If I want to be a cypherpunk, or at least effectively use their software, how important is it that I learn to program?
February 10, 2012 12:08 AM Subscribe
If I want to be a cypherpunk, or at least effectively use their software, how important is it that I learn to program?
If you want to be able to confirm from first principles some code is secure, or vice versa, you will need to programme to a very high skill level. Otherwise, you are at the mercy of other coders to confirm a cypher is trustworthy or not.
posted by bystander at 2:55 AM on February 10, 2012
posted by bystander at 2:55 AM on February 10, 2012
If I want to be a cypherpunk
What does this mean? What do you actually want to achieve?
posted by pharm at 4:34 AM on February 10, 2012 [2 favorites]
What does this mean? What do you actually want to achieve?
posted by pharm at 4:34 AM on February 10, 2012 [2 favorites]
Do you mean "cypherpunk" in the sense that Wikipedia defines it?
"A cypherpunk is an activist advocating widespread use of strong cryptography as a route to social and political change."
If so, no, that has nothing to do with programming. Studying networking and systems administration would be more to the point, I think, if you want to acquire relevant technical knowledge for activism.
posted by thelonius at 5:56 AM on February 10, 2012
"A cypherpunk is an activist advocating widespread use of strong cryptography as a route to social and political change."
If so, no, that has nothing to do with programming. Studying networking and systems administration would be more to the point, I think, if you want to acquire relevant technical knowledge for activism.
posted by thelonius at 5:56 AM on February 10, 2012
First step is to stop saying you want to be a cypherpunk. It's an unfortunate term more often associated with wannabes than anyone legitimately interested in cryptography. Most of the folks on Wikipedia's cypherpunk list would probably chuckle if someone described them as a cypherpunk to their face.
A lot of this depends on what part of cryptography you are interested in. If you really want top-to-bottom knowledge, you need a good understanding of mathematics (particularly linear algebra) to analyze cryptographic algorithms. You need a good understanding of programming to ensure that a cryptographic algorithm is securely implemented in software. And you need a good understanding of security architecture to ensure that a given software implementation is securely implemented in the real world. If you're dealing with any hardware encryption, you'll need to add some electrical engineering skills on top of that.
This gives you 4 jumping off points to start learning.
As you go down this rabbit hole, you're going to find that in most cases you can't confirm that a system is secure; you can only have assurance it is secure. We use cryptographic algorithms because no one has effectively broken them _yet_. We trust our cryptographic software because the maintainers quickly respond to and patch vulnerabilities, not because it is provably secure (note, there are some provably secure software implementations, but they come with their own set of limitations, which is why you don't see widespread adoption). We trust our security architecture because no one has published a successful attack on the protocol.
If you haven't yet read Bruce Schneier's more accessible books (Secrets and Lies, Beyond Fear, the upcoming Liars and Outliers, and his blog archives), that would probably be the place to start learning how to think about trust.
Finally, if anyone suggests a product, OS, deployment method, or anything else to you, remember that you are inheriting their decisions on trust. At the beginning, this may be very necessary to avoid being overwhelmed, but at some point you owe it to yourself to go back and evaluate why you are trusting your selection more than another.
posted by bfranklin at 5:57 AM on February 10, 2012 [5 favorites]
A lot of this depends on what part of cryptography you are interested in. If you really want top-to-bottom knowledge, you need a good understanding of mathematics (particularly linear algebra) to analyze cryptographic algorithms. You need a good understanding of programming to ensure that a cryptographic algorithm is securely implemented in software. And you need a good understanding of security architecture to ensure that a given software implementation is securely implemented in the real world. If you're dealing with any hardware encryption, you'll need to add some electrical engineering skills on top of that.
This gives you 4 jumping off points to start learning.
As you go down this rabbit hole, you're going to find that in most cases you can't confirm that a system is secure; you can only have assurance it is secure. We use cryptographic algorithms because no one has effectively broken them _yet_. We trust our cryptographic software because the maintainers quickly respond to and patch vulnerabilities, not because it is provably secure (note, there are some provably secure software implementations, but they come with their own set of limitations, which is why you don't see widespread adoption). We trust our security architecture because no one has published a successful attack on the protocol.
If you haven't yet read Bruce Schneier's more accessible books (Secrets and Lies, Beyond Fear, the upcoming Liars and Outliers, and his blog archives), that would probably be the place to start learning how to think about trust.
Finally, if anyone suggests a product, OS, deployment method, or anything else to you, remember that you are inheriting their decisions on trust. At the beginning, this may be very necessary to avoid being overwhelmed, but at some point you owe it to yourself to go back and evaluate why you are trusting your selection more than another.
posted by bfranklin at 5:57 AM on February 10, 2012 [5 favorites]
Best answer: Read and experiment. Learn to use linux from a command line. (There are thumb drive security distros that are perfect for this kind of thing.) Learn how Tor and proxies work. Learn how hard drive encryption and PGP work. Figure out what https is and why you'd use it. Set up a second computer, and run some basic exploits against it. Hack your own wifi. Crack your own password. Read. Play on your own machines.
Just resist the urge to ah, play on other people's machines. People are rarely amused to learn that they have exploitable software, and the police are even less amused.
Have fun, and learn. Beyond that, it's impossible to answer without knowing what your own history is, but as a previous poster alluded to system admin skills will probably be more important than serious coding skills.
It sounds like you want to read and talk with people that are excited about this kind of thing more than you want to master the computer science side. There's plenty of room for those people too, IMHO. Just... go for it. Be excited.
posted by Stagger Lee at 8:32 AM on February 10, 2012
Just resist the urge to ah, play on other people's machines. People are rarely amused to learn that they have exploitable software, and the police are even less amused.
Have fun, and learn. Beyond that, it's impossible to answer without knowing what your own history is, but as a previous poster alluded to system admin skills will probably be more important than serious coding skills.
It sounds like you want to read and talk with people that are excited about this kind of thing more than you want to master the computer science side. There's plenty of room for those people too, IMHO. Just... go for it. Be excited.
posted by Stagger Lee at 8:32 AM on February 10, 2012
Response by poster: I mainly just want to have assurance that my communications are secure. It would be nice to understand why, but I do not want a career in computer science. I don't know if I'm willing to sacrifice time studying other interests if I don't need to.
posted by vash at 8:47 AM on February 10, 2012
posted by vash at 8:47 AM on February 10, 2012
That kind of answers your own question then.
Yes, you can run a secure browser, use a proxy and run https without having to learn anything. Go grab some firefox plugins.
posted by Stagger Lee at 8:58 AM on February 10, 2012
Yes, you can run a secure browser, use a proxy and run https without having to learn anything. Go grab some firefox plugins.
posted by Stagger Lee at 8:58 AM on February 10, 2012
Response by poster: What I'm worried about is being clueless in situations outside the specific ones dealt with by common solutions. I often feel like the main power against government is now the internet, and I'm doing myself a disservice by not studying computers more. I was in computer science as a major for a very brief time, and I was kind of disenchanted with it. I decided I didn't want to spend my life debugging(if this is a gross exaggeration, it just shows my ignorance) and have since become more passionate in other areas. Maybe what I really want to know is if there are people who are proficient in this stuff who haven't devoted their lives to it.
posted by vash at 10:13 AM on February 10, 2012
posted by vash at 10:13 AM on February 10, 2012
Best answer: I mainly just want to have assurance that my communications are secure.
Start on the security architecture side. I'd still recommend starting by reading Bruce Schneier. Stagger Lee is on the right track with getting started, but you need to understand how the plugins you choose are meant to be used and what risks go along with them. The documentation for specific security products would be a good next step for gaining understanding.
I decided I didn't want to spend my life debugging
Incidentally, this is exactly what set me down a career path for information security. I trust the community to police the code in the tools I use. I trust me to implement them properly in the real world.
Maybe what I really want to know is if there are people who are proficient in this stuff who haven't devoted their lives to it.
Depends how you define proficient. As an information security professional that has been responsible for hiring decisions, my definition of proficient is probably necessarily significantly higher than yours.
It really comes down to what are you defending against? Your average script kiddy can be evaded by patching your computer, not clicking on email attachments, and judiciously using SSL. The government is a multi-trillion dollar entity. If you are high value to know about, you as an individual have almost no chance of defending yourself against it.
You are trading your time for the ability to defend against a superior attacker. Only you are going to be able to make the decision about what risks are acceptable to you. If you just want to satisfy your paranoia, I'd suggest learning to run an open operating system off of a USB stick, fully encrypting the volume, understanding the risks associated with online communication _and_ online presence (e.g., know when to use Tor, but also know that if you posted this comment through Tor, I can, with statistical certainty, identify you based on word choice), and never letting your trusted OS image out of your sight.
posted by bfranklin at 10:24 AM on February 10, 2012 [1 favorite]
Start on the security architecture side. I'd still recommend starting by reading Bruce Schneier. Stagger Lee is on the right track with getting started, but you need to understand how the plugins you choose are meant to be used and what risks go along with them. The documentation for specific security products would be a good next step for gaining understanding.
I decided I didn't want to spend my life debugging
Incidentally, this is exactly what set me down a career path for information security. I trust the community to police the code in the tools I use. I trust me to implement them properly in the real world.
Maybe what I really want to know is if there are people who are proficient in this stuff who haven't devoted their lives to it.
Depends how you define proficient. As an information security professional that has been responsible for hiring decisions, my definition of proficient is probably necessarily significantly higher than yours.
It really comes down to what are you defending against? Your average script kiddy can be evaded by patching your computer, not clicking on email attachments, and judiciously using SSL. The government is a multi-trillion dollar entity. If you are high value to know about, you as an individual have almost no chance of defending yourself against it.
You are trading your time for the ability to defend against a superior attacker. Only you are going to be able to make the decision about what risks are acceptable to you. If you just want to satisfy your paranoia, I'd suggest learning to run an open operating system off of a USB stick, fully encrypting the volume, understanding the risks associated with online communication _and_ online presence (e.g., know when to use Tor, but also know that if you posted this comment through Tor, I can, with statistical certainty, identify you based on word choice), and never letting your trusted OS image out of your sight.
posted by bfranklin at 10:24 AM on February 10, 2012 [1 favorite]
Maybe what I really want to know is if there are people who are proficient in this stuff who haven't devoted their lives to it.
You can't be proficient at anything without devoting a significant percentage of your life to it. Cryptography, playing guitar, baking bread, whatever. If you want to understand first hand how something works, you have to put in the time and effort required to learn how it works. That's sort of a universal thing.
posted by ook at 3:10 PM on February 10, 2012
You can't be proficient at anything without devoting a significant percentage of your life to it. Cryptography, playing guitar, baking bread, whatever. If you want to understand first hand how something works, you have to put in the time and effort required to learn how it works. That's sort of a universal thing.
posted by ook at 3:10 PM on February 10, 2012
Response by poster: Obviously I wasn't asking if it takes time to learn things. I was asking if there are people in careers outside computer science who are proficient in this, or if it is too technical for anyone who doesn't work with it everyday.
posted by vash at 4:27 PM on February 10, 2012
posted by vash at 4:27 PM on February 10, 2012
Best answer: I was asking if there are people in careers outside computer science who are proficient in this, or if it is too technical for anyone who doesn't work with it everyday.
This is a non sequitur. There's nothing keeping you from learning anything. "Too technical" is an excuse to not start learning. I get the feeling you're really asking if this will be easy for you. There is all of one way to find out.
posted by bfranklin at 5:30 AM on February 13, 2012
This is a non sequitur. There's nothing keeping you from learning anything. "Too technical" is an excuse to not start learning. I get the feeling you're really asking if this will be easy for you. There is all of one way to find out.
posted by bfranklin at 5:30 AM on February 13, 2012
This thread is closed to new comments.
posted by Sparx at 1:17 AM on February 10, 2012