[Cryptography] Serious paranoia...
Bill Cox
waywardgeek at gmail.com
Thu Dec 26 08:48:11 EST 2013
I regret using "lame" and "crazy rant". I apologize for that. I'll try to
be less inflammatory going forward. I am glad some people responded
seriously about the "shill" question. I didn't know if there would be
several others who felt there seem to be shills now and then or not. The
answer seems to be not many, and I appreciate that answer.
You said, "there is a lot to fear about scrypt" and that kind of statement
sets of my spidey senses. You also said, "one could also ask how safe it
is to sprinkle the secret all over the RAM." I assume you made that
statement knowing that scrypt calls PBKDF2_SHA256 on the password as it's
first step, and "the secret" will be interpreted by most readers as the
password rather than it's hash. Now many of the new poorly informed
readers like me that have joined this list after the Snowden leaks may be
misinformed about scrypt, fearing that it spreads the plaintext password
all over RAM. You probably did that unintentionally, but that's exactly
the sort of thing I suspect the NSA would want.
What scares me is the nearly useless (against custom hardware attacks)
hard-coded key stretching in the tools that protect most of us. When you
turned my question about why we don't properly protect our passwords to a
discussion of why should fear scrypt, I suspected a shill. Sorry about
that. The title of this thread is "serious paranoia" after all. After the
Snowden leaks, just how paranoid should we be?
I suspect the moderators have allowed non-technical discussions like this
in light of the Snowden revelations. There are some serious expert crypto
guys on this list, and I appreciate that some of them are taking the time
to answer these sorts of questions.
By the way, I like the word "dork" because of this Dilbert series:
http://search.dilbert.com/comic/Dorkage
I'll try and find some other way to describe people who are likely not
aware that they are misleading the public.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20131226/84a005d2/attachment.html>
More information about the cryptography
mailing list