It drives me nuts that people think the right way to teach cryptography and "cryptanalysis" (I'd say: cryptographic vuln research) is stuff like differential and linear cryptanalysis, or, for that matter, index calculus. Practically nobody is going to use that stuff; it's just the stuff that's been in textbooks for 20 years, and so people assume they need to teach it.
How far into this do you get before you learn how CBC bitflips work? Trick question! It's never covered. The cryptanalysis slides are from 2013, sure, but CBC padding oracles were already passé by then.
It just makes me feel like people aren't taking the subject seriously. Which is how a lot of this courseware reads to me! A recitation of random facts.
If you learn well in a self-directed "hands on" fashion, https://cryptopals.com/ is a good place to start. (Co-created by the person you're responding to)
Disclaimer: I have zero professional crypto experience.
That said, my hypothetical crypto curriculum looks like this:
1. Cryptopals challenges as a guide to what to learn and pay attention to (which I suspect tptacek would probably recommend as well since he had a hand in making it :P)
2. Serious Cryptography as an introduction to core concepts
3. Applied Cryptography for encyclopedic reference
A prominent practitioner should make an "applied cryptography syllabus" that sketches a coherent learning philosophy. Topics, level of detail, order, references.
Even just annotating the table of contents from "Serious Cryptography", "Cryptography Engineering", etc. would be enormously useful for motivated hobbyists.
Probably hard to monetize, but it would be a great service to the community.
Hi Thomas. Xeno here. Perhaps some background is in order.
OST was started a decade ago when I was at MITRE and had zero public profile. So I didn't exactly have the luxury of running around and asking people to go do free work for me by making free classes. But I did have the luxury of turning to my colleagues like Kerry, who I could get into the MITRE program which paid bonuses for making classes. Kerry obviously has an academic background, and thus she created material with an academic slant.
Now that I'm going to be working on the site full time over many years and trying to find a way to make it so that instructors can get paid more than $2k per class (which is what we were getting at MITRE, but which at the time was plenty of motivation for me to make many classes :)), I hope we can go much broader and much deeper on crypto material this time around, both from the academic and applied perspective (though the latter is the priority.)
But the problem of course is that I don't consider myself in any way qualified to create or judge crypto content. Thus I have to rely on whatever I can convince folks to contribute. I hear great things about cryptopals (and I got to work with both Sean and Alex at Apple until I recently quit), but I haven't ever looked at it in detail since it's outside of my primary area of interest (though if I'm correct in believing it's primarily about crypto-implementation-vulnerabilities, I find it intellectually interesting as its own unique bag of tricks which some, but not most, vulnerability hunters end up adding to their larger bag of tricks, depending on whether they choose to (or have to) audit crypto or not (I very literally just outsourced it to Sean for multiple audits)). But while things like cryptopals can serve as an important component of both crypto and exploits learning paths, it's only a small part of the overall curriculum which is needed to get people into jobs that actually use/audit crypto on a regular basis. And that's what I think is needed now, the full set of classes which are needed for people to start off in jobs (because that's what OST2 is going to be about when I relaunch it - vocational classes that lead directly to jobs.)
So who do you think I should reach out to in order to find people who are passionate and willing to help craft such a curriculum?
I wish computer security training included courses on avoiding or destroying the bureaucracy that seems to inevitably form around cybersecurity dogma.
COVID was a lightning rod and channeled a lot of technological advances through that would’ve been otherwise halted by the cyber hand wringers who seem to have infiltrated all approval processes.
I agree that it's unfortunate that security and bureaucracy go hand-in-hand. As security becomes more a priority, the annoying overhead grows with it.
However, I think this is just the nature of security. It's a cumbersome task. Think of any organization that security is very important to, especially where it is life and death. Military, government, criminal gangs, VIPs/executives. All have large bureaucracies to maintain and enforce security. I think the adversaries any of these groups face are so persistent and capable that the only answer is bureaucracy. Training the person can only go so far. Individuals alone are too susceptible to minor slips in operational security.
If a small company that isn't targeted by advanced persistent threats has such a bureaucracy, it's overkill.
There's a difference between defense in depth and bureaucracy.
One recent example I saw was prioritizing the re-evaluation of a system that is low impact and limited access over the remediation of issues on a widely accessible system, only because the low impact evaluation was going to be out of tolerance sooner and therefore look bad on report cards.
They're getting suspicious, I guess. Here's what I know about funding these sorts of activities:
Greenpeace started out selling shirts and buttons and things which had a pretty quick turnaround. Then they began signing up middle and upper class people to donate $10+/mo regularly. At present Greenpeace has at least a million such monthly donors of $10/mo or more. As the years wore on and they became famous, wealthy people began willing their estates to Greenpeace. It was all driven by their media and communications machine: iconic images of men and women in orange jumpsuits riding zodiacs into a hail of Soviet whaler bullets and harpoons just to protect endangered whales. Of course this was pre-internet so their media was distributed by mail and telex. Greenpeace has probably spent millions on postage alone by now.
I feel comfortable sharing this knowledge because just knowing this is not enough to actually make a difference in the grand scheme of things. Even if OST gets funded, without a good lawyer this Xeno Kovah person could easily have it all stolen out from under his nose in an instant. Or the other members of his organization could turn on him and purge him. Or his board could just choose to ignore his vision and completely change the direction and shape of OST.
More money, more problems. All the money in the world won't make a difference if you don't have any skills managing such a large sum. And it's hard to find mentorship for such things because usually, consistently, your mentor will decide that you are dead weight and THE MENTOR should be in charge of the whole enterprise, not you. It takes much more than just money to succeed. So I feel completely comfortable discussing fundraising techniques.
You need to elaborate now because I don't understand what you're saying? What was their assessment? What is the trap?
I just asked how he's getting his money. Then I explained how other people who ran a similar project got their money. Then I explained how there's no real harm in explaining where money comes from, because managing money is a skill in itself which few people possess.
Never mind. Maybe Xeno was just joking when he said OST would be his "full time job" and he'd pay his instructors 100k every year. Someone would have come up with a decent answer by now if OST was a serious enterprise. As it is, I'll check back in a year and see how they're doing.