Hacker News new | ask | show | jobs
by gjurhgd 145 days ago
Surely someone who has been here as long as you have understands that this type of behavior is not compatible with the guidelines.

> Converse curiously; don't cross-examine.

You could have just corrected them and not goaded them into further revealing their ignorance. Yes, they underestimated how difficult it is to crack 3DES. You could have simply told them that.
2 comments
tptacek 145 days ago
I have no idea who they are or what they were talking about. I think they're thinking about 3DES used as a password hash. I never in 100 years would have guessed that's where they were coming from.

The thread that ensued, a discussion of what it means for a cipher to be obsoleted or unsafe versus "broken", is an actually-interesting question.

I feel pretty OK about how this went.

link
gjurhgd 145 days ago
You could never, in a million years, have guessed by "broken" they meant "it can be decrypted by the public with little effort?" I doubt that. I see no evidence they are talking about a password hash. Here's what they actually cited:

> The DES and Triple DES ciphers, as used in the TLS, SSH, and IPSec protocols and other protocols and products, ...

They're clearly talking about it's use as a cipher. Again, someone who has been here as long as you have should understand that you shouldn't put words in their mouth or be evasive in this way.

The conversation would still have touched on these interesting topics, and would likely have done so more immediately.

link
tptacek 145 days ago
Do we have conflicting premises about what Hashcat is? I'm pretty sure you're just wrong here.
link
gjurhgd 145 days ago
Do we have conflicting premises about what SSH is? I'm pretty sure you're dodging and deflecting from the actual issues here.

They were clearly suggesting that there exists a publicly available tool to attack this algorithm. They clearly didn't care one way or the other about whether it was used in passwords. What they actually cited was vulnerabilities in network services.

You are being disingenuous. Cut it out.

link
tptacek 145 days ago
What are you talking about? No there isn't. There is no "publicly available tool to attack 3DES". Hashcat is a password cracker. You know what else it supports? AES. Is AES broken?
link
gjurhgd 145 days ago
It's very difficult for me to imagine a way you could have read my remarks in good faith and come to that conclusion. I hope someday you figure this out, I guess I have no hope of explaining it.
link
zxcvasd 145 days ago
this is a very common pattern in tptacek's comments, but it's not worth calling out as he absolutely refuses to recognize it, always falling back to a similar response you see here.

with a quick google of "3des broken" and reading the first paragraph of wikipedia on 3des, i was able to guess (correctly!) what they original commenter was referring to.

link
tptacek 145 days ago
It's pretty self-indulgent of me to respond to this comment, but just real quick: the pattern you're seeing is me in fact not being one of the top-tier experts in cryptography on Hacker News (just one of the loudest), and not knowing who this person is, and not having had a reason to think about 3DES in quite a long time. What you're reading as snark or lawyering is, rather, me meaning exactly what I said, and being uncertain about what that person was talking about.
link
rootlocus 139 days ago
Sorry for being off-topic but I find it so refreshing that people can still engage in arguments in good faith, without resorting to personal attacks.

Thank you!

link