This was actually going to be the first thing I posted when I read this link.
tptacek repeatedly assured everyone that this was absolutely not a big deal and meant nothing because nobody in their right mind uses the standard.
Except whoops, one of, if not the, largest players in the field. I'm sure he'll have a bunch of really great replies that manage to simultaneously say why this still isn't a big deal and passive-aggressively insult our knowledge of the situation. I look forward to reading what he has to say.
To be fair, the insanity of anyone using it was never called into question. We agree it shouldn't be used. As we all know, science has yet to establish any correlation between sanity and what companies are actually doing in the real world for security.
Edit: Actually, I take that back. I have no problem believing that RSA Security are perfectly sane. Would we be completely shocked if the reason they chose a questionable default was due to coercion from the spooks? Only NSA has the keys, so it's a pretty safe backdoor.
You know, props to China, had to go through the work of owning RSA's seed server last year just to level the playing field. They get so derided in the media for doing that, but it seems unfair when the other team has a backdoor. Who is the real "Advanced Persistent Threat"?
Sorry, that was worded incorrectly. I meant that we all agree it was insane to use it. The contention was over whether or not it was in use, not whether it is a good idea to use.
I should have said calling into question the insanity, will edit.
I don't understand his constant line in the sand on this issue (amongst other things). You basically illustrated exactly how he structures his arguments on this topic.
If I was smart enough to understand what this comment meant, I'd respond to it. Maybe you could clarify? I can't find a way to reconcile it with its parent comment in a way that gives me anything to discuss.
You seem to have already addressed it in another comment:
> Thanks for the link. I would have just gone on confirming my own biases without it.
This is incredibly evident in your comments on Dual_EC and sometimes happens on other comments as well. You draw a line in the sand and argue around it constantly, eventually bleeding into passive-aggressive attacks on the knowledge of others.
I find it valuable to hear from others outside of my industry (which is not crypto) who have no expertise in that field. They often have a fresh and agnostic look at something. Do you think all these comments slinging mud at you - however inaccurate they may be - were born from nothing?
> I have a different explanation for why I always seem to be at odds with people on NSA topics, but I'll wait to provide it.
I'm very interested in that actually. I'm often curious what shapes people's perspectives on these issues, particularly if it doesn't align with any obvious incentives. I always thought that you must have family in law enforcement or something, but I'd love to know the actual reason.
* NSA topics are heavy on computer security issues and legal issues.
* I'm professionally involved in computer security, like you, and have an amateur interest in the law (I'm considering law school at some point).
* Message board nerds have a lot of weird, wrong beliefs about computer security and the law.
There is a political difference between me and HN: I'm not an anarcho-capitalist (that silly "world's smallest political test" thingy puts me dead center in "left liberal"). But politics have little to do with where I end up on the NSA threads; it's things like not understanding (or really, having even skimmed) NIST crypto standards, or not taking the time to understand what the 4th Amendment means. The things that get me into "trouble" here have more to do with taking the time to actually read primary sources than anything else.
We probably disagree about NSA a lot less than you think we do.