If you are interested in cryptography, you are confronted with a growing field to explore. But how to keep track of all the latest developments, scientific research papers, and thoughts? Researchers, developers, journalists, IT security professionals: A lot of people are writing about crypto-related issues and are publishing articles and analyses in their blogs. But help is on the way to arouse or satisfy our crypto-curiosity! David Wong created a list of Blogs about Cryptography/Security to follow for any RSS feed reader.
We spoke with David Wong about his collection of crypto-related blogs, while he was at Black Hat, teaching a crypto-course together with others. He maintains his list of crypto-blog for years now and shares it with everybody interested.
David Wong is Security Consultant at the Cryptography Services practice of the company „NCC Group“. He has been part of several publicly funded open source audits such as OpenSSL and Let’s Encrypt. He has conducted research in many domains in cryptography, publishing whitepapers and sharing results at various conferences including DEF CON and ToorCon as well as giving a recurrent cryptography course at Black Hat. He has contributed to standards like TLS 1.3, Strobe and the Noise Protocol Framework. David graduated from the University of Bordeaux with a Master in Cryptography, and prior to this from the University of Lyon and McMaster University with a Bachelor in Mathematics. And he’s on Twitter.
There is also a German version of this interview.
Crypto articles to save somewhere
netzpolitik.org: You have collected a long list of crypto-related blogs and you are sharing it via Github with everybody interested. Why did you start that collection?
David Wong: I was studying for my master in cryptography three years ago, and I was slacking a bit too much. So I thought about using my obsessive character to get better at it. A long time ago I got hooked on RSS feeds and subscribed to hundreds of news feeds so I would get a new notification every five minutes. I needed to read it all, I was completely obsessed and sleeping or doing a social activity would make me miss too many posts which would drive me crazy.
It got to a point where I just said „Screw it!“, and deleted my accounts on Google reader and the various softwares I were using at the time. And I moved on. But I thought about it maybe seven years after my master, and I decided I needed something like that again in my life.
So I started following a bunch of blogs that I would read every day, mostly in the transit. It worked out pretty well for me and I still read a huge amount of blog posts every day. I keep a list of the interesting ones here actually: https://www.cryptologie.net/links.
netzpolitik.org: You add and delete blogs, what are your criteria?
David Wong: I add blogs that I find interesting and that I think will yield good blogposts in the future. Sometimes I add blogs that I know to be dead, but I want to have the articles saved somewhere, mostly because of how good those were. This is kind of sad because these blogs will most probably never have anything new but I don’t want them to get lost in the void.
As for deleting, I tend not to delete blogs, I might delete duplicates, or blogs that were actually not that good in retrospect…
netzpolitik.org: How do you find new crypto-blogs worth reading?
David Wong: Mailing lists, blog posts, links from blogs I’m reading, hackernews and reddit. That’s about it. Blogposts are usually the best way to learn on the go, because they don’t require a huge time commitment and they usually do a better job than books by being less informal and having more diagrams or pedagogical attributes.
„I need to learn something out of it“
netzpolitik.org: So you started out of curiosity. But why did you begin to share it with the world?
David Wong: Oh, well that’s something I’ve constantly done in my life. I’ve always understood the value of sharing what can be valuable for others. The only times I haven’t published something are solutions to wargames or on-going Capture the Flag games and running code I’m too scared of being riddled with bugs.
netzpolitik.org: You work and teach in the field. Do you have the time to read all of them?
David Wong: Unfortunately not, I have this list of pocket articles (a plugin in Firefox to bookmark articles) which has grown exponentially over the years. I tend to reduce it when I go without internet for length of time, but usually not as fast as it expands.
I’ve also tried to read more books as opposed to blogposts lately, and I think there is a point where you need to switch towards books if you want to get depth instead of breadth.
netzpolitik.org: Which blogs are your favourite ones? Do you have any insider tip for a crypto-blog from the list which is highly underrated?
David Wong: This is a good question, I’ve actually wrote this for 2016 but I should more consistently bookmark what I really like. Hopefully I’ll have a better list by end of 2017.
This blogpost also includes what I think make up a good blog:
- Interesting. I need to learn something out of it, whatever the topic is. If it’s only about results I’m generally not interested.
- Pedagogical. Don’t dump your unfiltered knowledge on me, I’m dumb. Help me with diagrams and explain it to me like I’m 5.
- Well written. I can’t read boring. Bonus point if it’s funny. :)
netzpolitik.org: I like to ask you some more broader questions: Four years ago, the Snowden revelations started. Do you see changes in the way scientists, developers, or journalists write about cryptography or crypto-related security holes? Did you notice any topic shifts in the four years?
David Wong: Definitely, people in general are more aware of security issues, companies are more aware of security issues as well, and even though a lot of them will use that as a marketing advantage on the whole it helps them get secure. At NCC Group, where I work, we see a lot more clients coming to us for help to start protecting their application. And „start“ is the keyword, they realized security was not an option thanks to the current climate and decided to get some help from the outside. Now another problem is to make them understand that security is a continuous process and not a one-time thing.
As for scientists, Phillip Rogaway released this piece called „The Moral Character of Cryptographic Work“ (pdf) and a lot of research has shifted towards securing the internet, messaging, etc. Notably, Google Chrome has been pushing really hard for that over the last years and websites have moved towards HTTPS in mass. See Let’s Encrypt here, and I quote:
When Let’s Encrypt’s service first became available, less than 40 % of page loads on the Web used HTTPS. It took the Web 20 years to get to that point. In the 19 months since we launched, encrypted page loads have gone up by 18 %, to nearly 58 %. That’s an incredible rate of change for the Web. Contributing to this trend is what we’re most proud of.
Changing the landscape of the applied crypto-world
netzpolitik.org: Your twitter line says: „Breaking crypto for a living“. Did you encounter any crypto lately that you could not break? Care to share?
David Wong: Everyday, I see AES-GCM, SHA-3, HMAC, ECDH, and other cryptographic primitives that seem well implemented. Now are they used correctly in the application surrounding it? That’s another question and the answer is not always positive. If I had to give a shout out to one or two things that have impressed me over the past, I would go with Noise, SHA-3 and BearSSL. The first one is the solution for people that need TLS but do not want to use TLS. I see a lot of proprietary custom-TLS protocols that make me sad, so projects like Noise make me smile. SHA-3 is a wonder, its design is just logical in many aspects and the things it brought us (SHAKE, Tuplehash, KMAC, KangarooTwleve, Strobe, …) are changing the landscape of the applied world. BearSSL is the most well written TLS library out there, it doesn’t use any mallocs and it is my go-to library when I need to understand something about TLS in general.
netzpolitik.org: Thank you very much for the interview!