The Kleptography Expert
Cryptography is impressive. Cryptography means security, and as an expert in security you are at the lofty peak of design authority. You can look down on the plebs discussing scalability, design patterns, and optimization. You can flex your authority and shoot down anything that doesn’t meet your rigorous standards.
Little wonder that many junior developers share this wet dream. Our Klepto Expert had taken the fast-track course of his own devising. He read My First Guide to Cryptography, and then declared himself an expert. Simple!
WTF is a Three Letter Agency
I first met Mr Klepto when he was assigned to a government project I was working on. He had junior-level skills, but knowing the manager helped him slide into a design role. I only noticed him rise above the ambient government asshattery when he set about “improving” security by replacing all uses of the RSA CSP with his own half-baked homebrew algorithms.
Apparently RSA is insecure because all that peer review and intensive scrutiny means everyone knows how it works. Looks like the world’s PKI will be coming down like a house of cards. Better call your bank and make sure those lazy bastards are on the case.
Fail Starts With F
In the words of those clever chaps at SANS & MITRE: “CWE-327: You Suck At Crypto More Than Adi Shamir”. You fail extra hard when you base your shitty algorithm on a turning grille cipher, used to teach cryptanalysis because it's so crap. You are gunning for bonus points when you add random data to the output stream to make it “harder”. You win the prize when you don't know how to spell the field you claim to be an expert in.
Noobs are wrong when they think I do the security consulting because it's fun, glamorous, and I get to tell people what to do. I enjoy drinking beer, and I wish they would fuck off and fail somewhere else. The only reason I get involved in this shit is because I can use scary and complicated words to extract more cash from your manager.