[personal profile] ciphergoth
I've posted before about the generally dreadful nature of cryptographic products. Yesterday I got into an argument on bloody Slashdot with a developer about whether he should try to use good crypto or not. Now, unlike jwz I can see that he's not the only one with attitude in this thread, but the result still gets me down.

http://slashdot.org/comments.pl?sid=195651&cid=16032881

Next time you use something that uses crypto, bear in mind that it was probably written by the likes of this guy.

Date: 2006-09-04 05:56 am (UTC)
From: [identity profile] brad.livejournal.com
You don't know my system and I like it that way. Nobody but me should know my system! Explaining it's just too hard.

defensive shields up!

Date: 2006-09-04 08:52 am (UTC)
From: [identity profile] trythil.livejournal.com
That exchange was awesome.

In a sad way.

Date: 2006-09-04 09:14 am (UTC)
From: [personal profile] calum
Doing encryption well in an embedded system is not hard. It's just a case of choosing the right approach for the CPU/memory requirements you have. And he's got a hardware accelerator! Sheesh!

There is a certain amount of that sort of attitude among embedded system programmers I have known - very much an "I have to code in less space and fewer cycles than you, therefore don't try to question how I do things".

There's very much an "it's not possible to do X in an embedded system" attitude floating around, which usually turns out to be false. I had the same argument about writing object-oriented code for embedded systems. Everyone said "you can't do that. It doesn't work in embedded systems. It'll be too slow". Turns out the answer is... "Not if you do it right".

Date: 2006-09-04 11:23 am (UTC)
From: [identity profile] altamira16.livejournal.com
Mistake #1: Reading Slashdot comments

Date: 2006-09-04 01:40 pm (UTC)
From: [identity profile] sjmurdoch.livejournal.com
Amusing thread :-)

Perhaps I am missing something, but is there a need for unpredictable IVs? They should be unique, but wouldn't a counter be adequate, assuming you had sufficient locking to ensure no repetition?

On single pass encryption and authentication, I recently was reading about IGE mode, implemented in OpenSSL. It only needs an extra xor over CBC so looks pretty good.

Profile: ciphergoth (Paul Crowley)
