Hacker News new | comments | show | ask | jobs | submit login

I agree with all your points. When I said treat this in a "responsible disclosure" method, I did really mean a grace period, for the authors sake[0]. Clearly the reasoning is not the same as a security issue, as you pointed out. I was trying to be a bit clever. My mistake.

That all said, I still think we can treat each other better. Honest question: was it necessary to destroy it in such detail? Was it necessary for the effort of attack on the "crypto box" front? It seemed personal.

[0] Contacting the author first doesn't necessarily preclude timely notice "this book is flawed" out to readers.




Yes, of the criticisms in that review, I think the "Crypto Box" one was among the most useful. He can fix that problem simply by renaming his library. The problem with calling it that is that there's also a library that provides a very carefully designed crypto_box: NaCl. NaCl was designed by someone who is simultaneously one of the world's best software security people and one of the best cryptographers. Repurposing the name like that is a little like a guy named Alan writing his own cipher and calling it "Alan's Encryption System".


What do you mean, "was it necessary to destroy it in such detail"?

If tptacek hadn't destroyed it in such detail, his review would have consisted of saying "Hey, this book is pretty bad; it's got some very serious issues, and makes some pretty terrible or misleading recommendations. My suggestion: do not read it".

Would that be better? Or would you be complaining that "Well geeze, it's not helpful to say that the book isn't good; you have to go into some detail about what the problems are so that everybody can learn!"

The idea of asking for LESS DETAIL in a criticism of a topic is bizarre. How much detail would you prefer?




Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | DMCA | Apply to YC | Contact

Search: