Apologies for this being a bit OT as far as the charter of this list goes, and perhaps a bit self-serving as well. I hope you will bear with me.

I'm going to use Adam's comment as a jumping off point. I hope that Adam doesn't mind because I've not asked him in advance. (Right now, Adam is saying to himself "uh oh!". ;-)

On Sat, Feb 18, 2012 at 4:40 AM, Adam Back <[email protected]> wrote:

[BIG SNIP]

> Occam's razor suggests cryptographic incompetence.. number one reason
> deployed systems have crypto fails. Who needs to hire crypto people,
> the developer can hack it together, how hard can it be etc. There's a
> psychological theory of why this kind of thing happens in general -
> the Dunning-Kruger effect. But maybe 1 happened.
>
> [1] http://en.wikipedia.org/wiki/Dunning–Kruger_effect

To a degree, I think it is more ignorance than it is outright incompetence. Overall, developers generally are much better than the general public when it comes to analytic and reasoning abilities. And I think that this Dunning-Kruger effect that you mention is a good explanation.

But this phenomenon goes *way* beyond developers' ignorance of cryptography. It even goes way beyond a general ignorance of information security.

A great example of this is time and time again, I encounter _web_ application developers who have absolutely no clue as to how HTTP works as a protocol. That just seems so counterintuitive to me. Yet at least with the younger web developers, it seems to be the rule rather than the exception.

Some of this can be "blamed" on the fact that web developers deal with higher and higher levels of abstraction, until eventually, they really don't need to understand what a Set-Cookie response header looks like. All of us do this to some extent, but I think it is becoming more common and therefore more noticeable because 1) technology moves at an ever increasing pace and 2) IT management still hasn't figured out that developers can't wear all hats and that there is no substitute for expertise. IT management still thinks that all members of technical staff are completely interchangeable.

What does this have to do with the Dunning-Kruger effect? Well, I think that it encourages developers, especially younger ones, to fake it. Back when I started (now over 30 yrs ago!), it was OK to admit your ignorance, at least at Bell Labs. And you could always find someone to mentor you if you wanted to learn something new. Not so today. Most people are too busy and I haven't seen any _formal_ mentorship programs in any company for at least the past 25 years.

So, let's bring this back to cryptography. I'm going to assume that virtually all of you are somewhat altruistic and are not in this game just to make a boatload of money by keeping all the crypto knowledge within the secret priesthood thereby driving your own salaries up.

For starters, I would urge those of you who are not involved in the open source movement to step up and help out with things like OpenSSL, OpenSSH, cryptographic libraries (in languages *other* than C/C++), etc.

Personally, I would *more* than welcome someone here stepping forward and volunteering to head up the crypto effort in OWASP ESAPI. Even though some people from the NSA have reviewed it, I'm paranoid enough to think that it's what they are NOT telling me that is wrong is what is worrying me.

I know many of you have already contributed (I won't attempt to name names because I'd probably unintentionally leave a few of you out and offend them), but not nearly enough. Most of you who regularly post to this mailing have commented on how you've seen some of the same beginner crypto failures over and over, so how about starting with just a simple crypto HowTo FAQ, maybe an OWASP crypto cheat sheet.

Consider this...If *you* don't help, then the crypto will have to be left up to non-experts like me to work on it. And the only *major* difference between myself and complete crypto newbs is that I know that I don't know (and don't hesitate to squeal for help). Others don't know that they have ignorance, so they don't ask, and we've all seen the result.

Contributions to the community can come in many forms, whether it be simple, like a FAQ, or a single crypto course on YouTube, or something much more complex like a book aimed at beginner / intermediate developers.

From where I sit, I see the following things that the development community in general are lacking when it comes to things crypto:

1) They think that key size is the paramount thing; the bigger the better.
2) They have no clue as to what cipher modes are. It's ECB by default.
3) More importantly, they don't know how to choose a cipher mode (not surprising, given #2). They need to understand the trade-offs.
4) They have no idea about how to generate keys, derived keys, IVs,
5) They don't know what padding is, or when/why to use it.
6) They have a very naive concept of entropy...where/when to use it and from where and how to obtain it.

Fill in your own favorites. These are just the ones that immediately popped to mind.

Thanks for listening, from someone who truly appreciates this community. IMHO, this is the *best* mailing list ever, bar none.

Regards,
-kevin
--
Blog: http://off-the-wall-security.blogspot.com/
"The most likely way for the world to be destroyed, most experts agree, is by accident. That's where we come in; we're computer professionals. We *cause* accidents." -- Nathaniel Borenstein
_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography
