Comment Re:Future proofing (Score 1) 143

Oh, it should indeed still be possible to produce a best-of-breed class as well as a best-all-round class, but the closer we get to the deadline, the more apathy and office politics subsumes the process.

It would be great to have a family. Since SHA-3 entries were to produce a fixed-sized hash, the family would consist of different breeds of hash rather than different output lengths. I don't see a problem with that. People can then use what is correct for the problem, rather than changing the problem to make it correct for the hash.

They've not "nixed" it per se, but they were uncomfortable at the start with the idea (apparently because it would confuse manufacturers to tell them "X is good for Y") and as soon as it did start getting any traction on the list, there was no further discussion or commentary by the chief experts. It died on the grapevine from those experts being actively passive. (Passive aggression might help in their workplaces, but I don't think the mathematics gives a damn.)

The closest to a workable theory came on Slashdot in a prior discussion on SHA-3, where someone thought it might be because you'd need too much cryptanalysis for too many functions, that nobody on the list was willing to admit that there was a manpower issue. After all, admit that and outsiders start wondering how good the filtering was in all the other rounds,

Comment Re:Future proofing (Score 1) 143

True, for computer information, but plenty of data was sent via radio - it was simplicity itself to tune into civilian and military digital chatter. (See "The Hacker's Handbook", by "Hugo Cornwall" - pseudonym of Peter Sommer, an expert in information systems security.) For military purposes, it was much much easier to teach people to type messages into a portable machine which would digitize it and blast the digital form wirelessly (and encrypted) than to get them to key properly. Keying in morse was also far, far slower and error-prone on both sides.

Being able to intercept such messages was easy - SIGINT had listening posts everywhere - but breaking them was a far harder problem. Hence my thought that they could have extended the Colossus approach to do basically the same thing as Colossus did but with newer codes. And, again, the NSA facility in the UK has certainly been accused of performing exactly that sort of role.

I have zero idea if that was ever done. Dad almost never talked about his time in the military, working in C-Corp (ie: the communications division, just as I-Corp was the intelligence division) in Cyprus, a key listening post in the 50s. It was only towards the end of his life that he revealed anything at all (they used one-time pads, where the tapes were delivered by courier and where both ends synchronized the decrypt tape - so it was real-time encrypt/decrypt), but most of that could either easily be deduced or had been covered by documentaries on the limitations of OTP cryptographic techniques and how those limitations resulted in work that evolved into public cryptography. I have no idea if listening posts such as that were gathering significant amounts of encrypted data, and even less of one as to how that had changed by the 70s.

On the other hand, I'm increasingly of the view it doesn't matter. If something can be built, then eventually it will be. You just don't know when, where, why or who, although you may be able to place limits on the when, provided my ideas on a Grand Universal Moore's Law are near-enough correct. At that point, it's security through sheer bloody expense, which is no more security than obscurity if the data is valuable enough.
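
Added example, not part of the comment above: a tape-style one-time pad of the kind the comment describes (both ends hold an identical key tape and advance it in step), together with the limitation that matters most in practice, reuse of a tape segment. The `PadTape`, `crib_drag` and `demo` names, the tape bytes and the messages are all constructed here for illustration, not anything from the page.

```python
# Added example, not from the Slashdot comment above: a tape-style one-time
# pad (both ends hold an identical key tape and advance it in step) and the
# limitation that matters most in practice, reuse of a tape segment.
# All tapes and messages here are constructed for illustration.
import secrets


class PadTape:
    """One end's copy of the key tape. Each message consumes len(message)
    bytes; sender and receiver must consume the same amount to stay in sync."""

    def __init__(self, tape: bytes):
        self.tape = tape
        self.offset = 0

    def take(self, n: int) -> bytes:
        if self.offset + n > len(self.tape):
            # Pad exhausted: correct behaviour is to stop and wait for a new
            # couriered tape, never to wrap around or reuse earlier bytes.
            raise RuntimeError("tape exhausted; courier a fresh tape")
        segment = self.tape[self.offset:self.offset + n]
        self.offset += n
        return segment


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(tape: PadTape, plaintext: bytes) -> bytes:
    return xor_bytes(plaintext, tape.take(len(plaintext)))


def decrypt(tape: PadTape, ciphertext: bytes) -> bytes:
    # Decryption is the same XOR with the same tape bytes; the receiver's
    # tape must be at the offset the sender's tape was at when encrypting.
    return xor_bytes(ciphertext, tape.take(len(ciphertext)))


def two_time_pad_leak(ct1: bytes, ct2: bytes) -> bytes:
    """If two ciphertexts were made with the same tape bytes, XORing them
    cancels the key and leaves plaintext1 XOR plaintext2."""
    return xor_bytes(ct1, ct2)


def crib_drag(leak: bytes, crib: bytes) -> list:
    """Slide a guessed fragment of one plaintext along p1 XOR p2; wherever the
    result is printable ASCII, that is a candidate fragment of the other
    plaintext at that position (the attacker then extends the crib)."""
    hits = []
    for i in range(len(leak) - len(crib) + 1):
        candidate = xor_bytes(leak[i:i + len(crib)], crib)
        if all(32 <= c < 127 for c in candidate):
            hits.append((i, candidate.decode("ascii")))
    return hits


def demo() -> dict:
    tape = secrets.token_bytes(512)      # identical copy at both ends
    sender, receiver = PadTape(tape), PadTape(tape)

    m1 = b"RELIEF CONVOY DEPARTS 0400"
    c1 = encrypt(sender, m1)
    roundtrip_ok = decrypt(receiver, c1) == m1   # both offsets now 26

    # Misuse: the sender's tape is rewound (or a duplicate tape is issued)
    # and the same 26 key bytes protect a second message.
    sender.offset = 0
    m2 = b"RADIO SILENCE FROM 0300 HRS"
    c2 = encrypt(sender, m2)
    leak = two_time_pad_leak(c1, c2)     # == m1 XOR m2, no key needed
    return {"roundtrip_ok": roundtrip_ok,
            "leak_is_plaintext_xor": leak == xor_bytes(m1, m2),
            "crib_hits": crib_drag(leak, b"CONVOY")}


if __name__ == "__main__":
    print(demo())
```

The point of `crib_drag` is that the attacker never needs the tape: guessing that one message contains "CONVOY" recovers the letters at the same position of the other message, and the guess is extended from there. Synchronized offsets and a hard stop on exhaustion are what keep a real tape system from drifting into this state.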

Comment Re:Future proofing (Score 5, Interesting) 143

Very true. Which is why I'm anxious SHA-3 has as little (ideally nothing) in common with SHA-2, be it algorithmically or in terms of the underpinning mathematical problems used that are assumed to be hard.

I would have preferred Blue Midnight Wish to be still in the running (well, it's got a cool name, but more importantly it has a very different design).

I ALSO wish Bruce and the others would pay attention to those of us on the SHA-3 mailing list advocating a SHA-3a and SHA-3b where -3a has the best compromise between speed and security, and -3b has absolutely b. all compromise and is as secure as you can get. Why? Because that meets Bruce's objections. -3a may well be broken before SHA-2 is so threatened that it is unusable, because of all the compromises NIST want to include. -3b, because it refuses to bow to such compromises, should remain secure for much longer. You can afford to stick it in the freezer and let it sit there for a decade, because it should still be fresh BECAUSE no compromises were made. By then, computers would be able to run it as fast, or faster, than -3a could be run now.

So I have ZERO sympathy with Schneier. He is complaining about a problem that he is, in part, responsible for making. Other views WERE expressed, he thought he knew better, but his path now leads to a solution he believes useless. So, to NIST, Bruce, et al, I say "next time, leave your bloody arrogance at home, there's no room for it, doubly so when you've got mine to contend with as well".

Comment Re:Future proofing (Score 5, Interesting) 143

To be fair, the NSA don't seem to have caused problems with the S-Boxes and differential analysis doesn't seem to have worked too well. On the other hand, COPACOBANA et al were glorified 1940s-era Colossus machines - cracking codes via a massively parallel architecture. To me, that's the scary part. Turing's work on cryptography and massively parallel code breakers was 100% applicable to the design of DES because the keylength was so incredibly short. You could build enough machines to effectively break it.

How many DES engines do you think someone could have crammed onto a wafer in the 1980s? (Remember, each die can have multiple engines, and then the dies that work can be hooked together.) Link up a bunch of such wafers and you end up with a crypto engine from hell. It would have been VERY expensive, but I would imagine it perfectly plausible that a sufficiently determined and rich organization (I would imagine the NSA might have been one such) could have potentially built such a machine when the rest of us still thought the 6502 was a really neat idea.

Doesn't mean anyone ever did. People could have reached Mars in the 1980s, so "could have" and "did" are obviously very different things. What people actually did is anyone's guess, though "nothing" sounds about right.

Had they built such a device, though, then near-real-time breaking of DES would have been possible at the time it was in mainstream use. Certainly, there were claims circulating that such devices existed, but a claim like that without proof is hard to accept. All I can say is that it's demonstrably not impossible, merely unlikely.

Back to SHA-2. Are we in the same boat? Are there ways to build something today, even if nobody is likely to have actually built it yet, that could endanger SHA-2? (To me, THAT is the measure of security, not whether anyone actually has, because they're not likely to tell you when they have.) Quantum computing is the obvious threat, since 512 bits is a lot of security, too much to attack in parallel with a classical architecture. Quantum computing, though, should let you scale up non-linearly. The question is whether it's enough. (I'm assuming here that there are no issues with preimages or timing that can be exploited to reduce the problem to a scale QC can solve even if classical machines can't.)

There have been a few murmurs that suggest SHA's security isn't as strong as the bitlength implies. Would that be enough? If Japan can build a vector machine the size of a US football stadium, then it is not physically impossible to scale a machine to those sizes. Nobody has scaled a quantum computer beyond a few bits, but I repeat, I don't care what people have publicly done, it is what is within the capacity of people TO build whether publicly or not that matters.

If you're not 100% certain that not even a quantum computer on such a scale, where all nodes were designed at the hardware level to perform JUST the task of trying to break the hash, could do it, then the hash is not safe for 20+ years. It may be unlikely, but there's nothing to say it might not be vulnerable right now. There's nothing physically impossible about it (as shown), it's merely a hard problem. And hard problems get solved. What you need in a crypto hash is something you can be sure WILL be impossible to break in a 20 year window, which means what you need is a crypto hash that is beyond anything where the components can be prototyped today. For a 30 year window, it needs to be beyond detailed theory. A 50 year window can be achieved if it's beyond any machine ANY existing theory can describe.

(It takes time to go from theory to prototype to working system to working system on the right scale. The intervals seem to be fairly deterministic in each subject. I believe this to indicate a mathematical model that underpins things like Moore's Law and which is independent of field. Know that model and you know when Moore's Law will fail. Moore's Law is merely the equivalent of Hooke's Constant for computing, failure is inevitable, and if I'm correct then just as QM explains why Hooke's model worked over the interval that it did, there is a model in Information Theory which will explain why Moore's Law works and when it will not. However, that's for another time, when I show how since the underpinnings can be modeled and since the practice is social in nature rather than technical, something non-physical like societies nonetheless obey QM-like laws and thus a deeper theory must exist that describes sufficiently large societies in a model that could legitimately be called Psychohistory. For now, it is sufficient to say that if you want security for a period of X years, certain things must not have been discovered/built.)

SHA-3 doesn't increase keylength, but it DOES make things considerably less vulnerable to a massively distributed attack on scales we now know to be possible using non-traditional technologies we now know can be used.
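
Added example, not part of the comment above: a cost model for the "build enough engines" attack the comment describes, plus a small brute-force preimage search on a truncated SHA-256 that shows why the work splits cleanly across independent engines. The engine counts and per-engine rates are illustrative assumptions, not figures from the page; `preimage_search`, `expected_work` and `time_to_break` are names chosen here. The Grover branch applies the general result that p quantum machines only gain a factor of sqrt(p), which goes beyond what the comment states.

```python
# Added example, not from the Slashdot comment above: a cost model for the
# "build enough engines" attack the comment describes, and a small brute-force
# preimage search on a truncated SHA-256 that shows why the work splits
# cleanly across independent engines. Engine counts and rates below are
# illustrative assumptions, not figures from the page.
import hashlib
import math


def truncated_sha256(key: int, bits: int) -> int:
    """Leading `bits` bits of SHA-256 over the key's 8-byte big-endian encoding
    (a stand-in for 'the cipher/hash the engine is wired to compute')."""
    digest = hashlib.sha256(key.to_bytes(8, "big")).digest()
    return int.from_bytes(digest, "big") >> (256 - bits)


def preimage_search(target: int, bits: int, keyspace: int, engines: int):
    """Search [0, keyspace) for a key whose truncated hash equals target.
    The space is cut into `engines` contiguous slices and the engines are
    stepped in lock-step, so the returned step count is the wall-clock cost
    in engine-cycles: the same search with more engines takes fewer steps.
    Returns (key, engine_index, steps) or None."""
    slice_len = -(-keyspace // engines)          # ceiling division
    for step in range(slice_len):
        for e in range(engines):
            k = e * slice_len + step
            if k >= keyspace:
                continue
            if truncated_sha256(k, bits) == target:
                return k, e, step + 1
    return None


def expected_work(bits: int, quantum: bool = False) -> float:
    """Expected evaluations for a single-target search.
    Classical key search: half the space on average, 2^(bits-1) (a random-
    function preimage is closer to 2^bits; the factor of two changes nothing).
    Grover: about (pi/4) * 2^(bits/2) oracle calls."""
    if quantum:
        return (math.pi / 4) * 2.0 ** (bits / 2)
    return 2.0 ** (bits - 1)


def time_to_break(bits: int, engines: float, rate_hz: float,
                  quantum: bool = False) -> float:
    """Wall-clock seconds for `engines` units each doing `rate_hz` evaluations
    per second. Classical engines divide the work linearly. Grover does not:
    p machines each searching a 2^bits/p subspace need ~2^(bits/2)/sqrt(p)
    iterations, so adding hardware only buys a sqrt(p) speed-up."""
    if quantum:
        return expected_work(bits, True) / (math.sqrt(engines) * rate_hz)
    return expected_work(bits) / (engines * rate_hz)


SECONDS_PER_YEAR = 365.25 * 24 * 3600


if __name__ == "__main__":
    # Assumed 1980s-style DES cracker: 100k engines at 1M keys/s each.
    print("DES, 1e5 engines @ 1e6/s: %.1f days"
          % (time_to_break(56, 1e5, 1e6) / 86400))
    # Assumed modern classical farm against a 256-bit preimage.
    print("256-bit preimage, 1e9 engines @ 1e9/s: %.2e years"
          % (time_to_break(256, 1e9, 1e9) / SECONDS_PER_YEAR))
    # Grover against the same target, one machine vs. 100 machines.
    print("Grover x1:   %.2e years"
          % (time_to_break(256, 1, 1e9, True) / SECONDS_PER_YEAR))
    print("Grover x100: %.2e years"
          % (time_to_break(256, 100, 1e9, True) / SECONDS_PER_YEAR))
    # Toy search: 16-bit target, 2^18 keys, 64 engines in lock-step.
    secret = 123456
    target = truncated_sha256(secret, 16)
    print("found", preimage_search(target, 16, 2 ** 18, 64))
```

The two things to take from running it: for a 56-bit key the assumed farm finishes in days, which is the comment's point about DES, while for a 256-bit output even the classical farm and the Grover machine both land at numbers with dozens of zeros, and the Grover machine gains only a tenth from a hundredfold increase in hardware. The step count returned by `preimage_search` falls as `engines` rises exactly because each slice is searched independently, which is all a massively parallel cracker relies on.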

Comment Re:Nothing new here (Score 1) 432

My great uncle certainly didn't, back in the 80s. Each cow had the predecessor to an RFID tag around its neck. When it entered the feeding station, food specifically mixed for that cow was delivered. (Dairy cows had a diet that maximized both health and the value of the milk. Beef cattle were optimized for health and meat value. But every cow was treated as a unique entity, using parental data, size and weight as primary inputs, with tweaks manually coded in.) He would probably have fed someone to one of the bulls if they'd suggested just throwing any old junk at the animals.

Ok, eccentric wetware hackers aren't exactly two a penny in the farming industry. But, then, that's part of what created the mess. Those growing corn sell it to ethanol producers, not other farmers or the food industry. The health consequences for farm animals in using the new alternatives to grass are a product of an abuse of the old alternatives to grass plus an abuse of antibiotics and other bulking-up agents ("angel dust" - PCP - is one farmers use, even where it's not legal, Clenbuterol is another).

If, instead of using illegal drugs, nonsensical feeds, steroids and antibiotics, they'd simply opted for a more sensible diet for each cow, they'd have had the same profits with none of the scandals. Higher initial costs (so it takes longer for the net profits to be the same), sure, plus having to think (always a problem for conservative, rural districts), but that's it.

Comment Re:Play God (Score 1) 455

The church would lobby for the guy to be declared a terrorist. After all, it's their divine right to abuse videos (see the lawsuits by the actors involved in the recent video scandal).

There are guides on the hidden TOR services on how to get people/organizations SWATted, but I cannot condone such tactics. Smirk, yes, but not condone.

Comment LoC per second is just bandwidth (Score 4, Funny) 59

To be a true measure, you need latency as well. After all, you can't really play a decent MMORPG if the latency is through the roof.

As two dimensional values confuse people, I suggest dividing the bandwidth by the delays in getting it, giving you Libraries of Congress per second per filibuster.

Comment Re:Youngins. (Score 4, Interesting) 63

Actually, USENET was middle-aged when those Utah lawyers posted the first mainstream spam. (And the more serious crime was their publishing a book on how to exploit the Internet to harvest personal data and spam them.)

AT&T should have been terminated, not just by USENET but by the MBone and maybe even some of their Tier 1 peers. Not just until they did something, but permanently. Some crimes should not be forgiven, and AT&T's actions then have cost the world on aggregate since that time (bandwidth ain't cheap, neither is storage) far more than the market value of AT&T. This was anticipated and widely expected to be the outcome of AT&T's negligence. Sometimes, the best option is to cut your losses and run, and AT&T was definitely a loss.

Today, such action would serve little purpose. Spam, which is essentially economic cyberwarfare, has become too widespread. You can't dig it up by the roots, there are too many of them. It will require action on a far larger scale. System admins, network admins and ISP admins alike will have to become the largest gang of herbicidal maniacs ever gathered in one virtual spot. Exterminating botnets, the ultimate weed, will require a change in attitudes. Provider agreements must make spamming grounds for terminating Internet access. System admins must monitor their systems more rigorously for evidence of compromise. Network admins must stop assuming they can just get away with a trivial spam filter then ignore the problem. Spam is a reduction of service, rather than a denial of it, but then in a DDOS, so is each individual component of that attack. Network admins wouldn't be caught dead regarding components of a DDOS as something they can just ignore. Same's true here.
