This is not the first time that I've heard Zed Shaw’s Learn X the Hard Way is bad.
E.g. Learn C The Hard Way is so bad that it’s on the list of stuff to avoid on iso-9899.info, the most popular C wiki [1]. Experts in the #c channel on Freenode IRC also recommend against it.
Putting aside Zed's abrasiveness, is this just a miscommunication around whether unqualified (to write crypto) developers should attempt to write crypto code at all, versus whether they should publish/use said work in production? I'd argue that it's perfectly reasonable for unqualified devs to write crypto code... as long as that code never reaches a production server.
I could well be wrong, but with arguments like this I'm always inclined to first consider that the two sides are talking past each other. I can't see any reasonable person arguing either that unqualified devs should release custom crypto into the world, or that they should not even write crypto code as a learning exercise.
> Putting aside Zed's abrasiveness, is this just a miscommunication around whether unqualified (to write crypto) developers should attempt to write crypto code at all, versus whether they should publish/use said work in production? I'd argue that it's perfectly reasonable for unqualified devs to write crypto code... as long as that code never reaches a production server.
Thanks - I've read your original post and I agree with your write-up. I still suspect that Zed basically skim-read and misinterpreted your message - he probably has a knee-jerk reaction to the phrase "don't roll your own crypto" and dived on Twitter to respond to that, which IMO is a behaviour Twitter trains/incentivises people to do (hot takes). The idea that "quantum woo crackpots in crypto are bad" is basically universally agreeable to any reasonable person, including Zed, hence why I think he just knee-jerked in this case.
I think that's in the ballpark, but Zed also seems to be intuitively aware of something else going on in the infosec community that most people outside of it aren't.
There's a huge emphasis on publishing and branding/networking and as a result there are a lot of talking heads. Thing is, most of them are punching _way_ above their weight and it's mostly people just cargo culting their way through the industry.
Literally for 20 years, people just looked at OpenSSL and said "well everyone else says it's okay." Knowing a little bit the way Zed is, I think his reaction is because he's sick of the talking heads versus the mediocre output from the "experts" in industry.
I thankfully don't work "in infosec", but millions of dollars of infrastructure and its security is my responsibility and I'm not clueless. In fact, I earned my Black Badge doing something legitimately difficult. I'd say that 3/4 of the supposed professionals that I encounter in industry are at least six ways full of shit.
That's a reasonable interpretation, but then why is Zed lashing out at OP's original article? I've read through it and it's a reasonable argument that many people in crypto have been making for years.
"you don't know anything, you haven't even independently audited OpenSSL for free before it was cool" is not a reasonable response to "there's a problem with woo crackpots trying to gain credibility within crypto", but it is a reasonable (if needlessly inflammatory, but we are talking about Zed) response to "nobody should write crypto except experts like me", which is a common misinterpretation of "don't roll your own crypto". Hence why I suspect it was just a kneejerk reaction to a misinterpretation of the article.
There’s a middle-ground, there, where you’re developing something that you intend purely as a personal learning exercise, but you’re doing it in public — or at least not well-hidden enough — and then someone comes along, finds it, and uses it.
(There’s an analogy to make with security researchers who develop exploits while practicing bad OPSEC — they don’t intend to create viruses, but their actions predictably lead to the creation of viruses anyway, since virus-writers watch them closely.)
Keep in mind that usually, people just hacking on an idea for a few hours (who aren’t coding celebrities who expect all their repos to be well-trafficked just because they’re their repos) don’t bother to put up a huge warning in the README of a slapdash exercise, to point out that it isn’t for production use.
This used to be a bigger deal back when GitHub was the code-host but also didn’t offer free private repos; it effectively forced independent developers and students into working in public. But it’s still somewhat of a big deal, because people will still choose to make their repos public in order to more easily collaborate on them in the context of e.g. school exercises. (Because forming a GitHub org and adding ACLs is extremely onerous when you could just make the repo public and share the URL.)
IMHO, code-hosting companies would be well-served by adding a checkbox to the repo setup process (sort of like the ones for adding a .gitignore or a LICENSE) to indicate that the repo contains code written as a learning exercise for $thing; such that checking that box would insert a big flashy warning on the page that the repo is not to be used as a reference for the idiomatic way to use $thing. (And maybe, on top of that, make it impossible to clone the repo through HTTP until the username you’re cloning as has pressed a confirmation button on that warning.)
Yes, there's certainly an issue with the current trend of developing everything in public, and the lack of clarity about what is and is not safe to use.
There's also the land-grab issue where as a new language/ecosystem appears, the first people to write libraries for any given purpose get all the installs and thus all the attention & potentially profit, leading to perverse incentives to shit out tons of undertested code when a new platform gains traction.
Presumably the mechanism of preventing people from relying on bad code is the typical behaviour of "add the dependency from npm/rubygems/crate/etc that is most popular for the subject", where most learning-exercise code doesn't get pushed to a distribution platform, and if it does, doesn't get widely dispersed. Of course this doesn't protect against people /trying/ to distribute code that is not up-to-press, but that's a social rather than a technical hurdle to overcome.
Yes, you've absolutely summed it up. The blog post about Zed's ego is a massive overreaction and also probably a bruised ego. Zed gets accused of gatekeeping when the author themselves was gatekeeping at the start. There's lots of projection going on here.
This is why we shouldn't entertain personal attacks period, regardless of who it is.
> Zed's behavior towards newcomers to computer programming.
You mean his behavior of offering newcomers education resources to get their careers started that for many years he offered completely for free? I think it's pretty clear from the tweet that he wasn't attacking some newcomer but calling into question professional credentials.
His comment was a response to your post. Your post discouraged people from writing crypto, because they aren't qualified. This is where you were gatekeeping.
His response was, effectively: "well, you're so qualified, but you never said anything about how the industry standard library for crypto was swiss cheese for 20 years". He's basically saying that even the qualified people don't do a good job and that nobody should be discouraged from at least trying.
The point is that everyone is fallible and you went out of your way to prove him right.
> His comment was a response to your post. Your post discouraged people from writing crypto, because they aren't qualified. This is where you were gatekeeping.
Re-read the post carefully. I included examples of people unwittingly trying to gatekeep me in the past.
The negative part of that post was about scammers and crackpots who, when confronted with constructive feedback about their designs, doubled down insisting they were smarter than their critics.
Being a neophyte doesn't make you a crackpot.
From the article:
> If you’re reading this blog post and feel like learning about cryptography and cryptanalysis and feel put off by the “don’t roll your own crypto” mantra, and its implied gatekeeping, I hope it’s clear by now who that phrase was mostly intended for and why.
(i.e. "NOT YOU" was the implication of that sentence)
The post in question is a lot of things, but it's not a gatekeeping piece.
You can be mostly correct about things and still be worthy of criticism (we all are, really). You're taking some mild criticism from Zed way out of context and making it out to be an act of villainy.
That's way too much drama for what's going on here. I know and don't particularly enjoy Zed very much, but honestly he's pretty neutral. He's done a lot of good in his community and has had some nuclear hot takes that have received outsized attention. If you really feel he's as toxic as you say, you shouldn't be giving him more of it.
I read it as a test for someone who wants to judge the attempts of others - I don't think it qualifies as gatekeeping since newcomers rarely ever judge other newcomers.
Regarding the vulnerabilities exposed in SRP, notably the `u` value being calculated as H(A|B), one of the referenced documents (Thomas Wu's Stanford paper) [1] mentions the following:
> Since u is communicated publicly, it is possible to "piggyback" it on top of another public value, thus transmitting it implicitly. For example, both sides can compute u as a simple function of B, in which case Steve must wait for Carol to send out A before he sends back B and reveals u.
Assuming A and B are issued from secure RNGs, is the paper recommendation still safe against attacks (assuming the zero-case is handled)?
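For reference, the values named in the question above, as an added example that is not part of the thread or of any project it discusses: a minimal SRP-6a exchange in Python in which both sides compute u = H(A | B) and refuse the zero cases. The modulus, the SHA-256 padding scheme, the sample credentials and all function names are assumptions made for illustration.

```python
import hashlib
import secrets

# Constructed toy parameters: 2**255 - 19 is prime, but it is NOT a vetted SRP
# group. Real deployments use a standard group such as those in RFC 5054.
N, g = 2**255 - 19, 2
NLEN = (N.bit_length() + 7) // 8

def pad(n: int) -> bytes:
    return n.to_bytes(NLEN, "big")

def H(*parts: bytes) -> int:
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")

k = H(pad(N), pad(g)) % N  # SRP-6a multiplier

def private_x(user: bytes, password: bytes, salt: bytes) -> int:
    return H(salt, hashlib.sha256(user + b":" + password).digest())

def scramble(A: int, B: int) -> int:
    """u = H(A | B), refusing the zero cases."""
    # With A = 0 mod N the server's S would be 0 whatever the password is;
    # with u = 0 the server's S would not involve the verifier at all.
    if A % N == 0 or B % N == 0:
        raise ValueError("public value is 0 mod N")
    u = H(pad(A % N), pad(B % N))
    if u == 0:
        raise ValueError("u is zero")
    return u

def client_secret(a, A, B, user, password, salt):
    u, x = scramble(A, B), private_x(user, password, salt)
    return pow((B - k * pow(g, x, N)) % N, a + u * x, N)

def server_secret(b, A, B, v):
    u = scramble(A, B)
    return pow(A * pow(v, u, N), b, N)

def run_exchange(password_tried: bytes):
    """Carol (client) and Steve (server) each derive S; returns both."""
    user, salt = b"carol", b"constructed-salt"
    v = pow(g, private_x(user, b"correct horse", salt), N)  # stored by Steve
    a, b = secrets.randbits(256), secrets.randbits(256)
    A = pow(g, a, N)                   # Carol -> Steve
    B = (k * v + pow(g, b, N)) % N     # Steve -> Carol
    return (client_secret(a, A, B, user, password_tried, salt),
            server_secret(b, A, B, v))
```
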
With how often people on here say to focus on merits and not attitude, it's weird how so many comments focus on the writer's attitude and not the analysis of Mr. Shaw's crypto.
Disclaimer: I learnt Python from one of Zed Shaw's books in my teens.
I followed Zed Shaw on Twitter for a long time and, while he comes across as a colourful guy who rants a bit too much, his books have been boycotted for years and he has been personally attacked several times in an unprovoked fashion.
His C book was even placed in some "don't read" lists and had snippets cherry picked as examples of bad advice. Some people in the industry have tried to bully him out of his livelihood for a while, just because they don't share some of his technical opinions, and they have some grudge going back to the days when he maintained some old projects. That's just unacceptable.
There's nothing unacceptable in calling for boycotting a toxic asshole. There's also nothing unacceptable in warning people against a book containing bad information.
Thing is, people end up looking up to the author of books they read, following them on Twitter, reading their blogs, etc... So when those authors start spouting nonsensical rhetoric, it has a very chilling and negative effect on the community. Gatekeeping in this way leads to a less diverse group of people feeling empowered to speak up and contribute their knowledge.
FWIW, I did also learn Python using Learn Python the Hard Way. And on its own, I do believe it to be a great book. But I don't recommend it anymore because I don't want my peers to end up looking up to some toxic asshole and getting disillusioned because of it. There are other great resources that don't come with this unnecessary baggage.
> But I don't recommend it anymore because I don't want my peers to end up looking up to some toxic asshole and getting disillusioned because of it.
Or you know, allow people to make up their minds about how much of an asshole someone is, instead of deciding for them with some superior paternalistic bullshit of your own. There is value in someone's work outside of their fringe personal opinions.
> I followed Zed Shaw on Twitter for a long time and, while he comes across as a colourful guy who rants a bit too much, his books have been boycotted for years and he has been personally attacked several times in an unprovoked fashion.
This wasn't unprovoked.
I'm not a very reactionary person. I don't know the dude's history or any drama he's been involved in. My conclusion to boycott follows from the evidence and arguments raised in the post.
I believe he's actively harmful to newcomers (who are the target audience for his books).
[1] http://www.iso-9899.info/wiki/Main_Page#Stuff_that_should_be...