[Cryptography] Why don't we protect passwords properly?

ianG iang at iang.org
Mon Dec 23 02:17:54 EST 2013


Hi Jerry,

fun debate,

On 22/12/13 16:25 PM, Jerry Leichter wrote:
> On Dec 22, 2013, at 1:28 AM, ianG wrote:
>>> There are people who really should know better: IETF WG members,
>>
>> Why do you think they should know any better?  Just curious...
>>
>> This is like the old von Mises fallacy of government regulation.  He asked why it is that people think that the government knows more about the market than those in the market?...
> Ah, yes, *that* old fallacy.  Based on a complete misunderstanding of people and of regulation.
>
> Regulation defines rules; governments enforce rules.  You don't expect the players in a soccer match to ref the game - or write the rulebook.  There are others who are much better at those things than the players, even though the players are those who know most about actually playing the game.  None of those people maintain the field either.


You are conflating regulation with government.  There is such a thing as 
self-regulation;  and it works well in its context:  The referees are 
appointed by the football associations, which include the players as 
well.  In legal terms, such bodies typically refer their entire disputes 
to their own dispute resolution, something called Arbitration or Alternative 
Dispute Resolution.

Which itself is typically enacted in law in the Arbitration Act (various 
names) in many countries, but its tradition & custom predates most all 
governments in existence today.


> If the only goal people have is maximizing their income - how do you explain that von Mises, who claimed to understand economics and markets so well, spent his career as a government bureaucrat and a professor?  Do as I say, not as I do?


He did what he was best at, and acted to maximise that?  His fallacy was 
pointed at those who believe what they are told without analysis, it was 
also an observation of governments on the field of the market;  it 
wasn't aimed at one man's personal choices.


> Indeed, the same issues apply to cryptography.  The best cryptographers aren't necessarily particularly good at developing software.  The best developers often do crappy UIs.  The best cryptographers, developers, and UI designers aren't generally very good at writing solid standards.  The best standards writers aren't very good at the political/marketing game of getting those standards written, accepted, implemented, and actually used.  Yes, there are rare individuals who can play more than one of these roles at a high level, but there's only so much time in a day and time spent filling one of them detracts from time spent filling another.


Indeed.  Although, your argument assumes a peculiar definition of 'best' 
which hasn't yet surfaced.

What von Mises was assuming is that 'best' was as defined by market 
popularity (in some sense, call it numbers or revenue or profits).  If 
we look at the 'best' in encryption ciphers and hashes, what do we see?

    DES -> IDEA/Blowfish... -> AES

    MD5 -> SHA0 -> SHA1 -> SHA2 -> Keccak

The shift is clearly towards the market;  NIST has discovered that it is 
not really capable of reliably doing better than the market.

Coming back to the IETF committees, they are a fixed target.  They are 
like a government of the net.  Of course they will be subject to the 
same forces that make government bad.


> Hell, even at the level of cryptographers, there's specialization.  Adi Shamir is likely our best cryptanalyst/code breaker, but what new cryptosystems has he developed since RSA?


And, DJB is challenging for the prize for best cryptographer, because 
(today's outrageous claim) he is first and foremost a software engineer.

How many IETF committees is he on?  Adi?

Indeed, why isn't there a committee for cryptography?

Flame away :)



iang

