[148571] in cryptography@c2.net mail archive
Re: [Cryptography] Why don't we protect passwords properly?
daemon@ATHENA.MIT.EDU (Patrick Mylund Nielsen)
Sun Dec 22 02:56:42 2013
X-Original-To: cryptography@metzdowd.com
In-Reply-To: <52B686AB.2000609@iang.org>
Date: Sun, 22 Dec 2013 02:40:25 -0500
From: Patrick Mylund Nielsen <cryptography@patrickmylund.com>
To: ianG <iang@iang.org>
Cc: "cryptography@metzdowd.com List" <cryptography@metzdowd.com>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com
On Sun, Dec 22, 2013 at 1:28 AM, ianG <iang@iang.org> wrote:
> On 22/12/13 02:07 AM, Patrick Mylund Nielsen wrote:
>
>> There are people who really should know better: IETF WG members,
>
> Why do you think they should know any better? Just curious...
>
> This is like the old von Mises fallacy of government regulation. He asked
> why it is that people think that the government knows more about the market
> than those in the market? When you analyse what happens in the real world,
> all the signs point to the opposite: if people knew more about the market
> than the players, then they would be in the market making money. The
> reason they join the government is more likely that they know too little to
> be in the market.
>
> What's that old saw about teachers?
Point well taken.
> 3. The amount of stuff to learn to defeat the aggressive knowledgeable
> attacker is seriously scary. One guy could possibly do it after 10 years
> or so, but it really requires a team of diverse strengths. E.g., This week
> there was news of acoustic analysis, which perversely seems to be reverse
> correlated with other side-channel analysis techniques. Oh dear. A month
> ago there was a scare story about jumping airgaps.
Indeed, in light of recent events, it's easy to think that almost anything
a single person or a small team does is futile against a well-equipped
adversary. (I dare say one guy, given any amount of training, would still
be bested by the tendency of any human to make mistakes.) That puts an even
greater emphasis on the need for large groups composed of people with such
diverse strengths to work for the public good.
The best a single person can do is to use whatever is presented to them. If
they're never presented with anything, or don't understand the "why" (and
they actually tried to), you can't really blame them for messing up
something important.
> 4. Critics think every thing should be fixed, and give the developers no
> credit. So criticism is loud, but it more follows the crowd than is
> actually useful.
I certainly don't mean to loudly criticize developers who choose a poor
construction, or make their own, even if it might put many users at risk.
If we know what works, but people continue to do something completely
different after more than a decade of md5crypt and bcrypt, the failure is
on us being... well, poor teachers. (Sorry, I couldn't resist.)
I tend to be the loudest in my criticism when people actively argue
*against* anything but a few iterations of SHA-256 with arguments that
outright dismiss user security without even providing a usability benefit.
When you're having trouble reaching a bigger crowd, misinformation
certainly doesn't help.
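An added example (not part of the message or the thread) of the practical fix for the "few iterations of SHA-256" situation described above: a verify-and-upgrade routine that still accepts records made with a constructed legacy scheme but rehashes them at login with a tunable work factor. PBKDF2-HMAC-SHA256 from the Python standard library stands in for bcrypt here; the record format and the iteration counts are assumptions.

```python
import hashlib
import hmac
import os

# Constructed legacy scheme: a few iterations of plain SHA-256 over salt||password,
# the construction the message argues against. Kept only to verify stored hashes.
LEGACY_ITERS = 3
# Strong replacement (PBKDF2-HMAC-SHA256 stands in for bcrypt/scrypt); the
# iteration count is the work factor and is raised over time.
STRONG_ITERS = 200_000

def legacy_hash(password: bytes, salt: bytes, iters: int = LEGACY_ITERS) -> bytes:
    digest = salt + password
    for _ in range(iters):
        digest = hashlib.sha256(digest).digest()
    return digest

def strong_hash(password: bytes, salt: bytes, iters: int = STRONG_ITERS) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password, salt, iters, dklen=32)

def make_record(password: bytes) -> str:
    """Self-describing record: algorithm, work factor, salt and hash (assumed format)."""
    salt = os.urandom(16)
    return f"pbkdf2-sha256${STRONG_ITERS}${salt.hex()}${strong_hash(password, salt).hex()}"

def verify_and_upgrade(record: str, password: bytes):
    """Return (ok, new_record); new_record is set when the stored hash should be replaced."""
    alg, iters_str, salt_hex, hash_hex = record.split("$")
    iters = int(iters_str)
    salt, stored = bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)
    if alg == "sha256-iter":
        candidate = legacy_hash(password, salt, iters)
    elif alg == "pbkdf2-sha256":
        candidate = strong_hash(password, salt, iters)
    else:
        return False, None
    # Constant-time comparison so the check itself does not leak the stored hash.
    if not hmac.compare_digest(candidate, stored):
        return False, None
    # Legacy hashes, and strong ones below the current work factor, are rehashed
    # now, while the plaintext password is legitimately available at login.
    needs_upgrade = alg != "pbkdf2-sha256" or iters < STRONG_ITERS
    return True, (make_record(password) if needs_upgrade else None)
```

On a successful login the caller stores the returned record in place of the old one, so the weak hashes disappear from the database as users log in.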
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography