[Cryptography] Boing Boing pushing an RSA Conference boycott

Phillip Hallam-Baker hallam at gmail.com
Wed Jan 15 15:48:59 EST 2014


On Wed, Jan 15, 2014 at 2:24 PM, Jonathan Hunt <j at me.net.nz> wrote:

> Oh come on. Here is Schneier in 2007 linking to a presentation by 2
> very respected cryptographers (Shumow, Ferguson) demonstrating their
> ability to backdoor Dual EC by choosing the constants. This was as bad
> of a break of an RNG as you could possibly hope to see.
> https://www.schneier.com/blog/archives/2007/12/dual_ec_drbg_ad.html
>
> You can choose between explaining RSA's actions as (evil) selling out
> their customers or genuine incompetence at their stated core business.
> But the results above were well-known in the security community since
> 2007 and demonstrated a practical possibility that Dual EC was
> backdoored. From 2008 onwards, leaving Dual EC (with default
> constants) as the default choice for a cryptographic library is not a
> defensible choice.
>
> Jonny
>
> On Wed, Jan 15, 2014 at 10:29 AM, Salz, Rich <rsalz at akamai.com> wrote:
> >> Also, we have the fact that they ignored the warnings that came out
> >> about DUAL_EC, from around 2007 - 2013.
> >> In short, their highly regarded cryptographic experts were not
> >> deployed, not available, not on that job.
> >
> > Perhaps their experts had different opinions. Or perhaps the marketing
> > literature you quoted was somewhat exaggerated; wow, like that's never
> > happened before.
> >
> > It's easy to look backwards and say "they must have been evil."  But
> > unless you were there, or can read minds, that's just an opinion.
>

What then should we do about all the folk clinging to 3DES? How about the
people who stuck with MD5? How about the people who have not junked SHA-1?

Rather than compiling lists of people who should be drummed out of the
industry for bad decisions their companies made in the past, how about
compiling a list of proposals for things that you think people should get
drummed out for in the future?

I remember back in the day when I was having a USENET flame war with Dennis
Ritchie over the then UNIX policy of keeping the password file world
readable. It didn't take them very long to change in the wake of crack
(which arrived a few months later). But boy did they cling to their
religion hard. I should have taken a drive down to the Vatican and got John
Paul II to change his policy on abortion and birth control. It would have
been easier and more chance of success.


-- 
Website: http://hallambaker.com/