[cryptography] caring requires data

ianG
Mon Oct 13 06:40:35 EDT 2014

On 13/10/2014 01:03 am, coderman wrote:
> On 9/22/14, coderman <coderman at gmail.com> wrote:
>> ...
>>> Please elaborate.  TKIP has not been identified as an ‘active attack’
>>> vector.
> hi nymble,
> it appears no one cares about downgrade attacks, like no one cares
> about MitM (see mobile apps and software update mechanisms). [0]

No, and I argue that nobody should care about MITM nor downgrade attacks
nor any other theoretical laboratory thing.  I also argue that people
shouldn't worry about shark attacks, lightning or wearing body armour
when shopping.

What distinguishes what we should care about and what we shouldn't is
data.  And analysis of that data.  In absence of data, you're in FUD
land.  Just another religion, or another lightning rod salesman [1].

> 0. "no one cares" - this is not strictly true; people care a bit more
> if you have done significant and detailed analysis of the sort that
> eats lives by the quarter-year. i have long since quit giving freebies
> freely, and instead pick my disclosures carefully with significant
> limitations.

Well, if that translated to data of actual attacks, hacks, losses, then
I'd have more sympathy.

Otherwise, it's all sales in the market for silver bullets.  Or
indistinguishable from, the harder you want people to care, the more a
salesman copies your technique ...

> perhaps i should re-state: "no one working in the public interest
> cares". there is a roaring business for silence and proprietary
> development, and these people care quite a bit.

Yeah, ain't that the truth.  Meanwhile, data...


[1] a "lightning rod salesman" is an expression in earlier American
times which refers to someone selling something you don't really need.
I think, perhaps others could explain it better...

