It's honestly been a long time since I've encountered this attitude around cryptography, where not even Schneier can be trusted and you have no hope of actually understanding cryptography so don't even try (yes, I'm referring to your math comments too). Welcome back!
For those feeling like this guy is being a dick, that's a normal reaction, but try to understand that this attitude was cultivated and used by enlightened individuals back when many people thought they were making secure software without even salting and hashing their users' passwords. People thought md5 was good enough, https was barely being used, people had to be convinced to use ssh instead of telnet and ftp, and so forth. Drilling the idea into people that cryptography and security is difficult and that you should listen to experts had to be done. Don't take it personally.
So yes, as you study cryptography, do keep in mind that it's extremely unlikely that you'll learn enough to come up with something better on your own, that you will very likely make mistakes if you try to write your own implementation of any cryptographic algorithms, and that you should still just use existing libraries and the recommendations of experts on best practices.
I understand this sentiment but don't know what to do with it. "Not even Schneier can be trusted" is "not even wrong". Schneier has very little to do with modern cryptography! But a long time ago, someone created a "Bruce Schneier facts" meme site, and now it's like an article of faith that he's a cryptography engineering expert. No, not so much, and I don't think he'd disagree.
He's a perfectly nice guy with a lot to say about information security and its intersection with public policy. But I think it's been plural decades since he basically declared himself outside of modern cryptography (you could call it at the point where he said he didn't "trust the math" of elliptic curves, which he left out of Practical Cryptography, over 26 years ago).
It's not so much that you should or shouldn't take "Applied Cryptography is bad" personally; rather: if you think Applied Cryptography is a useful reference or learning tool, it's pretty important to know that it is not.
This is news to me. Is it him in general or just that book?
Just that book. The followup (Practical Cryptography, now called Cryptography Engineering, though it's the same book) is much, much better --- though it's also totally out of date at this point, and would also get you in trouble.
Can you elaborate?
It's a book that is much more interested in presenting an almanac-esque survey of everything that was happening in cryptography at the time it was written (also unhelpful: it was written at a particularly un-rigorous point in the evolution of cryptography) than it is in teaching readers how to accomplish anything safely.