1. 33
  1. 9

    When I think of Infosec people, I think of unconstructive mocking rants with terrible puns (this one coins Dunning-GNUger, but other ones like ‘Imagetragick’ come to mind) that frequently seem to misunderstand the time in which these systems were developed. It wasn’t so long ago that OpenSSL and GnuPG were seen as the bleeding edge of open source security software, and that C was the only sensible language around if you wanted either performance or interop with different language runtimes.

    Is there anything about this rant that shouldn’t have been a polite email to the GNU Name system people?

    1. 6

      I won’t condemn cryptographers ranting about the poor design of other crypto libraries on their own personal websites. But certainly I would like to see this cryptographer go to the GNU Name people with his concerns, in the interest of having more software in the ecosystem have better cryptography.

      1. 10

        The terrible puns are a coping mechanism for how often those polite emails get ignored 😅

        Suggest un-tagging as rant because although it has some generalizations it’s based on a specific action which it provides resources to understand, and has technical background and such. Borderline rant IMO.

        “Security used to be hard” isn’t really an excuse for doing new crypto wrong. Ultimately an accusatory blog post doesn’t meaningfully harm the project, its maintainers, nor its contributors. However, it might encourage its readers to use alternatives, or at least ask the right questions when developing or choosing solutions.

        Overall I’m disappointed by the comments on this post. Lots of “won’t anyone think of the developers privileged enough to have free time to donate to developing software” and not a lot of compelling cryptography discussion.

        1. 0

          Ultimately an accusatory blog post doesn’t meaningfully harm the project, its maintainers, nor its contributors

          That’s an interesting assumption. Blog posts and open source work are widely seen as being good for someone’s career. If a blog loudly calls non-anonymous people out as being incompetent in their chosen field, why couldn’t that have the opposite effect?

          Some of the GnuPG people rely on donations to work on it full-time. I would say that bad publicity for GnuPG affects them rather directly. Maybe this is warranted, but I would call it meaningful harm.

          But the author has updated his original post; his criticism of GNU Name seems to have been based on a misunderstanding.

          1. 4

            I appreciate the edit the author made, and it’s a good catch by the commenter, but the overall opinion of the article didn’t shift as a result.

            A blog post like this can provide those contributors with essentially free security review/cryptanalysis, even if of limited scope or detail. The same technical content that gives it weight gives it value. Maybe it discourages someone from donating in the short term, but if it leads to a long-term better product, that’s good, and the short term effects can likely be countered by a reasoned response (especially if you respond to a rant in good faith, it’s a good look to be humble).

      2. 3

        The article would have been a lot more constructive if it gave some examples of better alternatives for the various projects mentioned.

        1. 18

          Are you suggesting they should say something like

          What To Use Instead?

          To replace GPG, you want age and minisign.

          To replace GnuTLS or libgcrypt, depending on what you’re using it for, you want one of the following: s2n, OpenSSL/LibreSSL, or Libsodium.

          which they said at the bottom of the article?

          1. 2

            Except Age/Minisign is not a GPG replacement?

            1. 5

              Age replaces file encryption. Minisign replaces signatures.

              Read https://latacora.micro.blog/2019/07/16/the-pgp-problem.html

              A Swiss Army knife does a bunch of things, all of them poorly. PGP does a mediocre job of signing things, a relatively poor job of encrypting them with passwords, and a pretty bad job of encrypting them with public keys. PGP is not an especially good way to securely transfer a file. It’s a clunky way to sign packages. It’s not great at protecting backups. It’s a downright dangerous way to converse in secure messages.

              Back in the MC Hammer era from which PGP originates, “encryption” was its own special thing; there was one tool to send a file, or to back up a directory, and another tool to encrypt and sign a file. Modern cryptography doesn’t work like this; it’s purpose built. Secure messaging wants crypto that is different from secure backups or package signing.

              You may think you want some cryptographic Swiss Army knife that “truly” replaces GPG, but what you really want is secure, single-purpose tools for replacing individual use cases that use modern cryptography and have been extensively reviewed by cryptography and security experts.

              1. 2

                What tool handles the identity and trust mechanism that GPG provides?

                With the multi-tool approach, the user has to re-establish the web of trust every time and learn about each disconnected tool as well.

                1. 2

                  What tool handles the identity and trust mechanism that GPG provides?

                  I hear webs of trust don’t work. Not sure why, but I believe it has to do with the difficulty of changing your root key if it ever becomes compromised.

                  Otherwise, maybe something like minisign, or even minisign itself, could help?

                  1. 1

                    Trust in what context?

                    For code-signing, I designed https://github.com/paragonie/libgossamer

            2. 1

              Totally agreed. But hey, a blog article poo-pooing a thing is much easier to write than one constructively criticizing it and offering solutions. And who has the time these days?

              On a related note, it was once a guaranteed way to get your latest blog article to the top of the orange site if the title contained something like, “Foobar: You’re Doing it Wrong” or “We Need to Talk About Foobar”. Phrases like this are the equivalent of “One Weird Trick” headline clickbait for devs.

              1. 8

                Pretty sure the article offers solutions. It’s at the very bottom though.

            3. [Comment removed by moderator pushcx: If you don't like something irrelevant on the interwebs you can in fact ignore it rather than flame it.]

              1. [Comment removed by moderator pushcx: Pruning troll thread.]

                1. [Comment removed by moderator pushcx: Pruning troll thread.]

                2. [Comment removed by moderator pushcx: Pruning troll thread.]