[cryptography] Javascript Password Hashing: Scrypt with WebCrypto API?

stef s at ctrlc.hu
Mon Mar 16 06:34:14 EDT 2015

On Sun, Mar 15, 2015 at 01:08:48PM +0100, Fabio Pietrosanti (naif) - lists wrote:
> > you should be much more open about your limits.
> Stef, don't troll! :-)

your debating style is cute, ad-hominems, generalisms, dodging of hard
questions, lots of weasel words. not very convincing.

what is less convincing, is for example the fact, that the magyarleaks guys
for example run wordpress and other bugdoors on the same host as your
globaleaks. while at the same time the local government has put them on a
putin-like-ngo-blacklist, sends out the cops they usually send to football
matchesto recover accounting documentation, and are a happy customer of your
friends at hackingteam and finfischer.and your little js app is sitting in the
middle of all this, while you waive your conscience away, luckily parallel
construction will reduce chances of you ever having to admit responsibility.
you can devise scrypt-based password schemes as much as you like, noone really
cares about them, and people like greenwald will be happy to lose their heads
while nodding and drooling to your crypto-porn, but it's useless it will be
easily circumvented.

i argue that leakers leak using mail and facebook does not actually create
such a nice watering hole style attack surface as your shiny js app, hosted
next to the wordpress of the journalists having no clue about such setups or
their maintenance. even silkroad was busted, and those guys at least had some
motivation, as it was their ass, not their sources ass that they wanted to

maybe you want to revisit my questions/statements also in previous and
reconsider responding to them honestly to restore some respect and trust that
you squandered so far.

otr fp: https://www.ctrlc.hu/~stef/otr.txt

More information about the cryptography mailing list