Hacker News new | ask | show | jobs
by MaxfordAndSons 3362 days ago
FYI I think you're getting downvoted because NIST is known to have recommended a pseudo-random number generation algorithm that is believed to have been intentionally designed with a backdoor [1], presumably by some US 3 letter agency.

OWASP seems like a decent source for learning about security topics at a high level (particularly web app security).

[1]http://dualec.org/
1 comments
yeukhon 3362 days ago
I didn't follow that discussion closely, so I will avoid the argument here on that subject. Overall, NIST is a good resource for comparison. If you work with government, enterprise security, or compliance, you want to go through NIST. If you have spare time I recommend read https://beta.csrc.nist.gov/publications.

NIST is also responsible for running https://nvd.nist.gov/ which is a great asset for finding CVE.

link
nickpsecurity 3362 days ago
I agree. They got subverted at one point by an organization they thought was helping them. Their overall catalog of advice is OK in that it's a lot of the stuff readers would hear from people they paid for IT or INFOSEC advice. Just free instead. A good example are the recommendations in this one for small, business owners that don't know anything about INFOSEC:

http://nvlpubs.nist.gov/nistpubs/ir/2016/NIST.IR.7621r1.pdf

DISA has the "STIG's" for security configuration:

http://iase.disa.mil/stigs/Pages/index.aspx

The NSA themselves, the Information Assurance Directorate, had guides on hardening various things. There's one for deploying Chrome in the link below that also references STIG on Chrome:

https://www.iad.gov/iad/library/ia-guidance/security-configu...

It would be straight-forward for INFOSEC people to vet the NIST or STIG guides for content accuracy then host that copy on their own sites. Or produce similar guides as some do. Just important to target them at people of low knowledge or competence so they know exactly what they need to do. It's them whose hardware will become part of the next DDOS due to configuration error.

link
MaxfordAndSons 3362 days ago
> They got subverted at one point by an organization they thought was helping them.

Fair points, shouldn't throw the baby out with the bathwater etc. But as a governmental agency, do they have the autonomy to avoid being similarly subverted in the future? Not rhetorical, I genuinely don't know how they are governed/if they can refuse the "help" of the 3 letter agencies.

Which makes me realize, the 3 letter agencies may have still benefitted by the Dual_EC_DRBG scandal coming to light - what they lost in a backdoor, they gained in a chilling effect on the spread of good crypto practices by staining NIST's reputation.

link
nickpsecurity 3362 days ago
"do they have the autonomy to avoid being similarly subverted in the future? Not rhetorical, I genuinely don't know how they are governed/if they can refuse the "help" of the 3 letter agencies."

It could happen to anyone if it's about receiving bad advice from an authority with a conflict of interest. That's why the solution is to either produce good advice for each of the things they're talking about or vet their advice to see if it contains any problems.

"what they lost in a backdoor, they gained in a chilling effect on the spread of good crypto practices by staining NIST's reputation."

I never thought about that. I doubt they intended that but it might be a real benefit for SIGINT side. That's interesting enough angle I'm going to bring it up to regulars on Schneier's blog who discussed the NIST stuff a lot.

link