Talk:Daniel J. Bernstein

From Wikipedia, the free encyclopedia
Jump to: navigation, search
          This article is of interest to the following WikiProjects:
WikiProject Computer Security / Computing  (Rated Start-class, Mid-importance)
WikiProject icon This article is within the scope of WikiProject Computer Security, a collaborative effort to improve the coverage of computer security on Wikipedia. If you would like to participate, please visit the project page, where you can join the discussion and see a list of open tasks.
Start-Class article Start  This article has been rated as Start-Class on the project's quality scale.
 Mid  This article has been rated as Mid-importance on the project's importance scale.
Taskforce icon
This article is supported by WikiProject Computing (marked as Low-importance).
 
WikiProject Biography / Science and Academia (Rated Start-class)
WikiProject icon This article is within the scope of WikiProject Biography, a collaborative effort to create, develop and organize Wikipedia's articles about people. All interested editors are invited to join the project and contribute to the discussion. For instructions on how to use this banner, please refer to the documentation.
Start-Class article Start  This article has been rated as Start-Class on the project's quality scale.
Taskforce icon
This article is supported by the science and academia work group (marked as Low-importance).
 
WikiProject Chicago (Rated Start-class)
WikiProject icon This article is within the scope of WikiProject Chicago, which aims to improve all articles or pages related to Chicago or the Chicago metropolitan area.
Start-Class article Start  This article has been rated as Start-Class on the project's quality scale.
 ???  This article has not yet received a rating on the project's importance scale.
 
WikiProject Computing (Rated Start-class, Low-importance)
WikiProject icon This article is within the scope of WikiProject Computing, a collaborative effort to improve the coverage of computers, computing, and information technology on Wikipedia. If you would like to participate, please visit the project page, where you can join the discussion and see a list of open tasks.
Start-Class article Start  This article has been rated as Start-Class on the project's quality scale.
 Low  This article has been rated as Low-importance on the project's importance scale.
 

Poly1305-AES hash[edit]

Needs to be added to article: http://cr.yp.to/mac.html

Salsa20, DJB's semi-finalist for ECRYPT stream cipher recommendation, is probably more interesting than Poly1305. —Preceding unsigned comment added by Tqbf (talkcontribs)

Licenses[edit]

  • I would like to see some discussion of djb's stance on software licenses, since this seems to be at the core of any controversy about using his software on Linux. I can't add this myself, simply because I'm not informed on the situation. --138.236.250.141 16:38, 28 Feb 2005 (UTC)
    • (I'm not very informed either!)...djb appears to have a very individual position on software licenses; the interpretation of whether his software is "free" or not seems to have been the cause of at least one flame war, between djb and Rick Moen: [1], [2]. — Matt Crypto 17:13, 28 Feb 2005 (UTC)
      • Follow the hyperlinks from this very article to qmail and djbdns, and thence to the Licence-Free Software article already sitting right here in Wikipedia, and you will both become informed. ☺ Uncle G 19:19, 2005 Feb 28 (UTC)
        • Great! I've added a link to it from this article. — Matt Crypto 21:48, 28 Feb 2005 (UTC)
I dispute the accuracy/validity of the "license free software" article in its entirety, but I'm not crazy enough to go tilting at that windmill and disrupt someone else's work. In this article, I'll make the point that DJB has never referred to "license free software", and that DJB's copyright strategy involves more than just thinking that licenses are redundant: DJB takes away the right to redistribute modified source or binaries in order to maintain compatibility. That's more than a superficial difference from the GPL, no matter what the "license free" article says. Do I believe qmail and djbdns are open source? Of course I do. But there's a nonnegligable difference between the OSI def and the terms on djbdns. I'm guessing DJB doesn't give a $&^@ that that's the case.
There's an interesting graf to write about Bernstein's copyright strategy, but no facsimile of it appears in the edit history for this page.

I've added a new Software licensing section to the article. The content is OpenBSD-heavy right now, and is taken from that article since Bernstein played a significant role in a high-profile licensing issue of that project. There may non-OpenBSD content we can include in this section also, but at least this is a start and it's well referenced. --Ds13 18:52, 10 April 2006 (UTC)

The licensing section was removed by an anonymous editor but I have replaced it. Facts and claims in the section are referenced (as before), so if you have an issue with something, rather than deleting the entire section, let's engage in discussion here. Cheers. --Ds13 15:56, 15 July 2006 (UTC)
I'm not the anonymous editor and I don't have time to fix it right now, but the section is highly-misleading. The article implies that Bernstein's code was found scattered throughout the system and removed; instead what happened was they removed the installers for his software from the ports tree. AaronSw 23:17, 15 July 2006 (UTC)
Sounds good. Feel free to update as necessary. My intent behind the section certainly isn't to mislead, but to acknowledge that Bernstein has some notability (and a notable position) in a sofware licensing skirmish. Aiming for a neutral picture of what happened, but most importantly, that the facts are linked or referenced so they're verifiable. --Ds13 23:26, 15 July 2006 (UTC)
There is no way to make this section make any sense. It has almost nothing to do with Bernstein's take on software licensing. Portions of OpenBSD reject GPL code, to the point where it's end-user-visible, for similar practical reasons. Do I have a problem with these decisions? No.
Bernstein's take on licensing is nuanced. It is very different from the BSD license and the GPL. You could write a section on it. But you can't do it by consing up an anecdote about why qmail isn't in the ports tree (I mean, really --- qmail. the ports tree. OpenBSD. ALL BETTER SECTIONS FOR THIS CONTENT THAN THE DJB ARTICLE.) Especially! not when you get the details wrong (the Netscape comment on DJB's website is about LINUX, not OpenBSD). tqbf
The section is a start. If it makes a claim that's not referenced (or incorrectly referenced), let's talk about it. One at a time. Which claim is false? Blanking a section because you think it could be done better isn't a good solution. --Ds13 03:26, 20 July 2006 (UTC)
Sorry. When you "finish" what you've "started", then I'll bet the section will be defensible. Right now, there is more valuable information in this talk page than there is on the article itself. Worse, the article is not NPOV. It creates the impression of a conflict between OpenBSD and DJB when a neutral perspective would hold that simply not allowing software to be bundled into OpenBSD is not the equivalent of a conflict, and that a single circumstance in which qmail was not bundled with an operating system does not constitute an entire perspective on software licensing.
I'm happy to wait a day to see what you can do with this section, but failing any changes, the article is MORE VALUABLE WITHOUT THIS SECTION than with it, and I'll keep pushing to scrub this material out.
Not for nothing, but the NPOV marker on the page and the wholesale reverts over the past few weeks deter any serious writing on my part for this page, which is why you see more commentary from me on the talk page than contributions on the main page. When I get a better sense of why people are messing with this article so much, I'll stop talking here and start contributing in the article. — tqbf
Sorry. When you "finish" what you've "started", then I'll bet the section will be defensible.
Being "finished" is not a criteria for remaining in WP. Being verifiable and NPOV is.
Worse, the article is not NPOV. It creates the impression of a conflict between OpenBSD and DJB when a neutral perspective would hold that simply not allowing software to be bundled into OpenBSD is not the equivalent of a conflict,
I've removed the word "clash" and emotional speculation as POV. Is your "conflict" impression coming from somewhere else? The references (here's one) show that there was a philosophical and/or semantic disagreement there. That's pretty clear. It's history and represented accurately. It's relevant and notable to Daniel J. Bernstein that one of his greatest works ran into philosophical issue which prevented its inclusion in a notable OS. Nothing more is implied, just a verifiable fact. I'm sure others will contribute more to paint a wider picture of Bernstein.
Here are things you are unable to verify: (1) that software written by DJB was actually used by the OpenBSD project, (2) that "hundreds of files" related to DJB's code were found with ambiguous licensing, (3) that DJB's code has ambiguous licensing, (4) that "all software" produced by DJB was removed from the tree (DJB has produced public domain software that likely remains in the tree), (5) that complying with DJB's copyright requirements were an issue of "time" or "effort", rather than the BSD-license principles of the project, (6) that DJB was accusing OpenBSD developers of hypocricy (he clearly accused Theo of it, echoing a web page he wrote criticizing Red Hat), and (7) that Netscape's license was "much" easier to deal with than DJB's.
Talking about OpenBSD's ports-tree issue with qmail is implicitly POV, because (1) lots of other software isn't distributed with OpenBSD, and the circumstances of all that isn't recorded here, (2) because the paragraph doesn't put the OpenBSD situation in perspective (and couldn't do so without spending 4-6 more grafs of information about qmail licensing in an article about a famous cryptographer and mathematician, known better for other things), and (3) because the qmail/OpenBSD situation is not representative of DJB's stance on copyright, despite the section title.
I am going to revert the section. Sorry. I'll listen to any responses you might have. — tqbf
there is more valuable information in this talk page than there is on the article itself
Okay, so move it into the article. I don't know what valuable information you're talking about, but I'm in favor of more content in the article, just as you are (as long as it's all sourced to a publication and verifiable). --Ds13 17:01, 20 July 2006 (UTC)

Controversial figure[edit]

I've restored the section that was deleted describing Bernstein as a "controversial figure". I'm open to seeing it significantly re-written, but the article is pretty incomplete without some mention of the way that he's not scared of controversy and strong words in online discussion. I have to say, though, he is absolutely charming company in person. — ciphergoth 08:13, 29 April 2006 (UTC)

Find a way to write it directly, instead of letting the article imply things. I killed the section because it was badly written and vague. I don't disagree with the premise. But if the best thing you can write is, "DJB gets in arguments with people who disagree with him", where "s/DJB/A man" produces a semantically reasonable sentence, maybe the point is better left unmade.
My other problem is that the examples are really bad. There's a cool graf in there somewhere, but it certainly doesn't include Rik Moen (wtf is Rik Moen and why is he in the same sentence as Arjen Lenstra). DJB's argument with Vixie isn't about BIND's quality, it's about vendor-biased standardization. I'm not sure an argument with Schneier about "computational cost" is the same as an argument with Lenstra. I could go on and on and on, but who cares? —Preceding unsigned comment added by Tqbf (talkcontribs)

qmail security[edit]

So obviously this is where the POV issue comes from.

Two problems with these grafs: (1) the notion that there has ever been an exploitable bug in qmail is heavily disputed (you'd need to specify a 64-bit arch/os in which qmail installs in a vulnerable configuration), and (2) the weight that this debate puts on qmail security in a biographical article. —Preceding unsigned comment added by Tqbf (talkcontribs)

Just a sidenote: the exploitability of the bug seems to be disputed even assuming all those preconditions. Since i'm not knowledgeable enough to personally verify the claim, i've been scouring the web for any definitive citations on the issue, but all i can seem to find are people questioning Guninski's claim. (See the references i added to the article for example, as well as Len Budney's this mini-essay.) What people do seem to agree on is that (a) the bugs are real, and can be used to mount a DoS, and (b) they might allow privilege escalation in theory, but Guninski has yet to demonstrate a sufficient exploit in practice.
To the anonymous editor(s) who seem convinced that this bug is actually exploitable (62.231.175.204, 124.51.45.37, 193.170.41.235, 217.10.60.85): can you settle the question by providing a credible citation, or demonstration? --Piet Delport 23:43, 24 July 2006 (UTC)
In fairness, the bug is definitely exploitable in theory (it's a textbook integer overflow). The problem is that it requires the server to consume more data than the standard/default install of qmail on any well-known platform. Unless it doesn't, in which case I'll have been corrected, and we can work out a way to get the claim into the article.
Meanwhile --- why bother with the conflict? There are more important things in DJB's bio than qmail security. Tqbf 01:06, 25 July 2006 (UTC)

NPV[edit]

Apart from edit history relative to the obscurity of the topic, is there a reason why this article is marked NPOV? —Preceding unsigned comment added by Tqbf (talkcontribs)

Seems reasonably NPOV to me -- tag removed. Neilc 06:26, 28 July 2006 (UTC)


Qmail, the Os distros and the license model[edit]

Someone would care to relate these 3? As djb forbids qmail binary releases, either with or without patches, for security reasons, it doesn't seam to me that OS vendors are willing to distribute the qmail sources along with their OS distros. Can someone get some official info on this, with references in this page? --Netshark 02:07, 11 February 2007 (UTC)

regarding removing 'objective stuff'[edit]

user User:Allansteel asks in his edit summary "(Reinstate section on particular thing about DJB. This time with a source to keep someone happy (sigh!!!). Why do people remove objective stuff and not the vast subjective drivel on wikipedia?)".

why? because we're trying to build an encyclopedia. everything is subjective in some sense or another. what matters on wikipedia is not truth but verifiability. check the edit history, and you'll see the BS that preceded my removal. then you'll have an idea of the context. yes, there's tons of useless drivel on wikipedia. it's a battle between those who love to spew drivel, and those who have to follow along behind the circus elephants with a shovel. the latter is harder work.Anastrophe 03:37, 17 August 2007 (UTC)

On the same principle, every sentence in Wikipedia which is not sourced MUST be deleted. I'm not saying I wouldn't want that (:-)), but would be very interesting to see that done in practice consistently. DJB's dress style is quite distinctive and well known so is not "drivel". It's funny how absolutely everything in the intro to this article (like DOB, degrees, school, subjective statement about being "controversial", etc.) have no sources, but have never been deleted by a zealous editor according to that above principle. Oh well, c'est la vie... Allansteel 02:39, 20 August 2007 (UTC)
a clarification. my comment regarding those who 'love to spew drivel' was emphatically not directed at you, i want to make that clear. i was speaking in general terms. see my user page for perhaps a taste of that.
to the matter at hand, i apprecate what you're saying....but...since neither of us can single-handedly fix wikipedia, and since we as yet do not live in utopia, we must confine ourselves to the issue at hand, as best i can see. on that basis, all i can tell you is that your edit constitutes trivia (generally frowned upon but not a policy issue), it is original research, and it can't be verified by a genuinely reliable source. as i've said before, i don't doubt you heard it straight from the horse's mouth, but that doesn't meet the qualifications necessary for inclusion. the other stuff, such as his DOB, degrees, school, etc - should be able to be verified, and the intrepid editor does a service to the encyclopedia by providing a link to a reliable source as a reference for those items. absent an obviously fraudulent edit, say, 'djb graduated from East Bumfuc, Idaho Community College', the info doesn't stand to be removed - it stands to be verified. if you can find someone else who has published - via a reputable source - the specifics of what you experienced, then go ahead and add it back, by all means. as it stands, i, as a disinterested third party, have no means of verifying that what you are saying is true. all i can do is trust that you aren't pulling my leg. trust is wonderful, but as i said, this isn't utopia yet. "i love you, but cut the cards". Anastrophe 02:55, 20 August 2007 (UTC)

DJBDNS security guarantee bounty paid[edit]

http://article.gmane.org/gmane.network.djbdns/13864

This seems like it's the first time in quite a while that DJB has acknowledged a bug in DJBDNS 9and paid his promised reward). How should this be integrated into the article? The DJBDNS article probably needs some alterations too. XenonofArcticus (talk) 22:00, 4 March 2009 (UTC)

Security claims[edit]

It's a little, err, exaggerated to state that DJB's software has never had a security problem. This isn't true. Qmail has a broken bounce model that allows a random spammer/joe job to mailbomb someone by sending forged email to a known non-existent email address on a Qmail server.

Also, dnscache does not correctly catch the SIGPIPE that it will get when a TCP connection gets an RST packet, causing the program to terminate (and be restarted, if managed by DJB's other tools), which is a denial of service attack.

That in mind, I have reworded his software section to point out his software has not had privilege escalation security problems. Which,may I point out, puts it in the same ballpark as Postfix, BIND 9, my own MaraDNS, etc.

Indeed, Postfix is a good deal more secure than a stock Qmail (no joe jobbing, for example), and both BIND 9 and MaraDNS are more secure than a stock Djbdns (no known DOS attacks in the latest versions, compared to the known DOS attack against Djbdns).

Reference for qmail problems: [3] [4], and a reply from a DJB advocate: [5]. Self-ref for summary of djbdns problems: [6] Samboy 16:38, 19 September 2007 (UTC)

  • I'm likely to revert this change. In the approved, documented configuration, the "DoS attack" that you're describing has no impact. It's also not true that these problems put DJB's tools in the same category as Postfix, BIND, or MaraDNS. All three of those tools have had memory corruption and remote code execution vulnerabilities (I found one such flaw in Postfix). I'll wait for you to respond before reverting. --- tqbf 18:14, 19 September 2007 (UTC) (edit: didn't cite sources for MaraDNS vuln; was referring to page, but that doesn't make a strong enough case.)
Ahem! There are no (known) remote code vulnerabilities in MaraDNS. There are no (known) memory corruption vulnerabilities in MaraDNS. There was only one remote code execution vulnerability in BIND 9, caused by a bug in the OpenSSL library, of all things. BIND 9 no longer uses that library. I can't vouch for Postfix, but I can vouch for BIND 9 and MaraDNS. Seriously, you're confusing a memory leak error with a memory corruption error; those two things are different beasts. Samboy 15:14, 20 September 2007 (UTC)
I'm not referring to memory leaks. A variety of memory corruption conditions in BIND 9 will trigger assertions, which are doc'd as "DoS vulnerabilities"; no evidence or analysis is presented to scope the impact of those problems to DoS only (series of pointers can routinely go wild, where targeted values for intermediate pointers can yield unprotected memory overwrites; the analysis to rule out these conditions is expensive; see page for an example in supposedly-secure OpenBSD).
This stuff is mostly inside baseball. I'm not proposing we sort out the head-to-head of MaraDNS vs. Djbdns; obviously, I side with Djbdns on that issue, but if we can agree that both are vastly superior to the alternatives, and come up with an NPOV wording that establishes that fact in this article, I'm fine. What I'm not comfortable with is taking the primary selling point for the #2 independent DNS server in the world and diluting it with innuendo. Let's agree on wording that doesn't implicate MaraDNS. --- tqbf 16:05, 20 September 2007 (UTC)
By the way, if you don't think security history distinguishes Djbdns from BIND 9, you should update your own advocacy page to say that BIND 9 is as safe an option as MaraDNS. --- tqbf 16:09, 20 September 2007 (UTC)
OK, thank you for the retraction. Now, if you have found, or know of a security hole in MaraDNS, I very much want to know about it. Indeed, I had no problem crediting Rani Assaf and João Antunes with finding remotely exploitable memory leaks in MaraDNS, and Michael Krieger for helping find a remotely exploitable memory corruption DOS bug in MaraDNS (minor; you can make authoritative data invalid for some kinds of DNS records, but not in a way that allows people to inject code). My contact page is here.
In terms of the djbdns SIGPIPE bug (which yes, lets people remotely restart djbdns), here are some references: ref 1 ref 2 patch
I am half-tempted to make an exploit for this bug and post it to bugtraq. It might give DJB the much-needed kick in the butt to update djbdns; the code hasn't been touched (by him) in years. Based on my experiences with him, I feel that he would deny the bug, alas.
Anyway, "ballpark" is a subjective figure. My general impression is that the ISC is honest about BIND bugs, and I can't find any remote code execution bugs besides the OpenSSL one on their security statement. Yes, there was the problem with query IDs on some systems--the ISC really should have read DJB's docs on DNS (I did, which has helped a lot with MaraDNS' security).
I think the main advantage djbdns currently has over MaraDNS is dnscache; MaraDNS' recursive code is multi-threaded and has problems with stressing heavily loaded DNS servers, particularly on BSD systems which don't do threads well. My next MaraDNS project will be to re-write the recursive code to be, basically, an OSI open source djbdns replacement (with some ipv6 code to boot).
My feelings are expressed in the advocacy document [1]. Basically, DjbDNS (and Qmail) were a much-needed kick in the ass that the internet needed in the late 1990s when the default SMTP and DNS servers were members of a "remote root code execution bug of the month" club. Since then, code has gotten a lot better with DJB's competitors, and the combination of DJB's license and abandonment of lack of updates for both Qmail and DjbDNS make deploying these programs on new systems, IMHO, a questionable proposition.
Thanks for the correction concerning Postfix. Samboy 17:37, 20 September 2007 (UTC)
[1] P.S. I think I make my feelings clear that BIND is in the same ballpark security wise as MaraDNS (and, yes, DjbDNS) with statements like "BIND9 and MaraDNS have a proven security record". Samboy 18:11, 20 September 2007 (UTC)
"Abandonment" is a hugely subjective, volatile, NPOV, and false claim to make about qmail and Djbdns. You're a competent developer and you know that the condition of a body of code isn't measured by how often its commited to. You should make it clear on this WP page that that comment was inappropriate, or revert it completely. --- tqbf 18:50, 20 September 2007 (UTC)
(i think you mean "POV" rather than "NPOV", but it's understood from the context what you mean). Anastrophe 18:55, 20 September 2007 (UTC)

it seems to me that you are too 'close' to these topics to be editing the articles (djb article, and your own maradns article). your advocacy for your own software over other software (and the attitude expressed above in your comments about djb) makes it difficult to assume good faith. Anastrophe 18:44, 20 September 2007 (UTC)


OK, let me back up my "abandonment" quote. I have reworded this as "lack of updates for". Quite frankly, as described in my MaraDNS advocacy document, there are five bugs that DJB should fix with DjbDNS:

  • There are problems resolving some domains with DjbDNS' resolver. This is the 'akamai djbdns' problem. reference
  • DjbDNS does not correctly periodically check upstream DNS servers to make sure a given domain has not moved. reference
  • The list of root servers included with DjbDNS is out of date. reference
  • There is a denial of service problem where a remote attacker can clear DjbDNS' recursive cache by sending a single "packet of death" to a dnscache server. (This is the SIGPIPE bug I mentioned above). ref 1 ref 2 patch

I understand a lot of DJB advocates feel that DjbDNS/Qmail are somehow "perfect" and do not need to be upgraded, but, quite frankly, I think it's obvious that DJB needs to fix the above five bugs with djbdns. And, really, the wording before I edited this article was "no functional exploits of any of these programs have been produced"; I revised this to "no privilege escalation exploits of any of these programs have been produced", since, yeah, the SIGPIPE issue seems to be a pretty "functional exploit". Sorry I don't have a working exploit; I will have to do some research with TCP to figure out how to send an RST packet to trigger the SIGPIPE and restart djbdns.

As for my objection to the "memory corruption and remote code execution vulnerabilities (in MaraDNS)" line, "memory corruption" in this case implies an attacker being able to control MaraDNS' memory. The "remote code execution" line is downright FUD, and, after six years of development and real-world use, not true (but if you find this kind of bug, let me know).

As for WP:COI, I agree. This is why I am careful about the MaraDNS edits (note that I asked permission in the corresponding talk page), and why the only edits on this page is to remove what is demonstratively an untrue fact (and getting rid of some negative speculation about DJB's behavior, as per WP:BLP). And, yes, it is hard for me to assume good faith with any DJB advocate: See this blog posting describing some of my unpleasant experiences with DJB advocates. Samboy 19:45, 20 September 2007 (UTC)

  • Thanks for clarifying. I'm going to retain "security-aware", which I agree is a better term than "highly secure", but I'm reverting "privilege escalation", which is a misuse of a term of art in security testing and is inaccurate. Thank you for agreeing to ask on the talk page before making edits to pages that you have COI issues with. --- tqbf 19:50, 20 September 2007 (UTC)
OK, if you can think of a neutral term that means "A minor DOS issue but in no way puts the rest of the system at risk", let me know. My expertise is writing C code, and trying to avoid security problems. A non-trivial task with DNS. I can see why DJB threw his hands in the air and said, in so many words "To heck with the DNS standards. They're broken." Yes, I made mistakes with MaraDNS, and some of my mistakes took literally years to uncover (The memory corruption issue was sitting in the code for over five years before I finally unearthed and removed it three weeks ago). My next plan is to to a complete rewrite, starting with the recursive code of MaraDNS. I agree that DJB software is good software; I just wish it was under an OSI-compliant license. Samboy 22:37, 20 September 2007 (UTC)
this is ranging into metadiscussion, but, from your advocacy page, it states
"The most recent release (of maradns) was done on August 14, 2006."
in other words, it's been more than a year since there were any updates to maradns. why have you abandoned it? what is the formal interval after which software becomes "abandoned"?
also, it states
"MaraDNS currently spawns a thread for every recursive request that is not in the cache. In other words, MaraDNS needs a good thread implementation in order to process a large number of recursive requests. Make sure your operating system has a robust threading library before using MaraDNS to process a large number of recursive request."
in other words, would it not be quite possible to DoS a machine due to this shortcoming in your software? doesn't that put your software on 'equal footing' with the DoS you claim for dnscache? i realize these are phrased contentiously, but under the circumstances and the basises of your arguments, i think we have a case of the pot calling the kettle black. Anastrophe 02:54, 21 September 2007 (UTC)
Hopeless discussions like this are why WP has WP:COI. "Security-aware" is an improvement to the article, but I think we all agree that Sam shouldn't be writing negative things about competing software. We should take any further points about MaraDNS to the MaraDNS article, which should be true'd up. --- tqbf 03:21, 21 September 2007 (UTC)

Source for Bellport High[edit]

Would this [7] be an adequate source placing djb at Bellport High? I don't work on Bio pages much, so wasn't sure what would be required. I attended classes with him there, but I'm assuming that comes under WP:OR. Dstumme (talk) 21:03, 16 July 2008 (UTC)

SYN Cookies[edit]

Wasn't djb the first one to popularise the idea of SYN Cookies? - http://cr.yp.to/syncookies.html 87.112.66.37 (talk) 23:10, 13 September 2008 (UTC)

No functioning exploits. Really?[edit]

The article had this sentence in it: "Bernstein offers a security guarantee for qmail and djbdns [...] no functioning exploits of any of these programs have been published". Not true, as shown by these sources:

  • DJB himself admitted that the Dempsky bug was a security problem with djbdns ref Indeed, this is part of the next sentence in the article.
  • There is an issue where people have been able to spoof the dnscache part of djbdns ref

The "no functioning exploits" line was never backed up by a reference, and I have just posted two references showing that djbdns has had security issues that have been exploited. Is there any reason why this article should still have the "no functioning exploits" line? I have revised the line to state that no functioning exploits have been found for qmail. This, in spite of the fact that qmail has the backscatter spam problem, which can very well be considered to be an exploit.

Disclaimer: I am the author of MaraDNS. Samboy (talk) 14:35, 30 June 2009 (UTC)

Prime number factorization[edit]

"...perhaps current views about how large numbers have to be before they are impractical to factor might be off by a factor of three. Thus as 512-digit RSA was then breakable, then perhaps 1536-bit RSA would be too."

If it's off by a factor of 3, then it would be 514 bit RSA that might be breakable, not 1536. If the intended meaning is that triple the number of bits of encryption could be broken, then it is off by a power of 3, not a factor of 3. Either way, the current wording is wrong. Aleph Infinity (talk) 17:41, 5 November 2009 (UTC)

I just noticed this issue, and came to the talk page to report it, only to discover it was noticed 5 years ago. The paper linked as citation reports that breaking a 512 bit encryption might result in 1536 bit being broken; therefore I deduce that power of three is in fact what is meant. 81.159.253.79 (talk) 20:51, 18 July 2014 (UTC)

Bernstein v. United States[edit]

Really now, how nice it would be if the article stated whether the court's ruling was *for* Bernstein or *against*. If it is "implied" that the ruling was in favor (or against?), well, implied is just not good enough. Toddcs (talk) 21:00, 27 January 2012 (UTC)