default in cryptography libraries (i.e. OpenSSL’s libcrypto or libsodium).
    2. Every known security risk in SSE is the product of trade-offs, rather than there being a single winner for all use cases that developers can feel comfortable picking.
    3. Insufficient marketing and developer advocacy.
      SSE schemes are mostly of interest to academics, although Seny Kamara (Brown University professor and one of the luminaries of searchable encryption) did try to develop an app called Pixek which used SSE to encrypt photos.

    Maybe there’s room for a cryptography competition on searchable encryption schemes in the future.

    You Can Have Little a HMAC, As a Treat

    Finally, I can’t talk about searchable encryption without discussing a technique that’s older than dirt by Internet standards, that has been independently reinvented by countless software developers tasked with encrypting database records.

    The oldest version I’ve been able to track down dates to 2006 by Raul Garcia at Microsoft, but I’m not confident that it didn’t exist before.

    The idea I’m alluding to goes like this:

    1. Encrypt your data, securely, using symmetric cryptography.
      (Hopefully your encryption addresses the considerations outlined in the relevant sections above.)
    2. Separately, calculate an HMAC over the unencrypted data with a separate key used exclusively for indexing.

    When you need to query your data, you can just recalculate the HMAC of your challenge and fetch the records that match it. Easy, right?

    Even if you rotate your keys for encryption, you keep your indexing keys static across your entire data set. This lets you have durable indexes for encrypted data, which gives you the ability to do literal lookups for the performance hit of a hash function.

    Additionally, everyone has HMAC in their toolkit, so you don’t have to move around implementations of complex cryptographic building blocks. You can live off the land. What’s not to love?

    Hooray!

    However, if you stopped here, we regret to inform you that your data is no longer indistinguishable from random, which probably undermines the security proof for your encryption scheme.

    How annoying!

    Of course, you don’t have to stop with the addition of plain HMAC to your database encryption software.

    Take a page from Troy Hunt: Truncate the output to provide k-anonymity rather than a direct literal look-up.

    “K-What Now?”

    Imagine you have a full HMAC-SHA256 of the plaintext next to every ciphertext record with a static key, for searchability.

    Each HMAC output corresponds 1:1 with a unique plaintext.

    Because you’re using HMAC with a secret key, an attacker can’t just build a rainbow table like they would when attempting password cracking, but it still leaks duplicate plaintexts.

    For example, an HMAC-SHA256 output might look like this: 04a74e4c0158e34a566785d1a5e1167c4e3455c42aea173104e48ca810a8b1ae

    Art: CMYKat

    If you were to slice off most of those bytes (e.g. leaving only the last 3, which in the previous example yields a8b1ae), then with sufficient records, multiple plaintexts will now map to the same truncated HMAC tag.

    Which means if you’re only revealing a truncated HMAC tag to the database server (both when storing records or retrieving them), you can now expect false positives due to collisions in your truncated HMAC tag.

    These false positives give your data a discrete set of anonymity (called k-anonymity), which means an attacker with access to your database cannot:

    1. Distinguish between two encrypted records with the same short HMAC tag.
    2. Reverse engineer the short HMAC tag into a single possible plaintext value, even if they can supply candidate queries and study the tags sent to the database.

    Art: CMYKat

    As with SSE above, this short HMAC technique exposes a trade-off to users.

    • Too much k-anonymity (i.e. too many false positives), and you will have to decrypt-then-discard multiple mismatching records. This can make queries slow.
    • Not enough k-anonymity (i.e. insufficient false positives), and you’re no better off than a full HMAC.

    Even more troublesome, the right amount to truncate is expressed in bits (not bytes), and calculating this value depends on the number of unique plaintext values you anticipate in your dataset. (Fortunately, it grows logarithmically, so you’ll rarely if ever have to tune this.)

    If you’d like to play with this idea, here’s a quick and dirty demo script.
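    An added example in Python, not the author's demo script: a truncated-HMAC index on the database side with decrypt-then-discard on the client side. The sizing rule in bits_for_k_anonymity() is an assumption of this example rather than something from the text, and the index key and dataset are constructed.

```python
import hashlib
import hmac
import math
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed indexing key: separate from the encryption key and kept static
# across encryption key rotations so the index stays durable.
INDEX_KEY = b"\x02" * 32


def full_index_tag(plaintext: str, key: bytes = INDEX_KEY) -> bytes:
    """Full HMAC-SHA256 of the plaintext: a 1:1 handle that leaks duplicates."""
    return hmac.new(key, plaintext.encode("utf-8"), hashlib.sha256).digest()


def truncated_tag(plaintext: str, bits: int, key: bytes = INDEX_KEY) -> int:
    """Keep only the leading `bits` bits of the HMAC. The amount is expressed in
    bits, not bytes; which end is kept does not matter as long as it is fixed."""
    digest = full_index_tag(plaintext, key)
    return int.from_bytes(digest, "big") >> (len(digest) * 8 - bits)


def bits_for_k_anonymity(expected_unique_values: int, k: int) -> int:
    """Assumed sizing rule: N distinct plaintexts spread over 2**b buckets give
    about N / 2**b per bucket, so b = floor(log2(N / k)) aims for roughly k
    plaintexts behind each truncated tag. Grows logarithmically in N."""
    if expected_unique_values <= k:
        return 0
    return int(math.floor(math.log2(expected_unique_values / k)))


class KAnonIndex:
    """Database side. It only ever receives the truncated tag together with the
    stored record, never the full HMAC or the plaintext."""

    def __init__(self, bits: int):
        self.bits = bits
        self.buckets: Dict[int, List[Tuple[int, str]]] = defaultdict(list)

    def insert(self, record_id: int, plaintext: str) -> None:
        # The stored value stands in for the ciphertext; only the client can
        # "decrypt" it (here: read it) during decrypt-then-discard.
        self.buckets[truncated_tag(plaintext, self.bits)].append((record_id, plaintext))

    def candidates(self, query: str) -> List[Tuple[int, str]]:
        return list(self.buckets.get(truncated_tag(query, self.bits), []))


def query_records(index: KAnonIndex, query: str) -> Tuple[List[int], int]:
    """Client side: fetch the bucket for the query's truncated tag, then
    decrypt-then-discard the false positives. Returns (matching ids, discards)."""
    cands = index.candidates(query)
    matches = [rid for rid, plaintext in cands if plaintext == query]
    return matches, len(cands) - len(matches)


def demo(n_records: int = 2000, k: int = 16):
    """Constructed dataset of distinct e-mail-like values, indexed with a tag
    truncated so that about k plaintexts share each tag."""
    values = [f"user{i}@example.invalid" for i in range(n_records)]
    bits = bits_for_k_anonymity(len(values), k)
    index = KAnonIndex(bits)
    for rid, value in enumerate(values):
        index.insert(rid, value)
    matches, discarded = query_records(index, "user1234@example.invalid")
    missing, discarded_missing = query_records(index, "nobody@example.invalid")
    return bits, matches, discarded, missing, discarded_missing


if __name__ == "__main__":
    print("bits, matches, discards, misses, discards-for-miss:", demo())
```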

    Intermission

    If you started reading this post with any doubts about Cendyne’s statement that “Database cryptography is hard”, by making it to this point, they’ve probably been long since put to rest.

    Art: Harubaki

    Conversely, anyone that specializes in this topic is probably waiting for me to say anything novel or interesting; their patience wearing thin as I continue to rehash a surface-level introduction of their field without really diving deep into anything.

    Thus, if you’ve read this far, I’d like to demonstrate the application of what I’ve covered thus far in a real-world case study of a database cryptography product.

    Case Study: MongoDB Client-Side Encryption

    MongoDB is an open source schema-free NoSQL database. Last year, MongoDB made waves when they announced Queryable Encryption in their upcoming client-side encryption release.

    Taken from the press release, but adapted for dark themes.

    A statement at the bottom of their press release indicates that this isn’t clown-shoes:

    Queryable Encryption was designed by MongoDB’s Advanced Cryptography Research Group, headed by Seny Kamara and Tarik Moataz, who are pioneers in the field of encrypted search. The Group conducts cutting-edge peer-reviewed research in cryptography and works with MongoDB engineering teams to transfer and deploy the latest innovations in cryptography and privacy to the MongoDB data platform.

    If you recall, I mentioned Seny Kamara in the SSE section of this post. They certainly aren’t wrong about Kamara and Moataz being pioneers in this field.

    So with that in mind, let’s explore the implementation in libmongocrypt and see how it stands up to scrutiny.

    MongoCrypt: The Good

    MongoDB’s encryption library takes key management seriously: They provide a KMS integration for cloud users by default (supporting both AWS and Azure).

    MongoDB uses Encrypt-then-MAC with AES-CBC and HMAC-SHA256, which is congruent to what Signal does for message encryption.

    How Is Queryable Encryption Implemented?

    From the current source code, we can see that MongoCrypt generates several different types of tokens, using HMAC (calculation defined here).

    According to their press release:

    The feature supports equality searches, with additional query types such as range, prefix, suffix, and substring planned for future releases.

    MongoDB Queryable Encryption Announcement

    Which means that most of the juicy details probably aren’t public yet.

    These HMAC-derived tokens are stored wholesale in the data structure, but most are encrypted before storage using AES-CTR.

    There are more layers of encryption (using AEAD), server-side token processing, and more AES-CTR-encrypted edge tokens. All of this is finally serialized (implementation) as one blob for storage.

    Since only the equality operation is currently supported (which is the same feature you’d get from HMAC), it’s difficult to speculate what the full feature set looks like.

    However, since Kamara and Moataz are leading its development, it’s likely that this feature set will be excellent.

    MongoCrypt: The Bad

    Every call to do_encrypt() includes at most the Key ID (but typically NULL) as the AAD. This means that the concerns over Confused Deputies (and NoSQL specifically) are relevant to MongoDB.

    However, even if they did support authenticating the fully qualified path to a field in the AAD for their encryption, their AEAD construction is vulnerable to the kind of canonicalization attack I wrote about previously.

    First, observe this code which assembles the multi-part inputs into HMAC.

    /* Construct the input to the HMAC */
    uint32_t num_intermediates = 0;
    _mongocrypt_buffer_t intermediates[3];
    // -- snip --
    if (!_mongocrypt_buffer_concat (
      &to_hmac, intermediates, num_intermediates)) {
       CLIENT_ERR ("failed to allocate buffer");
       goto done;
    }
    if (hmac == HMAC_SHA_512_256) {
       uint8_t storage[64];
       _mongocrypt_buffer_t tag = {.data = storage, .len = sizeof (storage)};
       if (!_crypto_hmac_sha_512 (crypto, Km, &to_hmac, &tag, status)) {
          goto done;
       }
       // Truncate sha512 to first 256 bits.
       memcpy (out->data, tag.data, MONGOCRYPT_HMAC_LEN);
    } else {
       BSON_ASSERT (hmac == HMAC_SHA_256);
       if (!_mongocrypt_hmac_sha_256 (crypto, Km, &to_hmac, out, status)) {
          goto done;
       }
    }

    The implementation of _mongocrypt_buffer_concat() can be found here.

    If either the implementation of that function, or the code I snipped from my excerpt, had contained code that prefixed every segment of the AAD with the length of the segment (represented as a uint64_t to make overflow infeasible), then their AEAD mode would not be vulnerable to canonicalization issues.

    Using TupleHash would also have prevented this issue.

    Silver lining for MongoDB developers: Because the AAD is either a key ID or NULL, this isn’t exploitable in practice.

    The first cryptographic flaw sort of cancels the second out.

    If the libmongocrypt developers ever want to mitigate Confused Deputy attacks, they’ll need to address this canonicalization issue too.

    MongoCrypt: The Ugly

    MongoCrypt supports deterministic encryption.

    If you specify deterministic encryption for a field, your application passes a deterministic initialization vector to AEAD.

    MongoDB documentation

    We already discussed why this is bad above.

    Wrapping Up

    This was not a comprehensive treatment of the field of database cryptography. There are many areas of this field that I did not cover, nor do I feel qualified to discuss.

    However, I hope anyone who takes the time to read this finds themselves more familiar with the subject.

    Additionally, I hope any developers who think “encrypting data in a database is [easy, trivial] (select appropriate)” will find this broad introduction a humbling experience.

    Art: CMYKat

    https://soatok.blog/2023/03/01/database-cryptography-fur-the-rest-of-us/

    #appliedCryptography #blockCipherModes #cryptography #databaseCryptography #databases #encryptedSearch #HMAC #MongoCrypt #MongoDB #QueryableEncryption #realWorldCryptography #security #SecurityGuidance #SQL #SSE #symmetricCryptography #symmetricSearchableEncryption

  6. Earlier this year, Cendyne wrote a blog post covering the use of HKDF, building partially upon my own blog post about HKDF and the KDF security definition, but more so inspired by a cryptographic issue they identified in another company’s product (dubbed AnonCo).

    At the bottom they teased:

    Database cryptography is hard. The above sketch is not complete and does not address several threats! This article is quite long, so I will not be sharing the fixes.

    Cendyne

    If you read Cendyne’s post, you may have nodded along with that remark and not appreciate the degree to which our naga friend was putting it mildly. So I thought I’d share some of my knowledge about real-world database cryptography in an accessible and fun format in the hopes that it might serve as an introduction to the specialization.

    Note: I’m also not going to fix Cendyne’s sketch of AnonCo’s software here–partly because I don’t want to get in the habit of assigning homework or required reading, but mostly because it’s kind of obvious once you’ve learned the basics.

    I’m including art of my fursona in this post… as is tradition for furry blogs.

    If you don’t like furries, please feel free to leave this blog and read about this topic elsewhere.

    Thanks to CMYKat for the awesome stickers.

    Contents

    • Database Cryptography?
    • Cryptography for Relational Databases
      • The Perils of Built-in Encryption Functions
      • Application-Layer Relational Database Cryptography
        • Confused Deputies
        • Canonicalization Attacks
        • Multi-Tenancy
    • Cryptography for NoSQL Databases
      • NoSQL is Built Different
      • Record Authentication
        • Bonus: A Maximally Schema-Free, Upgradeable Authentication Design
    • Searchable Encryption
      • Order-{Preserving, Revealing} Encryption
      • Deterministic Encryption
      • Homomorphic Encryption
      • Searchable Symmetric Encryption (SSE)
      • You Can Have Little a HMAC, As a Treat
    • Intermission
    • Case Study: MongoDB Client-Side Encryption
      • MongoCrypt: The Good
        • How is Queryable Encryption Implemented?
      • MongoCrypt: The Bad
      • MongoCrypt: The Ugly
    • Wrapping Up

    Database Cryptography?

    The premise of database cryptography is deceptively simple: You have a database, of some sort, and you want to store sensitive data in said database.

    The consequences of this simple premise are anything but simple. Let me explain.

    Art: ScruffKerfluff

    The sensitive data you want to store may need to remain confidential, or you may need to provide some sort of integrity guarantees throughout your entire system, or sometimes both. Sometimes all of your data is sensitive, sometimes only some of it is. Sometimes the confidentiality requirements of your data extend to where within a dataset the record you want actually lives. Sometimes that’s true of some data, but not others, so your cryptography has to be flexible to support multiple types of workloads.

    Other times, you just want your disks encrypted at rest so if they grow legs and walk out of the data center, the data cannot be comprehended by an attacker. And you can’t be bothered to work on this problem any deeper. This is usually what compliance requirements cover. Boxes get checked, executives feel safer about their operation, and the whole time nobody has really analyzed the risks they’re facing.

    But we’re not settling for mere compliance on this blog. Furries have standards, after all.

    So the first thing you need to do before diving into database cryptography is threat modelling. The first step in any good threat model is taking inventory; especially of assumptions, requirements, and desired outcomes. A few good starter questions:

    1. What database software is being used? Is it up to date?
    2. What data is being stored in which database software?
    3. How are databases oriented in the network of the overall system?
      • Is your database properly firewalled from the public Internet?
    4. How does data flow throughout the network, and when do these data flows intersect with the database?
      • Which applications talk to the database? What languages are they written in? Which APIs do they use?
    5. How will cryptography secrets be managed?
      • Is there one key for everyone, one key per tenant, etc.?
      • How are keys rotated?
      • Do you use envelope encryption with an HSM, or vend the raw materials to your end devices?

    The first two questions are paramount for deciding how to write software for database cryptography, before you even get to thinking about the cryptography itself.

    (This is not a comprehensive set of questions to ask, either. A formal threat model is much deeper in the weeds.)

    The kind of cryptography protocol you need for, say, storing encrypted CSV files in an S3 bucket is vastly different from relational (SQL) databases, which in turn will be significantly different from schema-free (NoSQL) databases.

    Furthermore, when you get to the point that you can start to think about the cryptography, you’ll often need to tackle confidentiality and integrity separately.

    If that’s unclear, think of a scenario like, “I need to encrypt PII, but I also need to digitally sign the lab results so I know it wasn’t tampered with at rest.”

    My point is, right off the bat, we’ve got a three-dimensional matrix of complexity to contend with:

    1. On one axis, we have the type of database.
      • Flat-file
      • Relational
      • Schema-free
    2. On another, we have the basic confidentiality requirements of the data.
      • Field encryption
      • Row encryption
      • Column encryption
      • Unstructured record encryption
      • Encrypting entire collections of records
    3. Finally, we have the integrity requirements of the data.
      • Field authentication
      • Row/column authentication
      • Unstructured record authentication
      • Collection authentication (based on e.g. Sparse Merkle Trees)

    And then you have a fourth dimension that often falls out of operational requirements for databases: Searchability.

    Why store data in a database if you have no way to index or search the data for fast retrieval?

    Credit: Harubaki

    If you’re starting to feel overwhelmed, you’re not alone. A lot of developers drastically underestimate the difficulty of the undertaking, until they run head-first into the complexity.

    Some just phone it in with AES_Encrypt() calls in their MySQL queries. (Too bad ECB mode doesn’t provide semantic security!)

    Which brings us to the meat of this blog post: The actual cryptography part.

    Cryptography is the art of transforming information security problems into key management problems.

    Former coworker

    Note: In the interest of time, I’m skipping over flat files and focusing instead on actual database technologies.

    Cryptography for Relational Databases

    Encrypting data in an SQL database seems simple enough, even if you’ve managed to shake off the complexity I teased from the introduction.

    You’ve got data, you’ve got a column on a table. Just encrypt the data and shove it in a cell on that column and call it a day, right?

    But, alas, this is a trap. There are so many gotchas that I can’t weave a coherent, easy-to-follow narrative between them all.

    So let’s start with a simple question: where and how are you performing your encryption?

    The Perils of Built-in Encryption Functions

    MySQL provides functions called AES_Encrypt and AES_Decrypt, which many developers have unfortunately decided to rely on in the past.

    It’s unfortunate because these functions implement ECB mode. To illustrate why ECB mode is bad, I encrypted one of my art commissions with AES in ECB mode:

    Art by Riley, encrypted with AES-ECB

    The problems with ECB mode aren’t exactly “you can see the image through it,” because ECB-encrypting a compressed image won’t have redundancy (and thus can make you feel safer than you are).

    ECB art is a good visual for the actual issue you should care about, however: A lack of semantic security.

    A cryptosystem is considered semantically secure if observing the ciphertext doesn’t reveal information about the plaintext (except, perhaps, the length; which all cryptosystems leak to some extent). More information here.

    ECB art isn’t to be confused with ECB poetry, which looks like this:

    Oh little one, you’re growing up
    You’ll soon be writing C
    You’ll treat your ints as pointers
    You’ll nest the ternary
    You’ll cut and paste from github
    And try cryptography
    But even in your darkest hour
    Do not use ECB

    CBC’s BEASTly when padding’s abused
    And CTR’s fine til a nonce is reused
    Some say it’s a CRIME to compress then encrypt
    Or store keys in the browser (or use javascript)
    Diffie Hellman will collapse if hackers choose your g
    And RSA is full of traps when e is set to 3
    Whiten! Blind! In constant time! Don’t write an RNG!
    But failing all, and listen well: Do not use ECB

    They’ll say “It’s like a one-time-pad!
    The data’s short, it’s not so bad
    the keys are long–they’re iron clad
    I have a PhD!”
    And then you’re front page Hacker News
    Your passwords cracked–Adobe Blues.
    Don’t leave your penguins showing through,
    Do not use ECB

    — Ben Nagy, PoC||GTFO 0x04:13

    Most people reading this probably know better than to use ECB mode already, and don’t need any of these reminders, but there is still a lot of code that inadvertently uses ECB mode to encrypt data in the database.

    Also, SHOW processlist; leaks your encryption keys. Oops.

    Credit: CMYKatt

    Application-layer Relational Database Cryptography

    Whether burned by ECB or just cautious about not giving your secrets to the system that stores all the ciphertext protected by said secret, a common next step for developers is to simply encrypt in their server-side application code.

    And, yes, that’s part of the answer. But how you encrypt is important.

    Credit: Harubaki

    “I’ll encrypt with CBC mode.”
    If you don’t authenticate your ciphertext, you’ll be sorry. Maybe try again?

    “Okay, fine, I’ll use an authenticated mode like GCM.”
    Did you remember to make the table and column name part of your AAD? What about the primary key of the record?

    “What on Earth are you talking about, Soatok?”
    Welcome to the first footgun of database cryptography!

    Confused Deputies

    Encrypting your sensitive data is necessary, but not sufficient. You need to also bind your ciphertexts to the specific context in which they are stored.

    To understand why, let’s take a step back: What specific threat does encrypting your database records protect against?

    We’ve already established that “your disks walk out of the datacenter” is a “full disk encryption” problem, so if you’re using application-layer cryptography to encrypt data in a relational database, your threat model probably involves unauthorized access to the database server.

    What, then, stops an attacker from copying ciphertexts around?

    Credit: CMYKatt

    Let’s say I have a legitimate user account with an ID 12345, and I want to read your street address, but it’s encrypted in the database. But because I’m a clever hacker, I have unfettered access to your relational database server.

    All I would need to do is simply…

    UPDATE table SET addr_encrypted = 'your-ciphertext' WHERE id = 12345

    …and then access the application through my legitimate access. Bam, data leaked. As an attacker, I can probably even copy fields from other columns and it will just decrypt. Even if you’re using an authenticated mode.

    We call this a confused deputy attack, because the deputy (the component of the system that has been delegated some authority or privilege) has become confused by the attacker, and thus undermined an intended security goal.

    The fix is to use the AAD parameter from the authenticated mode to bind the data to a given context. (AAD = Additional Authenticated Data.)

    - $addr = aes_gcm_encrypt($addr, $key);
    + $addr = aes_gcm_encrypt($addr, $key, canonicalize([
    +     $tableName,
    +     $columnName,
    +     $primaryKey
    + ]));

    Now if I start cutting and pasting ciphertexts around, I get a decryption failure instead of silently decrypting plaintext.

    This may sound like a specific vulnerability, but it’s more of a failure to understand an important general lesson with database cryptography:

    Where your data lives is part of its identity, and MUST be authenticated.

    Soatok’s Rule of Database Cryptography

    Canonicalization Attacks

    In the previous section, I introduced a pseudocode called canonicalize(). This isn’t a pasto from some reference code; it’s an important design detail that I will elaborate on now.

    First, consider you didn’t do anything to canonicalize your data, and you just joined strings together and called it a day…

    function dumbCanonicalize(
        string $tableName,
        string $columnName,
        string|int $primaryKey
    ): string {
        return $tableName . '_' . $columnName . '#' . $primaryKey;
    }

    Consider these two inputs to this function:

    1. dumbCanonicalize('customers', 'last_order_uuid', 123);
    2. dumbCanonicalize('customers_last_order', 'uuid', 123);

    In this case, your AAD would be the same, and therefore, your deputy can still be confused (albeit in a narrower use case).

    In Cendyne’s article, AnonCo did something more subtle: The canonicalization bug created a collision on the inputs to HKDF, which resulted in an unintentional key reuse.

    Up until this point, their mistake isn’t relevant to us, because we haven’t even explored key management at all. But the same design flaw can re-emerge in multiple locations, with drastically different consequence.
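    The two preceding sections in working code, as an added Go example that is not from the post or from any of its referenced code: a length-prefixed canonicalize() feeds table, column and primary key into the AES-GCM AAD, so a ciphertext pasted into another row or column fails to open, while the concatenation-style dumbCanonicalize() from above still collides. The function names, the 32-byte key and the length-prefix encoding are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// dumbCanonicalize reproduces the flawed concatenation from the text:
// ("customers", "last_order_uuid") and ("customers_last_order", "uuid")
// yield the same string, and therefore the same AAD.
func dumbCanonicalize(table, column, pk string) string {
	return table + "_" + column + "#" + pk
}

// canonicalize is an injective encoding (hypothetical, not the post's own):
// a count of parts, then each part as a 4-byte big-endian length followed
// by its bytes. Two different tuples can never produce the same output.
func canonicalize(parts ...string) []byte {
	var lenBuf [4]byte
	out := make([]byte, 0, 64)
	binary.BigEndian.PutUint32(lenBuf[:], uint32(len(parts)))
	out = append(out, lenBuf[:]...)
	for _, p := range parts {
		binary.BigEndian.PutUint32(lenBuf[:], uint32(len(p)))
		out = append(out, lenBuf[:]...)
		out = append(out, p...)
	}
	return out
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptCell seals one cell with AES-256-GCM and binds it to its storage
// location (table, column, primary key) through the AAD. The random nonce
// is prepended to the returned blob.
func encryptCell(key []byte, table, column, pk string, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, canonicalize(table, column, pk)), nil
}

// decryptCell opens a blob at the location the application believes it
// lives. A ciphertext copied into another row or column fails the tag
// check instead of silently decrypting for the wrong user.
func decryptCell(key []byte, table, column, pk string, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, canonicalize(table, column, pk))
}

func main() {
	key := make([]byte, 32) // constructed demo key; a real system pulls this from a KMS
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	blob, err := encryptCell(key, "customers", "address", "67890", []byte("221B Baker St"))
	if err != nil {
		panic(err)
	}
	pt, err := decryptCell(key, "customers", "address", "67890", blob)
	fmt.Printf("same row:  %q err=%v\n", pt, err)
	// The copy-paste from the text: same ciphertext, a different row id.
	_, err = decryptCell(key, "customers", "address", "12345", blob)
	fmt.Println("moved row:", err)
	fmt.Println("dumb AAD collides:",
		dumbCanonicalize("customers", "last_order_uuid", "123") ==
			dumbCanonicalize("customers_last_order", "uuid", "123"))
}
```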

    Multi-Tenancy

    Once you’ve implemented a mitigation against Confused Deputies, you may think your job is done. And it very well could be.

    Often times, however, software developers are tasked with building support for Bring Your Own Key (BYOK).

    This is often spawned from a specific compliance requirement (such as cryptographic shredding; i.e. if you erase the key, you can no longer recover the plaintext, so it may as well be deleted).

    Other times, this is driven by a need to cut costs: Storing different users’ data in the same database server, but encrypting it such that they can only decrypt their own records.

    Two things can happen when you introduce multi-tenancy into your database cryptography designs:

    1. Invisible Salamanders becomes a risk, due to multiple keys being possible for any given encrypted record.
    2. Failure to address the risk of Invisible Salamanders can undermine your protection against Confused Deputies, thereby returning you to a state before you properly used the AAD.

    So now you have to revisit your designs and ensure you’re using a key-committing authenticated mode, rather than just a regular authenticated mode.

    Isn’t cryptography fun?

    “What Are Invisible Salamanders?”

    This refers to a fun property of AEAD modes based on polynomial MACs. Basically, if you:

    1. Encrypt one message under a specific key and nonce.
    2. Encrypt another message under a separate key and nonce.

    …Then you can get the same exact ciphertext and authentication tag. Performing this attack requires you to control the keys for both encryption operations.

    This was first demonstrated in an attack against encrypted messaging applications, where a picture of a salamander was hidden from the abuse reporting feature because another attached file had the same authentication tag and ciphertext, and you could trick the system if you disclosed the second key instead of the first. Thus, the salamander is invisible to attackers.

    Art: CMYKat

    We’re not quite done with relational databases yet, but we should talk about NoSQL databases for a bit. The final topic in scope applies equally to both, after all.

    Cryptography for NoSQL Databases

    Most of the topics from relational databases also apply to NoSQL databases, so I shall refrain from duplicating them here. This article is already sufficiently long to read, after all, and I dislike redundancy.

    NoSQL is Built Different

    The main thing that NoSQL databases offer in the service of making cryptographers lose sleep at night is the schema-free nature of NoSQL designs.

    What this means is that, if you’re using a client-side encryption library for a NoSQL database, the previous concerns about confused deputy attacks are amplified by the malleability of the document structure.

    Additionally, the previously discussed cryptographic attacks against the encryption mode may be less expensive for an attacker to pull off.

    Consider the following record structure, which stores a bunch of data stored with AES in CBC mode:

    {
      "encrypted-data-key": "<blob>",
      "name": "<ciphertext>",
      "address": [
        "<ciphertext>",
        "<ciphertext>"
      ],
      "social-security": "<ciphertext>",
      "zip-code": "<ciphertext>"
    }

    If this record is decrypted with code that looks something like this:

    $decrypted = [];
    // ... snip ...
    foreach ($record['address'] as $i => $addrLine) {
        try {
            $decrypted['address'][$i] = $this->decrypt($addrLine);
        } catch (Throwable $ex) {
            // You'd never deliberately do this, but it's for illustration
            $this->doSomethingAnOracleCanObserve($i);

            // This is more believable, of course:
            $this->logDecryptionError($ex, $addrLine);
            $decrypted['address'][$i] = '';
        }
    }

    Then you can keep appending rows to the "address" field to reduce the number of writes needed to exploit a padding oracle attack against any of the <ciphertext> fields.

    Art: Harubaki

    This isn’t to say that NoSQL is less secure than SQL, from the context of client-side encryption. However, the powerful feature sets that NoSQL users are accustomed to may also give attackers a more versatile toolkit to work with.

    Record Authentication

    A pedant may point out that record authentication applies to both SQL and NoSQL. However, I mostly only observe this feature in NoSQL databases and document storage systems in the wild, so I’m shoving it in here.

    Encrypting fields is nice and all, but sometimes what you want to know is that your unencrypted data hasn’t been tampered with as it flows through your system.

    The trivial way this is done is by using a digital signature algorithm over the whole record, and then appending the signature to the end. When you go to verify the record, all of the information you need is right there.

    This works well enough for most use cases, and everyone can pack up and go home. Nothing more to see here.

    Except…

    When you’re working with NoSQL databases, you often want systems to be able to write to additional fields, and since you’re working with schema-free blobs of data rather than a normalized set of relatable tables, the most sensible thing to do is to append this data to the same record.

    Except, oops! You can’t do that if you’re shoving a digital signature over the record. So now you need to specify which fields are to be included in the signature.

    And you need to think about how to model that in a way that doesn’t prohibit schema upgrades nor allow attackers to perform downgrade attacks. (See below.)

    I don’t have any specific real-world examples here that I can point to of this problem being solved well.

    Art: CMYKat

    Furthermore, as with preventing confused deputy and/or canonicalization attacks above, you must also include the fully qualified path of each field in the data that gets signed.

    As I said with encryption before, but also true here:

    Where your data lives is part of its identity, and MUST be authenticated.

    Soatok’s Rule of Database Cryptography

    This requirement holds true whether you’re using symmetric-key authentication (i.e. HMAC) or asymmetric-key digital signatures (e.g. EdDSA).

    Bonus: A Maximally Schema-Free, Upgradeable Authentication Design

    Art: Harubaki

    Okay, how do you solve this problem so that you can perform updates and upgrades to your schema but without enabling attackers to downgrade the security? Here’s one possible design.

    Let’s say you have two metadata fields on each record:

    1. A compressed binary string representing which fields should be authenticated. This field is, itself, not authenticated. Let’s call this meta-auth.
    2. A compressed binary string representing which of the authenticated fields should also be encrypted. This field is also authenticated. This is at most the same length as the first metadata field. Let’s call this meta-enc.

    Furthermore, you will specify a canonical field ordering for both how data is fed into the signature algorithm as well as the field mappings in meta-auth and meta-enc.

    {
      "example": {
        "credit-card": {
          "number": /* encrypted */,
          "expiration": /* encrypted */,
          "ccv": /* encrypted */
        },
        "superfluous": {
          "rewards-member": null
        }
      },
      "meta-auth": compress_bools([
        true,  /* example.credit-card.number */
        true,  /* example.credit-card.expiration */
        true,  /* example.credit-card.ccv */
        false, /* example.superfluous.rewards-member */
        true   /* meta-enc */
      ]),
      "meta-enc": compress_bools([
        true,  /* example.credit-card.number */
        true,  /* example.credit-card.expiration */
        true,  /* example.credit-card.ccv */
        false  /* example.superfluous.rewards-member */
      ]),
      "signature": /* -- snip -- */
    }

    When you go to append data to an existing record, you’ll need to update meta-auth to include the mapping of fields based on this canonical ordering to ensure only the intended fields get validated.

    When you update your code to add an additional field that is intended to be signed, you can roll that out for new records and the record will continue to be self-describing:

    • New records will have the additional field flagged as authenticated in meta-auth (and meta-enc will grow)
    • Old records will not, but your code will still sign them successfully
    • To prevent downgrade attacks, simply include a schema version ID as an additional plaintext field that gets authenticated. An attacker who tries to downgrade will need to be able to produce a valid signature too.

    You might think meta-auth gives an attacker some advantage, but this only includes which fields are included in the security boundary of the signature or MAC, which allows unauthenticated data to be appended for whatever operational purpose without having to update signatures or expose signing keys to a wider part of the network.

    {
      "example": {
        "credit-card": {
          "number": /* encrypted */,
          "expiration": /* encrypted */,
          "ccv": /* encrypted */
        },
        "superfluous": {
          "rewards-member": null
        }
      },
      "meta-auth": compress_bools([
        true,  /* example.credit-card.number */
        true,  /* example.credit-card.expiration */
        true,  /* example.credit-card.ccv */
        false, /* example.superfluous.rewards-member */
        true,  /* meta-enc */
        true   /* meta-version */
      ]),
      "meta-enc": compress_bools([
        true,  /* example.credit-card.number */
        true,  /* example.credit-card.expiration */
        true,  /* example.credit-card.ccv */
        false, /* example.superfluous.rewards-member */
        true   /* meta-version */
      ]),
      "meta-version": 0x01000000,
      "signature": /* -- snip -- */
    }

    If an attacker tries to use the meta-auth field to mess with a record, the best they can hope for is an Invalid Signature exception (assuming the signature algorithm is secure to begin with).

    Even if they keep all of the fields the same, but play around with the structure of the record (e.g. changing the XPath or equivalent), so long as the path is authenticated with each field, breaking this is computationally infeasible.
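    The meta-auth design above as an added Go example (not the post's code): records are flattened to full dotted paths, a fixed canonical ordering gives every path an index, and an HMAC-SHA256 tag covers only the paths meta-auth selects, each length-prefixed together with its value. Appending an unsigned field keeps the record valid, while unflagging ccv, swapping two values between paths, or changing meta-version all fail verification. The Record type, the flattened representation and the HMAC key are assumptions of this example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"errors"
	"fmt"
)

// canonicalOrder fixes the position of every field that may be signed:
// entry i of MetaAuth refers to canonicalOrder[i]. The list is append-only;
// a schema upgrade adds a path at the end and never reorders existing ones.
var canonicalOrder = []string{
	"example.credit-card.number",
	"example.credit-card.expiration",
	"example.credit-card.ccv",
	"example.superfluous.rewards-member",
	"meta-enc",
	"meta-version",
}

// Record is a flattened document: full dotted path -> stored value
// (encrypted fields hold ciphertext; values are opaque strings here).
type Record struct {
	Fields    map[string]string
	MetaAuth  []bool // not itself signed; selects which canonical fields are
	Signature []byte
}

// authTag computes HMAC-SHA256 over every selected (path, value) pair in
// canonical order, length-prefixing both so the full path is part of the
// data's identity. MetaAuth only chooses what is covered; flipping a bit
// changes the MAC input, so it cannot quietly remove a field from coverage.
func authTag(key []byte, r *Record) ([]byte, error) {
	if len(r.MetaAuth) > len(canonicalOrder) {
		return nil, errors.New("meta-auth longer than canonical ordering")
	}
	mac := hmac.New(sha256.New, key)
	for i, covered := range r.MetaAuth {
		if !covered {
			continue
		}
		path := canonicalOrder[i]
		value, ok := r.Fields[path]
		if !ok {
			return nil, fmt.Errorf("authenticated field %q missing", path)
		}
		fmt.Fprintf(mac, "%d:%s=%d:%s;", len(path), path, len(value), value)
	}
	return mac.Sum(nil), nil
}

// Sign attaches the tag. In the text's design meta-version is among the
// covered fields, so an attacker cannot present an older schema version.
func Sign(key []byte, r *Record) error {
	tag, err := authTag(key, r)
	if err != nil {
		return err
	}
	r.Signature = tag
	return nil
}

// Verify rejects records whose covered fields, their paths, or the schema
// version differ from what was signed; uncovered fields are free to change.
func Verify(key []byte, r *Record) bool {
	tag, err := authTag(key, r)
	return err == nil && hmac.Equal(tag, r.Signature)
}

func main() {
	key := []byte("constructed-demo-mac-key") // a KMS-managed key in practice
	r := &Record{
		Fields: map[string]string{
			"example.credit-card.number":         "<ciphertext>",
			"example.credit-card.expiration":     "<ciphertext>",
			"example.credit-card.ccv":            "<ciphertext>",
			"example.superfluous.rewards-member": "",
			"meta-enc":                           "\x07", // three card fields encrypted
			"meta-version":                       "1",
		},
		MetaAuth: []bool{true, true, true, false, true, true},
	}
	if err := Sign(key, r); err != nil {
		panic(err)
	}
	r.Fields["example.superfluous.rewards-member"] = "gold" // appended later, unsigned
	fmt.Println("after unsigned append:", Verify(key, r))    // true
	r.MetaAuth[2] = false                                    // try to uncover ccv
	fmt.Println("ccv dropped from meta-auth:", Verify(key, r)) // false
}
```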

    Searchable Encryption

    If you’ve managed to make it through the previous sections, congratulations, you now know enough to build a secure but completely useless database.

    Art: CMYKat

    Okay, put away the pitchforks; I will explain.

    Part of the reason why we store data in a database, rather than a flat file, is because we want to do more than just read and write. Sometimes computer scientists want to compute. Almost always, you want to be able to query your database for a subset of records based on your specific business logic needs.

    And so, a database which doesn’t do anything more than store ciphertext and maybe signatures is pretty useless to most people. You’d have better luck selling Monkey JPEGs to furries than convincing most businesses to part with their precious database-driven report generators.

    Art: Sophie

    So whenever one of your users wants to actually use their data, rather than just store it, they’re forced to decide between two mutually exclusive options:

    1. Encrypting the data, to protect it from unauthorized disclosure, but render it useless
    2. Doing anything useful with the data, but leaving it unencrypted in the database

    This is especially annoying for business types that are all in on the Zero Trust buzzword.

    Fortunately, the cryptographers are at it again, and boy howdy do they have a lot of solutions for this problem.

    Order-{Preserving, Revealing} Encryption

    On the fun side of things, you have things like Order-Preserving and Order-Revealing Encryption, which Matthew Green wrote about at length.

    [D]atabase encryption has been a controversial subject in our field. I wish I could say that there’s been an actual debate, but it’s more that different researchers have fallen into different camps, and nobody has really had the data to make their position in a compelling way. There have actually been some very personal arguments made about it.

    Attack of the week: searchable encryption and the ever-expanding leakage function

    The problem with these designs is that they have a significant enough leakage that it no longer provides semantic security.

    From Grubbs, et al. (GLMP, 2019.)
    Colors inverted to fit my blog’s theme better.

    To put it in other words: These designs are only marginally better than ECB mode, and probably deserve their own poems too.

    Order revealing
    Reveals much more than order
    Softcore ECB

    Order preserving
    Semantic security?
    Only in your dreams

    Haiku for your consideration

    Deterministic Encryption

    Here’s a simpler, but also terrible, idea for searchable encryption: Simply give up on semantic security entirely.

    If you recall the AES_{De,En}crypt() functions built into MySQL I mentioned at the start of this article, those are the most common form of deterministic encryption I’ve seen in use.

     SELECT * FROM foo WHERE bar = AES_Encrypt('query', 'key');

    However, there are slightly less bad variants. If you use AES-GCM-SIV with a static nonce, your ciphertexts are fully deterministic, and you can encrypt a small number of distinct records safely before you’re no longer secure.

    From Page 14 of the linked paper. Full view.

    That’s certainly better than nothing, but you also can’t mitigate confused deputy attacks. But we can do better than this.

    Homomorphic Encryption

    In a safer plane of academia, you’ll find homomorphic encryption, which researchers recently demonstrated with serving Wikipedia pages in a reasonable amount of time.

    Homomorphic encryption allows computations over the ciphertext, which will be reflected in the plaintext, without ever revealing the key to the entity performing the computation.

    If this sounds vaguely similar to the conditions that enable chosen-ciphertext attacks, you probably have a good intuition for how it works: RSA is homomorphic to multiplication, AES-CTR is homomorphic to XOR. Fully homomorphic encryption uses lattices, which enables multiple operations but carries a relatively enormous performance cost.

    Art: Harubaki

    Homomorphic encryption sometimes intersects with machine learning, because the notion of training an encrypted model by feeding it encrypted data, then decrypting it after-the-fact is desirable for certain business verticals. Your data scientists never see your data, and you have some plausible deniability about the final ML model this work produces. This is like a Siren song for Venture Capitalist-backed medical technology companies. Tech journalists love writing about it.

    However, a less-explored use case is the ability to encrypt your programs but still get the correct behavior and outputs. Although this sounds like a DRM technology, it’s actually something that individuals could one day use to prevent their ISPs or cloud providers from knowing what software is being executed on the customer’s leased hardware. The potential for a privacy win here is certainly worth pondering, even if you’re a tried and true Pirate Party member.

    Just say “NO” to the copyright cartels.

    Art: CMYKat

    Searchable Symmetric Encryption (SSE)

    Forget about working at the level of fields and rows or individual records. What if we, instead, worked over collections of documents, where each document is viewed as a set of keywords from a keyword space?

    Art: CMYKat

    That’s the basic premise of SSE: Encrypting collections of documents rather than individual records.

    The actual implementation details differ greatly between designs. They also differ greatly in their leakage profiles and susceptibility to side-channel attacks.

    Some schemes use a so-called trapdoor permutation, such as RSA, as one of their building blocks.

    Some schemes only allow for searching a static set of records, while others can accommodate new data over time (with the trade-off between more leakage or worse performance).

    If you’re curious, you can learn more about SSE here, and see some open source SSE implementations online here.

    You’re probably wondering, “If SSE is this well-studied and there are open source implementations available, why isn’t it more widely used?”

    Your guess is as good as mine, but I can think of a few reasons:

    1. The protocols can be a little complicated to implement, and aren’t shipped by default in cryptography libraries (i.e. OpenSSL’s libcrypto or libsodium).
    2. Every known security risk in SSE is the product of a trade-off, rather than there being a single winner for all use cases that developers can feel comfortable picking.
    3. Insufficient marketing and developer advocacy.
      SSE schemes are mostly of interest to academics, although Seny Kamara (Brown University professor and one of the luminaries of searchable encryption) did try to develop an app called Pixek which used SSE to encrypt photos.

    Maybe there’s room for a cryptography competition on searchable encryption schemes in the future.

    You Can Have Little a HMAC, As a Treat

    Finally, I can’t talk about searchable encryption without discussing a technique that’s older than dirt by Internet standards, that has been independently reinvented by countless software developers tasked with encrypting database records.

    The oldest version I’ve been able to track down dates to 2006 by Raul Garcia at Microsoft, but I’m not confident that it didn’t exist before.

    The idea I’m alluding to goes like this:

    1. Encrypt your data, securely, using symmetric cryptography.
      (Hopefully your encryption addresses the considerations outlined in the relevant sections above.)
    2. Separately, calculate an HMAC over the unencrypted data with a separate key used exclusively for indexing.

    When you need to query your data, you can just recalculate the HMAC of your challenge and fetch the records that match it. Easy, right?

    Even if you rotate your keys for encryption, you keep your indexing keys static across your entire data set. This lets you have durable indexes for encrypted data, which gives you the ability to do literal lookups for the performance hit of a hash function.

    Additionally, everyone has HMAC in their toolkit, so you don’t have to move around implementations of complex cryptographic building blocks. You can live off the land. What’s not to love?

    Hooray!

    However, if you stopped here, we regret to inform you that your data is no longer indistinguishable from random, which probably undermines the security proof for your encryption scheme.

    How annoying!

    Of course, you don’t have to stop with the addition of plain HMAC to your database encryption software.

    Take a page from Troy Hunt: Truncate the output to provide k-anonymity rather than a direct literal look-up.

    “K-What Now?”

    Imagine you have a full HMAC-SHA256 of the plaintext next to every ciphertext record with a static key, for searchability.

    Each HMAC output corresponds 1:1 with a unique plaintext.

    Because you’re using HMAC with a secret key, an attacker can’t just build a rainbow table like they would when attempting password cracking, but it still leaks duplicate plaintexts.

    For example, an HMAC-SHA256 output might look like this: 04a74e4c0158e34a566785d1a5e1167c4e3455c42aea173104e48ca810a8b1ae

    Art: CMYKat

    If you were to slice off most of those bytes (e.g. leaving only the last 3, which in the previous example yields a8b1ae), then with sufficient records, multiple plaintexts will now map to the same truncated HMAC tag.

    Which means if you’re only revealing a truncated HMAC tag to the database server (both when storing records or retrieving them), you can now expect false positives due to collisions in your truncated HMAC tag.

    These false positives give your data a discrete set of anonymity (called k-anonymity), which means an attacker with access to your database cannot:

    1. Distinguish between two encrypted records with the same short HMAC tag.
    2. Reverse engineer the short HMAC tag into a single possible plaintext value, even if they can supply candidate queries and study the tags sent to the database.

    Art: CMYKat

    As with SSE above, this short HMAC technique exposes a trade-off to users.

    • Too much k-anonymity (i.e. too many false positives), and you will have to decrypt-then-discard multiple mismatching records. This can make queries slow.
    • Not enough k-anonymity (i.e. insufficient false positives), and you’re no better off than a full HMAC.

    Even more troublesome, the right amount to truncate is expressed in bits (not bytes), and calculating this value depends on the number of unique plaintext values you anticipate in your dataset. (Fortunately, it grows logarithmically, so you’ll rarely if ever have to tune this.)

    If you’d like to play with this idea, here’s a quick and dirty demo script.
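    The following is an added example of the truncated-HMAC idea from the paragraphs above; it is not the demo script linked from the original post. It assumes a constructed index key and a constructed set of 1000 distinct plaintexts, and it stands in a plain Python object for the AEAD ciphertext so that the whole thing runs offline with only the standard library. The helper names (full_tag, short_tag, bits_for_k_anonymity, BlindIndexStore, lookup) are this example's own.

```python
import hashlib
import hmac
import math
from collections import defaultdict
from dataclasses import dataclass

# Constructed demo key: a real deployment draws this from a KMS, never a constant.
INDEX_KEY = bytes(range(32))


def full_tag(key: bytes, plaintext: str) -> bytes:
    """Full HMAC-SHA256 blind index: one tag per distinct plaintext, so duplicates leak."""
    return hmac.new(key, plaintext.encode("utf-8"), hashlib.sha256).digest()


def short_tag(key: bytes, plaintext: str, bits: int) -> int:
    """Truncated blind index: keep only the low `bits` bits of the full tag (bits, not bytes)."""
    if not 0 <= bits <= 256:
        raise ValueError("bits must be between 0 and 256")
    return int.from_bytes(full_tag(key, plaintext), "big") & ((1 << bits) - 1)


def bits_for_k_anonymity(unique_plaintexts: int, k: int) -> int:
    """Tag bits to keep so that each short tag covers about k plaintexts on average.

    With b bits there are 2**b buckets, so the expected bucket size is N / 2**b;
    solving N / 2**b = k gives b = log2(N / k), which grows only logarithmically in N.
    Flooring errs toward more collisions (more anonymity, slower queries), not fewer.
    """
    if unique_plaintexts <= k:
        return 0  # a single bucket already hides everything
    return math.floor(math.log2(unique_plaintexts / k))


@dataclass
class SealedRow:
    """Stand-in for an encrypted record. In a real system this holds the AEAD
    ciphertext and only the client holds the key; the server never reads `plaintext`."""
    row_id: int
    plaintext: str


class BlindIndexStore:
    """The database side: maps short tag -> sealed rows and never sees INDEX_KEY."""

    def __init__(self) -> None:
        self._buckets = defaultdict(list)

    def insert(self, tag: int, row: SealedRow) -> None:
        self._buckets[tag].append(row)

    def candidates(self, tag: int) -> list:
        return list(self._buckets.get(tag, []))

    def bucket_sizes(self) -> list:
        return [len(rows) for rows in self._buckets.values()]


def build_store(key: bytes, plaintexts: list, bits: int) -> BlindIndexStore:
    store = BlindIndexStore()
    for row_id, pt in enumerate(plaintexts):
        store.insert(short_tag(key, pt, bits), SealedRow(row_id, pt))
    return store


def lookup(store: BlindIndexStore, key: bytes, bits: int, query: str) -> tuple:
    """Client-side equality query: fetch the bucket for the query's short tag, then
    decrypt-then-discard. Returns (matching row ids, rows the server handed back);
    every non-match in the second number is a false positive, the price of k-anonymity."""
    cands = store.candidates(short_tag(key, query, bits))
    matches = [r.row_id for r in cands if r.plaintext == query]
    return matches, len(cands)


# Constructed dataset: 1000 distinct addresses, so N = 1000.
SAMPLE = [f"user{i:04d}@example.com" for i in range(1000)]


def demo() -> dict:
    bits = bits_for_k_anonymity(len(SAMPLE), k=8)  # 6 bits -> 64 buckets, ~16 rows each
    short_store = build_store(INDEX_KEY, SAMPLE, bits)
    full_store = build_store(INDEX_KEY, SAMPLE, 256)  # untruncated: 1:1 with plaintext
    query = "user0042@example.com"
    short_hits, short_fetched = lookup(short_store, INDEX_KEY, bits, query)
    full_hits, full_fetched = lookup(full_store, INDEX_KEY, 256, query)
    return {
        "bits": bits,
        "short_matches": short_hits, "short_fetched": short_fetched,
        "full_matches": full_hits, "full_fetched": full_fetched,
        "short_buckets": len(short_store.bucket_sizes()),
        "full_buckets": len(full_store.bucket_sizes()),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

    Running demo() shows the trade-off in numbers: the full-tag store has exactly one bucket per plaintext (the server learns which rows share a value), while the 6-bit store has at most 64 buckets, so a query returns a bucket of roughly sixteen candidates that the client must decrypt and filter before the single true match is found.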

    Intermission

    If you started reading this post with any doubts about Cendyne’s statement that “Database cryptography is hard”, by making it to this point, they’ve probably been long since put to rest.

    Art: Harubaki

    Conversely, anyone that specializes in this topic is probably waiting for me to say anything novel or interesting; their patience wearing thin as I continue to rehash a surface-level introduction of their field without really diving deep into anything.

    Thus, if you’ve read this far, I’d like to demonstrate the application of what I’ve covered so far with a real-world case study of a database cryptography product.

    Case Study: MongoDB Client-Side Encryption

    MongoDB is an open source schema-free NoSQL database. Last year, MongoDB made waves when they announced Queryable Encryption in their upcoming client-side encryption release.

    Taken from the press release, but adapted for dark themes.

    A statement at the bottom of their press release indicates that this isn’t clown-shoes:

    Queryable Encryption was designed by MongoDB’s Advanced Cryptography Research Group, headed by Seny Kamara and Tarik Moataz, who are pioneers in the field of encrypted search. The Group conducts cutting-edge peer-reviewed research in cryptography and works with MongoDB engineering teams to transfer and deploy the latest innovations in cryptography and privacy to the MongoDB data platform.

    If you recall, I mentioned Seny Kamara in the SSE section of this post. They certainly aren’t wrong about Kamara and Moataz being pioneers in this field.

    So with that in mind, let’s explore the implementation in libmongocrypt and see how it stands up to scrutiny.

    MongoCrypt: The Good

    MongoDB’s encryption library takes key management seriously: They provide a KMS integration for cloud users by default (supporting both AWS and Azure).

    MongoDB uses Encrypt-then-MAC with AES-CBC and HMAC-SHA256, which is congruent to what Signal does for message encryption.

    How Is Queryable Encryption Implemented?

    From the current source code, we can see that MongoCrypt generates several different types of tokens, using HMAC (calculation defined here).

    According to their press release:

    The feature supports equality searches, with additional query types such as range, prefix, suffix, and substring planned for future releases.

    MongoDB Queryable Encryption Announcement

    Which means that most of the juicy details probably aren’t public yet.

    These HMAC-derived tokens are stored wholesale in the data structure, but most are encrypted before storage using AES-CTR.

    There are more layers of encryption (using AEAD), server-side token processing, and more AES-CTR-encrypted edge tokens. All of this is finally serialized (implementation) as one blob for storage.

    Since only the equality operation is currently supported (which is the same feature you’d get from HMAC), it’s difficult to speculate what the full feature set looks like.

    However, since Kamara and Moataz are leading its development, it’s likely that this feature set will be excellent.

    MongoCrypt: The Bad

    Every call to do_encrypt() includes at most the Key ID (but typically NULL) as the AAD. This means that the concerns over Confused Deputies (and NoSQL specifically) are relevant to MongoDB.

    However, even if they did support authenticating the fully qualified path to a field in the AAD for their encryption, their AEAD construction is vulnerable to the kind of canonicalization attack I wrote about previously.

    First, observe this code which assembles the multi-part inputs into HMAC.

    /* Construct the input to the HMAC */
    uint32_t num_intermediates = 0;
    _mongocrypt_buffer_t intermediates[3];
    // -- snip --
    if (!_mongocrypt_buffer_concat (
          &to_hmac, intermediates, num_intermediates)) {
       CLIENT_ERR ("failed to allocate buffer");
       goto done;
    }
    if (hmac == HMAC_SHA_512_256) {
       uint8_t storage[64];
       _mongocrypt_buffer_t tag = {.data = storage, .len = sizeof (storage)};
       if (!_crypto_hmac_sha_512 (crypto, Km, &to_hmac, &tag, status)) {
          goto done;
       }
       // Truncate sha512 to first 256 bits.
       memcpy (out->data, tag.data, MONGOCRYPT_HMAC_LEN);
    } else {
       BSON_ASSERT (hmac == HMAC_SHA_256);
       if (!_mongocrypt_hmac_sha_256 (crypto, Km, &to_hmac, out, status)) {
          goto done;
       }
    }

    The implementation of _mongocrypt_buffer_concat() can be found here.

    If either the implementation of that function, or the code I snipped from my excerpt, had contained code that prefixed every segment of the AAD with the length of the segment (represented as a uint64_t to make overflow infeasible), then their AEAD mode would not be vulnerable to canonicalization issues.

    Using TupleHash would also have prevented this issue.
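    As an added illustration of the canonicalization point (this is example code written for this page, not libmongocrypt's code), the block below puts a MAC over bare concatenation next to the length-prefixed encoding the paragraph recommends. The inputs are constructed: an AAD part standing in for a fully qualified field path, an IV-sized part and a ciphertext part, chosen so that two different three-part inputs concatenate to the same byte string. The names mac_naive_concat, encode_parts, mac_length_prefixed and decode_parts are this example's own; TupleHash, the other fix mentioned above, is not in Python's standard library and is not shown.

```python
import hashlib
import hmac
import struct

# Constructed demo MAC key; a real system derives it from the data key.
MAC_KEY = bytes.fromhex("aa" * 32)


def mac_naive_concat(key: bytes, parts: list) -> bytes:
    """MAC over the bare concatenation of the parts (the pattern criticized above).

    Any two part lists with the same concatenation authenticate identically, so the
    tag no longer commits to where one part ends and the next begins.
    """
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()


def encode_parts(parts: list) -> bytes:
    """Unambiguous encoding: each part is prefixed with its length as a big-endian uint64."""
    return b"".join(struct.pack(">Q", len(p)) + p for p in parts)


def mac_length_prefixed(key: bytes, parts: list) -> bytes:
    """MAC over the length-prefixed encoding; parts can't be re-split without changing the tag."""
    return hmac.new(key, encode_parts(parts), hashlib.sha256).digest()


def decode_parts(encoded: bytes) -> list:
    """Inverse of encode_parts; rejects truncated input. Existence of this inverse is
    what makes the encoding injective, which is exactly the property the MAC needs."""
    parts, pos = [], 0
    while pos < len(encoded):
        if len(encoded) - pos < 8:
            raise ValueError("truncated length prefix")
        (n,) = struct.unpack(">Q", encoded[pos:pos + 8])
        pos += 8
        if len(encoded) - pos < n:
            raise ValueError("truncated part")
        parts.append(encoded[pos:pos + n])
        pos += n
    return parts


def rejects_truncated(encoded: bytes) -> bool:
    """True if decode_parts refuses the input (used to show the decoder is strict)."""
    try:
        decode_parts(encoded)
    except ValueError:
        return True
    return False


def verify(key: bytes, parts: list, tag: bytes) -> bool:
    """Constant-time check a receiver runs before decrypting anything."""
    return hmac.compare_digest(mac_length_prefixed(key, parts), tag)


# Constructed inputs shaped like an Encrypt-then-MAC tag calculation: (AAD, IV, ciphertext).
# The AAD is a field path, as the post suggests binding. Both lists concatenate to the
# same 31-byte string even though the AAD, IV and ciphertext boundaries all differ.
PARTS_A = [b"orders.card", b"\x00" * 16, b"\xde\xad\xbe\xef"]
PARTS_B = [b"orders.car", b"d" + b"\x00" * 15, b"\x00\xde\xad\xbe\xef"]


def demo() -> dict:
    tag_a = mac_length_prefixed(MAC_KEY, PARTS_A)
    return {
        # Same bytes in, same tag out: the naive MAC cannot tell A from B.
        "naive_collides": mac_naive_concat(MAC_KEY, PARTS_A) == mac_naive_concat(MAC_KEY, PARTS_B),
        # Length prefixes make the two inputs distinct before they reach HMAC.
        "prefixed_collides": tag_a == mac_length_prefixed(MAC_KEY, PARTS_B),
        "roundtrip_ok": decode_parts(encode_parts(PARTS_A)) == PARTS_A,
        "verify_a_with_a": verify(MAC_KEY, PARTS_A, tag_a),
        "verify_b_with_a": verify(MAC_KEY, PARTS_B, tag_a),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

    The fix is cheap: eight extra bytes per part, written once into the HMAC input, and the receiver never needs to parse them back out; decode_parts is included only to make the injectivity argument concrete. Binding a real field path in the AAD, as suggested above for the Confused Deputy concern, only helps if the encoding of the AAD alongside the IV and ciphertext is unambiguous in this way.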

    Silver lining for MongoDB developers: Because the AAD is either a key ID or NULL, this isn’t exploitable in practice.

    The first cryptographic flaw sort of cancels the second out.

    If the libmongocrypt developers ever want to mitigate Confused Deputy attacks, they’ll need to address this canonicalization issue too.

    MongoCrypt: The Ugly

    MongoCrypt supports deterministic encryption.

    If you specify deterministic encryption for a field, your application passes a deterministic initialization vector to AEAD.

    MongoDB documentation

    We already discussed why this is bad above.

    Wrapping Up

    This was not a comprehensive treatment of the field of database cryptography. There are many areas of this field that I did not cover, nor do I feel qualified to discuss.

    However, I hope anyone who takes the time to read this finds themselves more familiar with the subject.

    Additionally, I hope any developers who think “encrypting data in a database is [easy, trivial] (select appropriate)” will find this broad introduction a humbling experience.

    Art: CMYKat

    https://soatok.blog/2023/03/01/database-cryptography-fur-the-rest-of-us/

    #appliedCryptography #blockCipherModes #cryptography #databaseCryptography #databases #encryptedSearch #HMAC #MongoCrypt #MongoDB #QueryableEncryption #realWorldCryptography #security #SecurityGuidance #SQL #SSE #symmetricCryptography #symmetricSearchableEncryption

  7. My friend, Jane, from Lake Cowichan, was the first senior citizen activist who was arrested in 2021, at Fairy Creek Blockades. She messaged before heading out to meet up with me at HQ camp. She told me she's never been arrested for protesting anything before but due to seeing too much ecocide still happening in her golden years - declared, "Getting arrested for protecting Mother Nature is now on my bucket list" 🌲💦 💗🦅🌲🦉🌲 Jane stayed at HQ camp for 2 nights & on her 3rd day, headed out to chain herself/walker to a tripod hardblock. Jane was arrested, along with 12 others that day, after several hours. Jane is a wonderful human being, a musician, a fibers artist, a Mother & Grandmother, who loves nature very much.

    #RadicalSeniors #AwesomeElders #ClimateAction #Activists #AsianMastodon #AncientForestDefenders #BritishColumbia #StopDeforestation #StopEcocide #blockade #FairyCreekBlockade #SaveOldGrowth #WorthMoreStanding #VancouverIsland #VanIsle #PacificNorthwest #OneEarth #TreesOverGreed #PNW #StandEarth #EcoJustice #AbolishRCMPCIRG #BCpoli #BCNDP #BCForestryReform #environmentalists #ecological #ClimateChange #CarbonSink #BCOldGrowth #ProtectTrees #SilentSunday #Cascadia #RadicalSeniorCitizens #DirectAction #Resistance

  8. This Thursday I'm back on hosting duties for monthly comedy night SIPS & GIGGLES in Wakefield 🍹

    9 comedians (and me) at RBT VIDEO on Northgate - mic goes hot at 8pm, free in but bring cash to chuck in the bucket for the acts.

    This month I'm welcoming Rachel Cracknell, Jamie Mcauley, Lewis Costello, Lucy Holbrook, Rachel Selkirk, Louis Etinne, Perry Martins, Annabelle Devey and Tom Douglas.

    #comedy #comedyClub #comedyNight #wakefield #westYorkshire #Yorkshire

  9. #TheMetalDogArticleList
    #guitarworld
    “He’d call me at four in the morning and leave a 15-minute guitar solo on my voicemail”: Serj Tankian on his collaborations with the enigmatic Buckethead – and the time they played a high school battle of the bands together
    From taxidermy-inspired music videos to playing a high school battle of the bands as fully grown adults, the System of a Down frontman recalls his artistic camaraderie with Buckethead

    guitarworld.com/news/serj-tank

    #SerjTankian #Buckethead

  10. Thank you Peter of 'The Hoon' for this daft story: "Man accidentally shoots himself in the groin". He was in a Walmart, in the meat department....
    It happened in 2018 so it's not exactly news but it still made me laugh/cringe/despair
    azcentral.com/story/news/local
    #OldNews
    #DarwinAward
    #TheKaka

  11. Blue Rag Range Track, VIC

    In this post: Blue Rag Range Track near Dargo in Victoria, Australia: the track, the views, and our route to get there.

    This is the blog of Mark Wordsworm, the travelling worm. I’m a 40-year-old bookmark (give or take a few years) and I proudly boast my own Hallmark serial number, 95 HBM 80-1. You’ll probably want to read all about me and my Travelling Companion (the TC).

    Today’s travel notes

    Me and the TC recently spent a week and a half in the Victorian High Country, a landscape of mountains and valleys in the state of Victoria, Australia. On 23 February, we tackled a bucket-list four-wheel driving track in the area: Blue Rag Range Track.

    The book I’m in

    Lathe of Heaven by Ursula K Le Guin. Every time this worm gets into a book by this author, I’m astounded at the cleanness of her style and the smartness of her plots. This book is no exception.

    Recommended accommodation

    Hinnomunjie Bridge campground in Omeo Valley, Victoria. The site is well laid out on the banks of the Mitta Mitta river, with clean toilets and clear grassy areas to pitch your tent.

    Recommended restaurant

    Dargo Hotel in Dargo.

    Travel tips

    Try to avoid pitching your tent on a slope. The TC, bless her cotton socks, kept waking up with her feet hanging over the end of the bed and a big empty space at the top of the bed. She finally worked out that she was sliding down thanks to the slope.

    The photos

    Me at the trig point at the top of Blue Rag Range Track (elevation 1,700 metres / 5,580 feet):

    Observant readers will notice the trophies stuck to the trig tower, by people who’re proud to make it to the top. We didn’t leave a trophy, but it is indeed a great feeling to have made this trip.

    Observant readers will also notice that it was windy up there! This worm strikes a jaunty pose nonetheless, with my tassel horizontal and a firm grasp from a friendly hand.

    Hyper-observant readers will notice Peg skulking in the book at bottom right. Peg makes occasional appearances in my posts, her firm grip on reality keeping me grounded. But even Peg wasn’t strong enough for the gale at the Blue Rag Range trig point.

    The track

    It took us three and a half hours (12:30pm to 4pm) to drive the track itself, with a one-hour lunch break and stops for photographs.

    At the start of the track is a steep mound with a hole at its crest, ready to trap the unwary vehicle. Most people choose to go round:

    https://youtu.be/1QTcw-_lkZk

    Another video shows the approach to the trig point at the top of the track:

    https://youtu.be/jVQ8oNtN2cg

    Friendly locals in Dargo told us that it’s unwise to venture beyond the trig point. Those who do will almost certainly need help recovering their vehicles, and the Dargo police are inundated with calls for help from drivers who don’t realise the risks.

    The views from the track are stunning, with mountain ranges all round:

    Much of the track runs along the top of the ridge:

    A sign post marks the track part-way along, surrounded by white tree skeletons and scrubby grass:

    Our route

    We started the day by fuelling up in Dargo. This is one of the cars in our convoy:

    The Dargo Hotel offers a good feed. Here’s Beetle the Jeep, lined up and ready to go:

    We left Dargo in mid-morning, following Lind Avenue along the banks of the Dargo River, then Dargo High Plains Road to the start of the track.

    A sign post shows the start of the Blue Rag Range Track on Dargo High Plains Road:

    After reaching the Blue Rag Range trig point, we turned round and went back to Dargo High Plains Road, continuing north to the B500.

    We camped overnight at Hinnomunjie Bridge campground on the banks of the Mitta Mitta river in Omeo Valley. This beautiful fire barrel was made by one of our travelling companions:

    That’s all for today, folks

    #4wd #adventure #australia #BlueRagRangeTrack #bookmark #bookworm #Dargo #HinnomunjieBridge #travel #travellingWorm #travelog #travelogue #Victoria #VictorianHighCountry

  20. My friend, Jane, from Lake Cowichan, was the first senior citizen activist who was arrested in 2021, at Fairy Creek Blockades. She messaged before heading out to meet up with me at HQ camp. She told me she's never been arrested for protesting anything before but due to seeing too much ecocide still happening in her golden years - declared, "Getting arrested for protecting Mother Nature is now on my bucket list" 🌲💦 💗🦅🌲🦉🌲 Jane stayed at HQ camp for 2 nights & on her 3rd day, headed out to chain herself/walker to a tripod hardblock. Jane was arrested, along with 12 others that day, after several hours. Jane is a wonderful human being, a musician, a fibre artist, a Mother & Grandmother, who loves nature very much.

    #RadicalSeniors #AwesomeElders #ClimateAction #Activists #AsianMastodon #AncientForestDefenders #BritishColumbia #StopDeforestation #StopEcocide #blockade #FairyCreekBlockade #SaveOldGrowth #WorthMoreStanding #VancouverIsland #VanIsle #PacificNorthwest #OneEarth #TreesOverGreed #PNW #StandEarth #EcoJustice #AbolishRCMPCIRG #BCpoli #BCNDP #BCForestryReform #environmentalists #ecological #ClimateChange #CarbonSink #BCOldGrowth #ProtectTrees #SilentSunday #Cascadia #RadicalSeniorCitizens #DirectAction #Resistance

  24. Bütcher – On Fowl of Tyrant Wing Review

    By Steel Druhm

    Where is the goat and the chariot? Where is the meat Billy horn that was blowing? The days have gone down in the West behind the hills into the fowl of a Tyrant. 2020 saw the metalverse shaken to its core by the massively infectious sophomore album by Belgian black/trad/thrashers Bütcher. So much rowdy fun was 666 Goats Carry My Chariot that it mattered not a whit that it was entirely composed of well-trod metal tropes. The hyperactive 80s speed with blackened edges was just the right mixture of heavy, catchy, and over-the-top with songs that had teeth. Fast-forward to 2024 and we get the much-anticipated follow-up On Fowl of Tyrant Wing. Can these unheralded goat hoarders rebottle the lightning and magic that made 666 such an out-of-left-field brain smasher? That’s no small ask and no easy feat to manage, even with unlimited goatpower at their disposal!

    Things open with a slick intro loaded with NWoBHM flavor with regal guitar lines that reek of Savage Grace. From there you get launched into burning chaos with the crazy speed-thrashing rampage of “Speed Metal Samurai.” Yes, it’s a cheeseball title but the song is this album’s version of “Iron Bitch” off of 666, so you’ll get shaken, slapped up, and brutally prodded. R Hellshrieker is once again an unhinged maniac at the mic, screaming, growling, shrieking, and singing with lunatic gusto and verve. He even adopts very ICS Vortex high-register cleans for dramatic effect. Rabid riffs and crazed harmonies storm with menace beneath his ravings and the hyperkinetic energy cannot be denied or restrained. The commitment to excess splashes over into “Blessed by the Blade” and the 80s live loudly in the resulting mayhem. It’s speed metal all day with a slight blackened touch and it’s madcap, raucous fun. Hellshrieker straddles the line between enthusiastic thrash bark and wailing King Diamond-esque dramatics to good effect and classic metal elements round out the bashing and add a veneer of accessibility and class. An especially wild outburst arrives with “Keep the Steele (Flamin’ Hot)” where all the chains come off and the Mad Bütcher runs amok. It’s a nuclear speed bomb with no guard rails to keep it safe and things get out of control fast. Hellshrieker really goes off the reservation here, screaming, roaring, and adding little King Diamond theatrics in a vocal slurry. His commands to “bow down to the Powerlord” are especially endearing as that was my nickname in high school.

    The second half of On Fowl of Tyrant Wing is a different beast of an altered color. The last few songs are all much longer and more involved, trying to suture a ton of ideas into cohesive pieces of music with varying degrees of success. “A Sacrifice to Satan’s Spawn” welds NWoBHM bits to Mercyful Fate-esque pieces and slathers it all with guitar-forward excess and a somewhat “restrained” performance by Hellshrieker. It works because it asserts a modicum of moderation. 9-plus minute closer “An Ending in Fyre” exercises no such discipline, dumping Viking black metal, NWoBHM, and classic metal into an industrial cow juicer with unusual flavors flopping out of the thresher. It has good bits and interesting moments but it’s messy, feels a bit forced and duct-taped together, and after 6 minutes it starts to drag. Though the album is only 43-plus minutes, the presence of back-to-back-to-back long songs on the back end makes things feel longer than they are. Worse, the material lacks the same wild novelty and raw hooks that 666 had in abundance. I like it all but I’m only really impressed by certain tracks. That’s a bit of a letdown.

    Musically, Bütcher has a lot going for them. KK Ripper and KV Bonecrusher go all in guitar-wise with furiously jagged riffs stacked on melodic NWoBHM harmonies and grooves. The six-string insanity flows like blood from the n00b recycling unit at AMG HQ, making every track kinetic. There are many slick, memorable moments scattered over the album, and the duo never seems hard up for inspiration. Hellshrieker is a special kind of monster. He’s like 15 people trapped in one body and they all want their time in the spotlight. Screams, death roars, blackened cackles, croons, everything just comes out in seemingly random fashion and it all kinda works. It’s really just an issue of the songs having less bite and staying power this time that undermines the goatworks.

    There’s never going to be a dull Bütcher album. Their all-gas, no-brakes approach guarantees that much. I enjoy On Fowl of Tyrant Wing and several songs are good enough to make playlists. I just don’t see blasting this as much as I did 666 Goats, because I was obsessed with that goatwomit nonsense. I can still recommend it though because good times will be had and the milk of Black Phillip will season your beer salad with many exotic blessings. Go get bucked.

    Rating: 3.0/5.0
    DR: 6 | Format Reviewed: 320 kbps mp3
    Label: Osmose
    Websites: osmoseproductions.bandcamp.com | facebook.com/butcherspeedmetal | instagram.com/butcherspeedmetal
    Releases Worldwide: October 25th, 2024

    #2024 #30 #BelgianMetal #BlackMetal #Bütcher #HeavyMetal #IronAngel #MercyfulFate #Oct24 #OnFowlOfTyrantWing #OsmoseProductions #Review #Reviews #ThrashMetal

  26. Bütcher – On Fowl of Tyrant Wing Review

    By Steel Druhm

    Where is the goat and the chariot? Where is the meat Billy horn that was blowing? The days have gone down in the West behind the hills into the fowl of a Tyrant. 2020 saw the metalverse shaken to its core by the massively infectious sophomore album by Belgian black/trad/thrashers Bütcher. So much rowdy fun was 666 Goats Carry My Chariot that it mattered not a wit that it was entirely composed of well-trod metal tropes. The hyperactive 80s speed with blackened edges was just the right mixture of heavy, catchy, and over-the-top with songs that had teeth. Fast-forward to 2024 and we get the much-anticipated follow-up On Fowl of Tyrant Wing. Can these unheralded goat hoarders rebottle the lightning and magic that made 666 such an out-of-left-field brain smasher? That’s no small ask and no easy feat to manage, even with unlimited goatpower at their disposal!

    Things open with a slick intro loaded with NWoBHM flavor with regal guitar lines that reek of Savage Grace. From there you get launched into burning chaos with the crazy speed-thrashing rampage of “Speed Metal Samurai.” Yes, it’s a cheeseball title but the song is this album’s version of “Iron Bitch” off of 666, so you’ll get shaken, slapped up, and brutally prodded. R Hellshrieker is once again an unhinged maniac at the mic, screaming, growling, shrieking, and singing with lunatic gusto and verve. He even adopts very ICS Vortex high-register cleans for dramatic effect. Rabid riffs and crazed harmonies storm with menace beneath his ravings and the hyperkinetic energy cannot be denied or restrained. The commitment to excess splashes over into “Blessed by the Blade” and the 80s live loudly in the resulting mayhem. It’s speed metal all day with a slight blackened touch and it’s madcap, raucous fun. Hellshrieker straddles the line between enthusiastic thrash bark and wailing King Diamond-esque dramatics to good effect and classic metal elements round out the bashing and add a veneer of accessibility and class. An especially wild outburst arrives with “Keep the Steele (Flamin’ Hot)” where all the chains come off and the Mad Bütcher runs amok. It’s a nuclear speed bomb with no guard rails to keep it safe and things get out of control fast. Hellshrieker really goes off the reservation here, screaming, roaring, and adding little King Diamond theatrics in a vocal slurry. His commands to “bow down to the Powerlord” are especially endearing as that was my nickname in high school.

    The second half of On Fowl of Tyrant Wing is a different beast of an altered color. The last few songs are all much longer and more involved, trying to suture a ton of ideas into cohesive pieces of music with varying degrees of success. “A Sacrifice to Satan’s Spawn” welds NWoBHM bits to Mercyful Fate-esque pieces and slathers it all with guitar-forward excess and a somewhat “restrained” performance by Hellshrieker. It works because it asserts a modicum of moderation. 9-plus minute closer “An Ending in Fyre” exercises not such discipline, dumping Viking black metal, NWoBHM, and classic metal into an industrial cow juicer with unusual flavors flopping out of the thresher. It has good bits and interesting moments but it’s messy, feels a bit forced and duct-taped together, and after 6 minutes it starts to drag. Though the album is only 43-plus minutes, the presence of back-to-back-to-back long songs on the back end makes things feel longer than they are. Worse, the material lacks the same wild novelty and raw hooks that 666 had in abundance. I like it all but I’m only really impressed by certain tracks. That’s a bit of a letdown.

    Musically, Bütcher has a lot going for them. KK Ripper and KV Bonecrusher go all in guitar-wise with furiously jagged riffs stacked on melodic NOWoBHM harmonies and grooves. The six-string insanity flows like blood from the n00b recycling unit at AMG HQ, making every track kinetic. There are many slick, memorable moments scattered over the album, and the duo never seems hard up for inspiration. Hellshrieker is a special kind of monster. He’s like 15 people trapped in one body and they all want their time in the spotlight. Screams, death roars, blackened cackles, croons, everything just comes out in seemingly random fashion and it all kinda works. It’s really just an issue of the songs having less bite and staying power this time that undermines the goatworks.

    There’s never going to be a dull Bütcher album. Their all-gas, no-brakes approach guarantees that much. I enjoy On Fowl of Tyrant Wing and several songs are good enough to make playlists. I just don’t see blasting this as much as I did 666 Goats, because I was obsessed with that goatwomit nonsense. I can still recommend it though because good times will be had and the milk of Black Phillip will season your beer salad with many exotic blessings. Go get bucked.

    Rating: 3.0/5.0
    DR: 6 | Format Reviewed: 320 kbps mp3
    Label: Osmose
    Websites: osmoseproductions.bandcamp.com | facebook.com/butcherspeedmetal | instagram.com/butcherspeedmetal
    Releases Worldwide: October 25th, 2024

    #2024 #30 #BelgianMetal #BlackMetal #Bütcher #HeavyMetal #IronAngel #MercyfulFate #Oct24 #OnFowlOfTyrantWing #OsmoseProductions #Review #Reviews #ThrashMetal

  27. OSU Hillel’s Bagel Café now accepts BuckID swipes, aims to expand kosher dining options for Jewish students - Kyrie Thomas

    The order counter at OSU Hillel’s Bagel Café, which is located at 46 E. 16th Ave. Credit: Kyrie Thomas | Campus LTV Producer

    OSU Hillel’s Bagel Café — located at 46 E. 16th Ave. — now accepts BuckID swipes as part of a general movement to increase kosher, on-campus dining options for students.

    Students who live on campus must select an Ohio State dining plan, according to Dining Services’ website. With on-campus living being a requirement for first-year students, having access to food that meets their dietary restrictions is a critical component of the college experience. 

    “I got approved to use one of the off-campus dining plans since there weren’t kosher options on campus,” said Talia Sukienik, a Kosher-keeping student and a second-year in biomedical engineering. 

    Dave Issacs, a university spokesperson, said in an email the university has utilized the same Kosher kitchen as Bagel Café uses to provide food served in Union Marketplace on campus. 

    Swipes allow students to swipe into the three Traditions Dining Halls on campus with their BuckID for both to-go and self-service options, while BuckID cash can be used like a debit card at on-campus and off-campus locations, according to the Dining Services’ website.

    Aaron Portman, campus rabbi and senior Jewish educator at OSU Hillel, said Bagel Café previously only accepted BuckID cash as payment. Letting the eatery allow swipes aligns with OSU Hillel’s goal of bringing more convenience to the university’s Jewish community, he said.

    “This is a really transformative thing, especially for students who are living in the dorms and on a meal plan,” Portman said. “They can have their meals at our kosher café three times a day if they want to, which is exciting.”

    The act of “keeping kosher” relates to dietary restrictions and religious laws surrounding a kosher diet, Portman said. Not mixing meat and milk and ensuring food is certified kosher are the diet’s main two regulations. 

    “There’s different levels of keeping kosher,” Portman said. “Kind of like organic or vegan, you can trust that the food is made a particular way, and for people who keep kosher, it falls within their observance level.”

    Supervised by Buckeye Kosher — a local establishment that supervises all of Columbus’ kosher institutions — Bagel Café strictly follows the aforementioned guidelines, Portman said.

    The café will rotate its options weekly, Portman said. A dairy-based menu will be offered Monday through Wednesday, Thursdays will offer a meat-based menu and Fridays will feature a Shabbat dinner for anyone within Ohio State’s community. 

    “We are one of the few kosher establishments where people can come here and buy food, but we really would love anyone that’s interested in kosher food or learning more about the Jewish community on campus to come to our Hillel building,” Portman said. 

    Though adding Bagel Café to the list of kosher-friendly options covered by Ohio State’s dining plans is a form of progress, Sukienik said there is always room for improvement. 

    “It’d be awesome if we could have more kosher dining hall food where all the food is prepared with the laws of kosher, because there are certain restrictions in place,” Sukienik said. “Then, [Jewish students] could feel more included because anyone could come and they could eat together with their Jewish and non-Jewish friends.”

    Providing a variety of convenient kosher options allows students to enjoy food without the added stress of confirming if it adheres to their religious restrictions, Portman said. Moreover, he said accommodating the kosher diet on a wider scale is a way the university can demonstrate its care for its diverse range of students.

    “We really do hope in the next few years we can use this as a point to show Jewish students from across the country that Ohio State is a place that can really accommodate their religious needs,” Portman said.

  30. Worms, Spiders, Ghosts—Oh My! CH. 5

    The Iron Guardians, Lysandra, Alaric, Eadric, and Gareth, trekked through the forests of the southeastern region of Elyria, walking their horses due to the density of the trees. The sun cast slanted beams of light through the towering canopy, dappling their skin in warm golden patterns. The crunch of dry leaves and rustle of bushes filled the air as they made their way deeper into the forest. King Alaric, always alert and watchful, led the way, his keen senses picking up on any small changes in the environment. Lysandra, her lithe figure graceful and agile, moved with an ease and stealth that belied her profession as a shadow walker. Eadric, the scholar and elder mage, trailed behind them, his eyes scanning the undergrowth for any signs of interest. Gareth, with his enchanted armor glistening in the sunlight, brought up the rear, his wary gaze darting left and right as he scanned the area behind them for anything out of place.

    They had been traveling through the forest for days now, off the beaten path, and fatigue was starting to set in.

    Eadric, looking at the map, said, “The map depicts magical constructs guarding the lair,” but they had yet to encounter any sign of them.

    The air was thick with anticipation and excitement, seasoned with a hint of nervousness. The trill of a bird in the distance or the huff of a distant wind made them all jump, on edge for the unknown that lay ahead.

    “It’s been days going on weeks since we left Grambondll,” Lysandra said, brushing a stray strand of her fiery red hair behind her ear. “How much further to Kaelithorne’s Lair?”

    “I’m not sure,” King Alaric replied, his voice low and measured.

    “According to the map, we should reach the area of the hidden entrance in a few more days, give or take a few,” Eadric stated. He glanced back at Lysandra, who nodded in affirmation.

    Eadric adjusted his pack, making sure his precious scrolls and vials were secure. “The draconic text speaks of golems protecting the entire area,” he warned.

    Gareth grunted. “Eh, construct, monster, what’s one more?” he muttered, hefting his enormous sword. “I’ve faced worse.”

    Lysandra couldn’t help but roll her eyes at the warrior’s bluster. Gareth’s bravado was equal parts infuriating and endearing. She quickened her pace, catching up to Alaric. “Do you really think we’re ready for this? Legends are one thing, but a real guardian…”

    “I am not one to run head first into battle, mind you. There’s a reason they call me a shadow walker, you know,” Lysandra stated, worried.

    The king’s jaw clenched. “We watch out for each other. I expect you and Eadric to hang back when we get there and provide cover support,” Alaric stated. “Besides, we don’t have a choice in the matter, Lysandra. With our combined strength and skills, nothing short of the King of Dragons himself could stop us. Failure is no option—”

    The forest suddenly went silent except for a few birds chirping in the distance as they inched forward.

    They stumbled abruptly out of the forest upon a small glade, the ground soft and carpeted with ferns and wildflowers. The towering trees stood like massive arches around them, their branches stretching high into the sky. In the center of the glade was a large mound of dirt and large rock, and once out of the canopy of the forest, the azure sky above was like a shimmering jewel. As they approached the mound to cross it, they noticed something strange about it; it seemed loose, pulsing gently in time with their hearts.

    The companions froze, every instinct honed by years of danger screaming at them to seek cover. Their horses started to become uneasy, even the birds fell silent, as if sensing the impending doom. The earth beneath their feet began to shake, the tremors rapidly growing in intensity with each passing heartbeat.

    “Run!” Eadric shouted as he took his first step, but it was too late.

    From the depths of the earth erupted a gargantuan purple worm, its segmented body tearing through the forest floor like it was parchment. Its massive, tooth-studded maw gaped open, revealing a cavernous pink interior, while rows of bone like teeth lined its body in perfect symmetry.

    The air split with an ear-piercing shriek, and the monstrous worm hurled large rocks and debris in every direction. Everyone except Alaric was caught off balance and thrown to the ground by the force of its emergence, completely defenseless against the beast.

    Alaric had already drawn his enchanted red blade, its fiery glow slicing effortlessly through a large boulder that fell to the ground split in two behind him. “On your feet!” he bellowed, charging head-first into the maelstrom while drawing his second blade, Wisdom, which beamed with brilliant white energy.

    Alaric was now at a full sprint towards the creature as the group regained their composure. Both his swords were on his right side, the tips dragging on the ground as they started to create a swirl of red and white energy. Meanwhile, the gargantuan purple worm whipped its tail around, revealing a massive stinger half the size of an adult human hurtling towards Alaric.

    The others soon gained their footing and became a tide of steel and magic at his back. Eadric unleashed a barrage of icy shards that ricocheted off the creature’s hide, while Gareth raised his massive sword into the air, creating a swirl of clouds directly above him.

    The worm’s stinger flew with piercing speed as Alaric, screaming, whipped his swords in an upward arc in front of him and over his head, creating an energy burst as he dug his boots into the ground to an abrupt stop. The swirling red and white energy flew into the beast like a large blade slicing into it, disrupting its attack and causing its stinger to miss Alaric completely.

    The clouds above Gareth shot an insanely massive lightning bolt down, striking Gareth’s sword as he held it high. The blade crackled and sparked wildly before he pointed it towards the purple worm and released a sharp lightning bolt from its tip.

    The beast’s tail whipped back at the group, flying right at Gareth. Lysandra’s reflexes kicked in, and she grabbed the back of his armor’s collar, phasing them both backward to safety at the edge of the tree-line, just as towering pines toppled backward like matchsticks.

    Gareth gasped, wincing as his thick skull collided with a low-hanging branch.

    Lysandra grinned. “You’re welcome, dimwit,” she quipped before disappearing back into the fight.

    Eadric’s ice magic slowed the creature’s movements, but it was far from finished. The purple worm thrashed and coiled, striking out with unnerving speed. Alaric and Gareth’s blades chipped away at its armored hide while Lysandra’s enchanted throwing daggers found exposed flesh, eliciting high-pitched, ear-shattering shrieks from the creature. The clearing soon ran with the creature’s acidic blood.

    A low growl rumbled in the beast’s gullet, and its serpentine neck shot forward, jaws gaping wide. Eadric’s ice shield shattered as the worm engulfed him whole, filling his senses with the putrid stench of decay and the rank smell of death.

    “Eadric!” Lysandra screamed, eyes blazing.

    Gareth dove for the worm’s maw, sword raised. Alaric joined him, their blades moving in a lethal ballet as they carved their way through its scaly side.

    Inside the worm’s darkened cavern of a stomach, Eadric choked on noxious fumes, his heart pounding in his chest. He threw a handful of his freezing dust, which mixed with the toxic gas, and was barely able to put up a magic barrier before the ensuing explosion propelled him through the beast’s gaping maw, along with a torrent of stomach acid and half-digested prey. He landed in a gasping, retching heap on the glade.

    The worm howled, flailing in its death throes, before it collapsed lifeless and bloody to the ground.

    “Eadric!” Lysandra dove toward him, her face a mask of relief.

    He spat out foul bile, gulping fresh air. “Thanks for the rescue,” Eadric croaked out, smiling weakly.

    Gareth nudged Alaric. “That,” he grinned, “was the most epic escape I’ve ever seen!” Excitement breathed into Gareth for the first time on their quest.

    Alaric grinned. “I guess Eadric didn’t settle well with the beast,” he said, looking at Gareth while chuckling lightly.

    Exhausted but triumphant, the Iron Guardians stood over their defeated foe. Sweat and blood mingled on their skin, their hearts racing from the adrenaline-fueled battle. They could hear the distant rumble of thunder, warning of an approaching storm. Gareth gestured towards a large rocky outcropping nearby, and they made their way towards it for shelter. As they huddled underneath, the wind picked up, howling through the trees and sending leaves and debris flying through the air. The sky grew darker by the moment as bolts of lightning flashed across it.

    “We need to find better shelter from this storm coming in,” Alaric said to Eadric. “Is there anything close by on the map?”

    “Maybe, let me take a look. Just remember, everything on here is pretty old and might not even exist anymore.” As Eadric pulled out the map, he began scanning every detail of their current area. “There looks to be a small village nearby in the forest here; I have no idea if it is still there. I do not recall ever having heard of it.”

    “Does it have a name?” Lysandra asked sarcastically.

    “The Arcane City of Häwold is what it says here on the map,” Eadric replied.

    “What are we waiting for?” Alaric paused, looking at his companions. “Let’s go; we don’t have time to sit here and decide, or Gareth’s and my armor will turn to rust,” Alaric stated as the storm gained momentum.

    They quickly headed back into the forest from the glade as a light drizzle began to fall. The leafy canopies above did little to muffle the noise as the storm intensified with a thunderous crash so loud the sound wave could be felt as it rang out, for what seemed like minutes.

    “We need to move faster; the storm is gaining momentum,” Gareth panted, a sheen of sweat on his brow. “My armor is not conducive but conductive to lightning! I don’t want to end up like burnt hog meat on a skewer.”

    “Look!” Lysandra pointed ahead to a town. “I think we made it. Just in time, too,” she commented.

    As they approached, the town came into view. It was a ghost town, abandoned, dilapidated and overgrown, as the forest was slowly reclaiming the land. The once-bustling streets were now covered with vines and moss, the buildings crumbling and collapsing in on themselves, some held up only by the foliage growing around them. The air was thick with a sense of panic, as if the very earth whispered dark secrets to them. Lysandra shivered involuntarily, her hand moving instinctively to the hilt of one of her daggers. She glanced at her companions, who were equally wary of their surroundings.

    The rain picked up as they hurried down the cobblestone streets. The only sounds were the pattering rain and the pounding of their hearts. They navigated the overgrown paths, noticing remnants of a past life – a broken-down well, a few collapsed cottages, and a once-grand hall missing two of its walls. The hair on the back of Eadric’s neck stood on end as he felt an unseen presence watching them from the shadows. A prickle of dread danced down his spine.

    Finally, they reached an old inn that was barely held together, its sign swinging dangerously in the wind.

    Eadric stopped to look at the weathered sign as if he had seen a ghost. “Barden’s Cove? This place is supposed to be cursed; I’ve read about this place in the old lore books back at the great library. So that would mean this town is over 900 years old, according to the lore,” he remarked softly. “I’m not sure if this is a good choice. It said the travelers of this inn were brutally murdered at random. Oddly enough, the town was never spoken of.”

    “We don’t have a choice,” Alaric said, kicking open the rickety door. The door’s rusty hinges squealed as it flung open, revealing a dilapidated lobby covered in dust and cobwebs. “We will look for something else after the storm passes. Maybe whatever was killing them died with the town?” Alaric replied questioningly as he walked inside.

    Gareth frowned, his sword at the ready. “This place gives me the creeps.”

    Inside, mildewed tapestries hung in tatters, and rainwater pooled on the warped floorboards. Alaric struck a tinder-box flame he found next to the candelabra, illuminating their grim surroundings.

    “We’ll take watches,” he said, voice laced with weariness. “Gareth, you’re on first watch. I’ll take second watch. Lysandra, you can take third watch with Eadric.”

    As the others bedded down on mildewed couches, Gareth took up position at the far end of the room by the window, his gaze scanning the rain-soaked streets. The storm showed no signs of letting up.

    An hour later, he was joined by Lysandra. “I can’t sleep.”

    “Aren’t you exhausted?” he replied, questioningly.

    “A bit…,” she admitted, perching beside him looking out the window. “Nice view,” she teased, gesturing at the downpour.

    “Hmm,” he muttered, but couldn’t hide his crooked grin.

    They sat in silence together, watching as the storm raged outside. Thunder shook the Inn’s foundations, and the air thickened with tension.

    “Gareth?” she said, her voice a whisper.

    “Yeah?” Gareth replied.

    “Why does it feel like we’re being watched?”

    Gareth’s blood ran cold as he met her worried gaze. “I… I can’t say for sure,” he lied, his hand drifting to the hilt of his sword on his back.

    Suddenly, the rickety door slammed shut with a deafening bang, shattering the quietude and plunging the room into complete darkness. Gareth’s heart raced as he fumbled for a candle, but it was no use; something or someone was toying with them. The hairs on their nape stood at attention as an icy draft caressed their skin, the distinct feeling of unseen eyes upon them.

    “A-Alaric?” Lysandra whimpered, clutching Gareth’s arm.

    “I’m here,” came a strained reply from across the room. “Eadric? Gareth?”

    “Here,” they chorused, their voices barely audible above the howling wind and pounding rain.

    “We’re not alone,” Alaric said, his voice quivering with fear. “And I think our watcher just made themselves known.”

    In that moment, a ghostly glow illuminated the room, revealing a sight straight out of their darkest nightmares. A translucent figure in tattered robes floated before them, its hollowed-eyes brimming with malevolence. Lysandra let out a sharp scream as the apparition raised its spectral hand, its bony fingers stretched towards them.

    “Run!” Gareth bellowed.

    They bolted for the door, but it had been sealed shut, trapping them with their supernatural assailant. The ghost cackled, its voice sending shivers down their spine, and advanced on them, its ethereal form passing through solid objects with ease.

    “We fight!” Eadric commanded, raising his cane towards the apparition.

    Gareth’s mind raced. “I-I’ve got an idea,” he blurted, remembering a passage about the repelling power of iron. “Form a circle! Stay close!”

    Trembling, they did as he said, linking hands as Gareth brandished his sword before them, quickly pouring holy water he kept in a water bladder over the blade. The ghost hesitated, its glowing orbs narrowing in fury.

    “Whatever you are, leave this place at once!” Gareth bellowed, his voice deep with righteous fury. “You have no business here!”

    The apparition hissed, its form shuddering as if repelled by their combined wills and the holy water. With one last menacing glare, it lunged towards them, and as Gareth commanded, divine light shot out of Gareth’s blade in all directions. Unable to get away, the apparition screamed, seeping through the cracks in the walls and vanishing into the stormy night.

    The rain continued to lash against the shutters as they watched.

    “What in the nine hells was that?” Lysandra gasped, her face as pale as the ghost that had just menaced them.

    Alaric shook his head, his eyes wide with terror. “I don’t want to know. Let’s just find a dry spot and wait out the storm.”

    “Let’s clear this place so we can sleep soundly,” Gareth suggested. “Follow me,” he commanded as he headed into the inn and down the hallway.

    Something quickly scuttled across the floorboards. The group tensed, weapons drawn. Was it just the storm or something more? They crept carefully down the stairs, peering into the darkness of the main room. A chill ran down Lysandra’s spine as she saw wisps of mist curling around their feet. The air felt thick and humid from the storm.

    “There better not be any more ghosts or I’ll take my chances with the storm outside,” Lysandra stated timidly.

    Up ahead, a door creaked open ever so slightly, revealing a small room filled with cobwebs and dust. Something moved within, casting long shadows on the walls. With a collective gulp, they rushed forward, swords at the ready. But instead of bandits or monsters, they found an old desk littered with parchments and scrolls. Eadric slammed the door shut quickly, not wanting to invite whatever was out there inside.

    “Looks like we found a potential treasure trove,” Alaric mused, examining one of the documents. “We should search the place for anything useful. Who knows what might be here.”

    King Alaric’s sword Wisdom suddenly shone bright as he spoke, as if sensing the danger close by. The others nodded in agreement, spreading out to comb through the abandoned building. Lysandra felt her heart racing as she descended into the cellar, searching for anything that might provide shelter from the storm. Suddenly, the hairs on the back of her neck stood up, and she froze. There was something else down here…

    As she turned around, she saw it. A dozen pairs of beady eyes stared back at her, surrounded by furry black bodies and hairy legs. Giant wolf spiders, their fangs dripping venom, crawling out of the holes in the corner. Her breath hitched in fear, and she fought the urge to scream. No one must ever know about her irrational fear.

    The group just behind her gasped, seeing this new threat. But she couldn’t move, couldn’t speak. Would they come to her rescue? Or would they think she’d take care of them by herself, as she stared trapped and defeated?

    Gareth charged forward, sword drawn, while Eadric started chanting under his breath. Soon the room filled with a soothing green glow as Alaric finished casting. Then a mighty gust of wind pushed the spiders back and slammed them against the back wall. Some splattered against the wall while the rest quickly regrouped, but they didn’t stop coming, their menacing clicks and clacks echoing in the dank cellar. But it was too late. A spider crawled up her leg, fangs sinking into her skin before she could react.

    “Lyss!” Gareth called out, rushing to her side. “Hold on, stay with me! We’ll get you out of here.”

    She screamed, more out of pain than fear. Gareth wrestled the spider off her leg with his free hand, crushing its body with his boot and stabbing the head with his sword. She felt the venom course through her veins, burning like acid. Gareth grabbed her with his free hand, lifting her over his shoulders as Alaric and Eadric continued to fend off the spiders with their magic. Alaric stayed back to assist Eadric as the group escaped the cellar, running out into the torrential downpour that pummeled them both. Soon after, Eadric and Alaric came sprinting out like their souls had escaped.

    Gareth carried Lysandra, struggling to keep his footing on the muddy road while the storm raged around them, thunder shaking the very ground beneath them. Just then lightning struck a tree close by, catching it on fire in the rain and bathing them in blinding light. He could hear her shallow breaths and smell her sweat mixed with the rain. Her soft curves pressed against him, her body limp in his arms. He clenched his teeth, fighting the urge to comfort her as they tread through the treacherous overgrown street. The rain was relentless, pounding on his armor, soaking him to the bone. A cold shiver raced through his body as he spotted a clearing up ahead. He couldn’t lose her now, Gareth thought anxiously.

    Eadric created an invisible energy shield around them, protecting them from the storm. They huddled together, protected from the elements yet still drenched to the bone. The paladin’s gaze was focused as he laid her down gently onto the wet earth. Then, laying his sword over her, he held his hands upward over her, closing his eyes calmly while chanting.

    “Amidst the hall of death I stand,

    Yet despair shall not consume me,

    Even when faced with wickedness and despair,

    Be it foe or treachery.

    Though death’s touch lingers on me,

    My blessed sword shines bright,

    For it shall guide me to the halls of light,

    And stand as sentinel for all God’s children.

    Until the hour of my dying breath,

    I shall go fearless,

    into the serpent’s den,

    Wielding my blade for heaven.”

    Gareth’s voice rose, fervent and passionate, as he held his hands tenderly over Lysandra’s body and the venom started slowly pulling out of Lysandra into the air. Eadric quickly pulled a vial from his pocket and filled it with some of the venom. Swiftly, the rest of the venom started to evaporate.

    “I think I removed all of the poison! Let’s get the hell off this street and out of the storm!” Gareth shouted over the intensity of the storm.

    Gareth quickly but carefully picked up Lysandra, who was still unconscious. The group made their way down the street quickly, the rain beating down on rotten wooden structures and abandoned shacks like tiny knives hitting an impenetrable wall. The wind was howling like a hungry beast. As they continued down the street the rain kept coming down so fast that the streets started to flood and become a muddy mess under them. It was as if nature itself was against them, trying as it might to drive them back and off course.

    Finally, they found an old stone library barely standing. Its interior was dry and safe from the storm, providing some respite. King Alaric dropped to the floor just inside, leaning against a table. “We’ve come so far,” he said, panting heavily. “But we’re not done yet.”

    Eadric nodded in agreement sitting next to him. “This storm won’t let up anytime soon; we need to recover our strength.” He closed his eyes, seemingly lost in thought.

    Gareth placed Lysandra gently on the floor, then quickly pulled out a fur blanket and wrapped her in it to keep her warm. Shortly after, Gareth joined King Alaric and Eadric against the table. Alaric pulled out a flask from his belt and took a long swig before handing it to him. He accepted gratefully, taking small sips as he tried to ignore the burning sensation in his throat. Gareth never drank, as he was usually training. “What now?” he asked between gulps, trying not to cough.

    Eadric opened his eyes again, his brow furrowed. “I’ve studied these Golems for years. They’re not your typical sentinels,” he said slowly. “They are assembled using old world magic. Something much stronger and far more dangerous than what you would find today. We’ll have to use our wits if we wish to pass them.”

    “Wits and brute force,” Gareth added with a grunt.

    Eadric laughed at Gareth’s remark. “These Golems were designed to guard the Dragon King’s lair. Each one was built, then imbued with magic. This magic is the life force of these Golems. If you understand how they work, they become simple traps to dismantle. These days spell casters use more humanitarian methods for protecting areas. Ones that are also much more difficult to defend against.”

    Alaric turned to Gareth. “The lore told tales of their savage nature; even a scratch from one could prove fatal if you don’t nullify their magic.” They couldn’t afford any more injuries, Alaric thought. “We will stay back and let Eadric take care of these guardians.”

    “I’m starting a fire; the temperature keeps dropping and we need to stay warm,” Eadric announced before pointing his cane and casting a fire spell on the stone floor in front of them.

    “I’ll watch the entrance, but be mindful of the inner door as well. We have no idea what’s in this place,” Gareth said as he sat in a chair facing the window over by Lysandra.

    Shortly they had a small fire that was somehow warming the entire room.

    After a few minutes Lysandra slowly came to; Gareth caught her sloth-like movements out of the corner of his eye.

    “Are you alright?” Gareth asked, concern etched on his face.

    She nodded, trying to catch her breath. “I’ll live.” Her voice was hoarse from dehydration and pain. “Did I ever say I hate spiders?” she said, forcing a smirk with what little energy she had.

    “Just rest. The danger has passed,” Gareth replied, concerned. “Here, drink this; it will help,” he said as he handed her a bladder of water, but Lysandra had already passed out, still completely exhausted. Gareth placed the bladder next to her for when she woke again.

    Eadric walked over to Lysandra and started to murmur incantations under his breath as he waved his hand above her. Soon, and just for an instant, Lysandra’s skin glowed orange.

    “That should help speed her recovery,” Eadric stated as he looked over to Gareth. “She is worn from today’s events. The poison had worked its way pretty deep before you removed it. Let her rest; she will be fine in time,” he declared before sitting back down over by Alaric.

    The storm raged on outside, thunder shaking the walls and rain pounding against the windows all while the temperature kept dropping. Gareth’s gaze never left the window facing down the street towards the inn they narrowly escaped. The howling wind and endless rain created an eerie symphony, like the world was crying. He couldn’t help but think about home, about his mother’s warm cooking and sister’s laughter. But here he was, far from home, fighting for a cause he barely understood. With people he found himself starting to care for like a family.

    Soon enough, everyone was asleep, except for Gareth who found himself watching Lysandra as she slept next to him – her chest rising and falling rhythmically under her stretchy black wraps she wore on her torso like a long shirt and legs like tights. He couldn’t shake the feeling that there was more to her than met the eye. She seemed so vulnerable in her sleep, and yet he knew she could handle herself just as well as he could.

    Gareth sat up straighter, his sword’s shaft resting against his inner thigh and shoulder. His eyes darted to the door every time there was a loud crash of thunder or gust of wind. He knew they were safe in their temporary shelter, but the tension remained.

    King Alaric paced the room during his watch, a solemn expression on his face. He trusted Eadric’s knowledge but still couldn’t shake the feeling that they were walking into a trap. He began to strategize how to avoid the dangers as much as possible.

    The night passed slowly, with each hour marked by another round of thunder and lightning. Eadric murmured incantations under his breath during his watch, casting spells and wards to keep them safe while they slept.

    The rain slowly turned to sleet, then quickly to snow. In the early hours of the morning Eadric cast warmth spells, making sure the group stayed comfortable. Eventually sleep took its hold over Gareth as he slowly nodded off, not moving an inch, as if made of stone, while his massive sword stayed rested against him.

    Finally, dawn broke. The storm had passed, leaving only a few inches of snow on the ground. Gareth felt exhausted; he hadn’t slept well. His mind was consumed with thoughts of Lysandra and how she was feeling. He rose to his feet as Alaric grunted awake.

    “Any sign of trouble?” Alaric asked, slowly gaining composure and rubbing his eyes.

    “Not last night, but look,” Gareth pointed outside. The spiders from yesterday were crawling over the building they’d left down the street, their many legs making sinister patterns on the walls. “They’re back.”

    Gareth put on a heavy pelt tunic over his armor, then swung his sword over his broad shoulder, letting it come to rest there. “I’ve had enough of these damn spiders. Wait here, I’ll take care of this. Eadric, select what’s for breakfast, I’m starving,” Gareth declared as he ducked under and passed through the doorway leading outside, his footsteps crunching on the freshly fallen snow. The air was colder now and crisp as he took in a deep breath.

    “Let’s do this,” Gareth mumbled, psyching himself up as he walked down the road towards the cursed Inn.

    The spiders were relentless, their fangs dripping venom as they spotted him approaching.

    “I’m gonna make short work of you pests. Hurt my friends, you’ll taste this blade,” he said, walking up as if talking to the spiders.

    Gareth stretched his sword out to his side, with the blade parallel to the ground, then quickly twisted his wrist forward, turning the blade in the spiders’ general direction. He started whipping his arm around, immediately shooting out a blinding light that seemed brighter than the sun, driving most of the spiders back into the Inn. The remaining half dozen or so were hacked through with his massive blade, his sword humming through the air casually and with a deadly efficiency, like he was chopping blades of grass.

    The group watched as Gareth aggressively controlled the entire fight like a divine entity. Alaric was getting dressed as fast as he could while Eadric was sitting calmly going over the choices for breakfast.

    “Relax, Alaric. The boy can take care of a few spiders,” Eadric said as he stood and walked over to Alaric, holding food in both hands.

    “Now for the important question, Alaric: eggs with hash?” Eadric said, raising his right hand, which held a plate. “Or leftover mushroom mash with garlic on rye toast?”

    “Toas…,” Alaric begrudgingly starts to reply as Eadric stuffs the toast into his mouth. Alaric eyes Eadric as he smirks, leaving the eggs and hash and walking over to Lysandra.

    Gareth cast the rest of the giant spiders back into the Inn with one more shot of blinding light from his blade. Just then he stabbed his sword into the ground next to him, and his hands started weaving through the air as if he were conducting an orchestra. The spiders started to crawl and overtake the building, consuming it. Shortly after casting, a large celestial appeared in the air above the Inn, casting a massive beam of fire directly down onto the cursed Inn, smashing the old glass out and destroying the building and everything within.

    “Gareth one, Spiders zero.” Gareth chuckles to himself.

    His efforts paid off, and soon the fight was over. The spiders lay singed and lifeless as the inn was now in rubble and on fire. Gareth started to walk back to the Library carrying his sword over his shoulder, while snow started to fall again softly to the ground. The group breathed a collective sigh of relief, but they kept their wits about them as they were only getting started.

    “Lysandra,” Eadric says softly as he gently presses against her shoulder, crouched over her holding the eggs and hash plate.

    Lysandra slowly came to and as she sat up, Eadric comically dropped the plate in her lap, causing her to wince as she caught it.

    “Eat up, we need you strong,” Eadric says, walking back over to the fire.

    “Thanks,” Lysandra said half heartedly.

    Gareth came back through the entrance into the room, placing his sword by the door.

    “Lysandra, I see you’ve returned to the living.” Gareth smirks, looking over at her as he stands next to Eadric, who has a plate of eggs and hash stretched out at him as an offer.

    “Don’t let him fool you, Lysandra, the boy was worried to death about you last night,” Eadric remarks, smirking at Gareth.

    “Funny,” Gareth replies.

    “I would joke but I’m too exhausted,” Lysandra replies, choking down the food before lying back down.

    The storm was back as a full-on blizzard now; with early winter under way, the group needed to head further into the old dilapidated Library.

    “Gareth, Eadric, we need to search this library and find a more suitable stay until this weather passes. Lysandra, you need to stay here and rest until your strength is back,” Alaric declares. “The rest, grab your gear and let’s go sweep the library. Let’s try to be more careful this time. We don’t need any more injuries.”

    Alaric slowly unsheathed Wisdom as he opened the large nailed wooden door into the hallway leading to the main hall of the library. The tension was palpable as the adventurers cautiously entered the dusty library, guided by the dim light filtering through the stained-glass windows. The air reeked of mold and decay, and the silence was heavy enough to suffocate. Gareth’s heart pounded in his chest as he carefully approached the pedestal, his eyes transfixed on the ancient tome. His hand reached out confidently to pick it up.

    “Wait!” Eadric hissed, his voice barely above a whisper. “There might be traps.”

    Gareth froze, his hand mere inches from the book. Eadric cautiously circled the pedestal, searching for any signs of booby traps or magical wards. Satisfied that the book was clear, Eadric nodded.

    “I think it’s safe,” he said, his voice still hushed.

    Gareth exhaled in relief and gently picked up the tome. A thin layer of dust rose into the air as he opened the cover, sending chills down their spines. He began to leaf through the yellowed pages, his eyes darting over the archaic script.

    “It’s the arch mage’s journal. Or it seems to be that of a senior member,” Gareth states, handing the book over to Eadric. “What do you think?”

    Gareth looked at the name on the book and a look of dread immediately spread across his face. “We should leave while we can. There is very strong magic in this place and we don’t want to disturb it.”

    “We don’t need any more problems than we already have, let’s get out of here,” Alaric whispers.

    As they backed away from the pedestal, a sinister creaking echoed through the library. The air seemed to thicken, and the stench of death became stronger. The adventurers turned as one, their senses on high alert. From the shadows, a chilling hiss filled the room, and a legion of undead creatures shambled into the dim light from nowhere. Bones clacking and foul-smelling, they advanced, their hollowed-out eyes fixated on the interlopers.

    “Great, what are we waiting for?” Gareth grumbled sarcastically, “Let’s get this over with.”

    Gareth drew his sword from its sheath, hands tightening on the hilt as he became more serious. “Looks like we’ll have to fight our way out. You hold them off while I work my magic – pun intended,” he said with a smirk.

    As the undead horde closed in, Eadric and Alaric stood in front of Gareth while he started to chant, ready to face the evil undead horde in front of them.

    From the depths of the shadows, a sinister voice laughed, mocking their determination. “You fools,” it cackled. “You’ve played right into my hands.”

    The chilling laughter reverberated off the walls, raising goosebumps on their arms. Suddenly, the undead creatures stopped their advance, turning as one to face the source of the voice. Emerging from the darkness, a cloaked figure glided into the flickering light.

    “My, my, what have we here?” the figure purred, his emerald eyes glinting with malice. “If it isn’t our intrepid heroes, come to end my reign of terror.”

    “You know nothing of us or our intentions,” Gareth growled, stepping in front of the others. “Don’t listen to his lies,” he exclaims, looking at the group. “Show yourself, coward!”

    With a flourish, the figure tossed back his hood, revealing the face of none other than the High Mage, whose journal they had grabbed. Gasps of disbelief escaped Eadric’s lips, while Alaric’s grip tightened on his sword.

    “It’s the High Mage from the journal!” Eadric uttered.

    “I’ve been waiting for you,” the High Mage cackled. “The power in this place has kept me strong; thanks to you, it’s time to finish my transformation.” With a grand gesture, the floor began to fracture beneath them. “I will use your life force to complete my ritual. Die, you fools!”

    The companions had no choice but to leap for their lives as the chamber bucked and heaved, the undead horde tumbling into the new-formed crevices. Alaric grabbed the back of Gareth’s chest plate as Gareth almost slipped into one of the gaping crevices.

    “Hold on,” Eadric yelled as he cast a magic bubble separating them from the arch mage’s attack just as the ground beneath gave way. Eadric then swiftly levitated them over the chasm to a stable area of the room before the bubble dissipated, the High Mage cackling with malignant glee.

    “Foolish children,” he sneered. “You cannot stop the inevitable!” With a flick of his wrist, the undead throng began to climb out of the crevasses, their rotting limbs flailing towards them as lightning crackled from the mage’s aura.

    “We end this now,” Alaric shouted, determination in his eyes. He shot a couple bolts from his wrist at the High Mage, but they disintegrated before reaching him.

    The High Mage sneered and declared, “Your toys will not protect you. Soon, you will join my army of undead!” He lifted his hand towards Alaric, releasing a bolt of electricity in his direction. However, Alaric’s armor dispelled the magic as he took the hit head on.

    Gareth’s face twisted into a look of pure rage as he lifted his sword and bellowed, “Shut your mouth, fool! You don’t even know you’re already dead!”

    Gareth’s voice echoes through the chamber, his chant growing louder and more fervent as he holds his gleaming blade aloft. “I banish you! I banish you from the light!” he cries, his eyes blazing with determination. The undead, their rotting bodies encircling Gareth and his companions, seem to cower at his words.

    With a sudden burst of energy, a brilliant, radiant light shoots through the stained glass windows and into the dark chamber. It bathes the room in a warm glow, illuminating every corner and casting shadows on the faces of the undead. They screech and writhe as they are consumed by the holy light, their silhouettes etched into the ground beneath them like dark stains.

    But amidst the chaos, the High Mage remains unfazed. His expression is twisted into a scowl as he floats menacingly above them, his power still pulsing through the air. Gareth stands tall, his sword still held high as he stares defiantly at his enemy. Victory may be within reach, but their battle is far from over.

    As the tension mounted, Eadric brandished his glowing cane with ferocity. Alaric gripped his sword tightly, knowing he couldn’t reach the elusive spirit. But then, Eadric summoned a powerful column of ice, creating a bridge from them to their target. Suddenly, a crackling black light surged through the air like electrifying lightning from Eadric’s cane, striking the arch mage with deadly precision. The mage let out a gut-wrenching shriek as the dark energy consumed the entire room in its chaotic grasp.

    Amidst the dimming light, every eye was drawn to Alaric as he launched from the edge of the ice bridge, his sword of wisdom blazing like a beacon. With a fierce thrust, it impaled the High Mage’s chest, unleashing a surge of electric and magical energy that reverberated through the room. Alaric was sent flying back against the wall, his armor charred and singed from the intense impact.

    “Alaric!” Lysandra’s voice pierced the tense air, her footsteps echoing through the dimly lit chamber as she hurried back to him. King Alaric lay still against the rough stone wall, his chest rising and falling in a steady rhythm, a faint furrow on his brow hinting at his temporary state of unconsciousness. The flickering torchlight cast gentle shadows on his features, emphasizing the peaceful expression that graced his face, reassuring all that he was merely resting.

    Eadric frowned, tapping his cane on the missing floorboards. “This won’t do at all,” he muttered. With a flick of his wrist and a sharp focus of his mind, the room began to restore itself – floor and windows included. Eadric’s intense concentration was evident as he worked his magic.

    “That’s a neat trick,” Gareth remarks, watching everything slowly going back together.

    With a sigh, Lysandra offers her hand to Alaric and helps him up. “I suppose we should search the rest of the building,” she says. “Although, I highly doubt we’ll find anything after all that noise.” Alaric brushes off his clothes as he stands.

    As night fell, they made camp in the grand hall of the ancient castle. Eadric, ever vigilant, took first and last watch while Lysandra rested, her injuries still not fully healed. His keen eyes scanned the darkness for any sign of movement, his hand firmly clutching his sword. Alaric found a bench to settle on, exhaustion tugging at his bones. He closed his eyes and let himself drift off, dreaming of S’vyrra’s warm embrace, a cold ale in hand, and a hearty meal waiting for him. Gareth took second watch, sitting by the dwindling fire. The embers crackled and sparked, casting an orange glow over his features. But even as the fire died down, there was another flame that burned bright in his mind – the alluring figure of Lysandra. Her intoxicating aroma lingered in his memory, drawing him back to thoughts of her soft touch and captivating presence. Despite the darkness surrounding them, her light shone through and left Gareth entranced.

    As the weight of exhaustion finally pulled his eyelids shut, Gareth was greeted by the familiar sight of Lysandra’s face. Her delicate features were illuminated by a small, mischievous smile that both unsettled and excited him in his dreams. The image lingered in his mind, taunting him with its alluring yet elusive nature. He could almost feel her breath on his skin and the warmth of her touch, making it difficult for him to fully surrender to sleep. But as he drifted off, he couldn’t help but wonder if this vision was a mere figment of his imagination or a manifestation of his deepest desires.

    In the morning, they awoke to a world covered in white; the snow blanketing everything outside. The storm had passed, leaving behind a sense of calm. They gathered by the window, peering out at the landscape transformed by the snowstorm. A fresh layer of powdery snow covered the ground, making their surroundings look almost ethereal.

    “Well, that was quite the storm,” Lysandra said, rubbing her eyes. “It’s like nature itself was trying to keep us away from whatever lies ahead.”

    “Aye,” Alaric agreed, looking out at the snow-covered trees. “We’ve come this far, we might as well see it through.”

    The group broke their fast with the food they had, their stomachs growling in appreciation of the warm meal. They set out again, trudging through the snow. The world seemed to be endlessly white, and it was easy to lose track of time.

    As they journeyed deeper into the forest, they noticed the trees growing thicker and more twisted, as if they were alive with malice. The air became colder, and the snow deeper. The wind picked up again, but this time it was less fierce than before. The group huddled together against the bitter chill.

    “We need shelter,” King Alaric said, leading them to a low overhang carved into the large rock face ahead. It was just big enough for all of them, so it would have to do. They huddled close to stay warm, the fire crackling merrily between them. “We’ll rest here for the night,” he assured them.

    “At least the ground is untouched under it,” Eadric says as he starts cooking a meal, using dried meats and vegetables from their packs. The smell of sizzling venison filled the air, making their mouths water.

    Lysandra settled down next to Gareth, pulling her cloak tight around her. He put an arm around her shoulders, giving her a reassuring squeeze.

    She leaned into him; her warm breath caressed his cheek as she whispered, “I never thanked you for rescuing me, Gareth.”

    “Don’t,” he replied. “We’re in this together. I would expect the same from any of you.” Despite his own fears, he couldn’t help but feel a sense of camaraderie with her.

    Lysandra rolled her eyes. “You get a pass today, but tomorrow I go back to teasing you when you say stupid things like that.” She smirked as they sat there, trying to stay warm, huddled together.

    “Ok, food’s ready.” Eadric passed the food down as they all sat huddled together, Eadric, Alaric, Lysandra, and Gareth at the end.

    Eadric kicked the fire into the snow, then cast a barrier spell in a 15-meter radius all around them, keeping the elements out. He then cleared off the snow in a small area in front of them using a wind spell.

    “This was always your father’s favorite part on our journeys, Alaric,” Eadric stated before rubbing his hands together ferociously back and forth.

    It was as if he was trying to start a fire with them like you would with kindling. After a short while everything became warm and the snow in the barrier started to melt.

    Then he summoned a large tent for them.

    “That’s insane!” Lysandra states excitedly as she jumps up and heads into the tent.

    “Thanks,” Gareth says as he also heads in the tent following Lysandra like a stray puppy.

    “Where the hell has this been?” Alaric remarks, looking at Eadric while outstretching his arms and gesturing at the tent.

    “It’s too cold to stay out under the stars,” Eadric replies. “The barrier spell will only last a couple of hours. Oh, and the tent has been in your bag of holding. I just summoned it out.” He smirks as he enters the tent, Alaric smirking, following directly behind.

    Back at the palace, winter was under way, and the snow-covered gardens looked like molded white marble. S’vyrra, the fierce Queen of the kingdom, was in deep discussion with her council about the brewing trouble on the eastern shores. Meanwhile, Rivlet, her trusted Chief Commander, was sending updates on the current situation with the kingdom via the little magic box Eadric had crafted.

    “As Chief Commander I recommend we send a full regiment out to the edge of the eastern mountains to help keep an eye on this trouble and find out what exactly is going on. Make sure to send a full team of experienced mages to lead; I don’t want any rookies on this mission,” Rivlet stated to the council members.

    The long, drawn-out debate among the council members festered an air of unease in the room. Eyes darted back and forth, voices rising and falling in intensity as each member voiced their concerns and proposed solutions to the growing threat on the eastern shores. Queen S’vyrra’s patience wore thin, and she slammed her fist on the table, silencing the bickering crowd.

    Queen S’vyrra chimed in, “That is an excellent suggestion, Chief Commander.” She pauses, scanning the room with her eyes. “I won’t tolerate any further disagreements,” she declares firmly. “We must act quickly and take control of the situation before this threat spreads to the entire eastern shore and potentially beyond,” she states confidently.

    The council fell in line with S’vyrra’s orders, letting Rivlet send his Regiment.

    “I’ll get started right away.”

    “I assume you will be a part of this, won’t you, Rivlet?” S’vyrra smirks.

    “You know me too well, Queen.” Rivlet smirks.

    “Very well, take only your best fighters. Ithic, make sure to assist Rivlet and send your best platoons of mages. Some are the most advanced I have ever seen. They will be of great assistance, I am sure,” S’vyrra states.

    Rivlet nodded. “Of course. Ithic and I will pull the troops together shortly. Now if you will please excuse us.” The council dismissed Rivlet and Ithic, who quickly departed to assemble the Regiment.

    #ActionAndAdventure #adventure #book #books #chapter5 #Elyria #fantasy #fiction #fictionSeries #fictionalStories #landOfElyria #MysticalLandOfElyria #novel #shortStory #storiesByDbw #writing