Junk Science
In a new article, Dr. Andy Farnell had this to say about NIST: "One motive is that the US American National Institute of Standards and Technology (NIST) recently published its weighty (> 30k words) SP 800-63-4 Digital Identity Guidelines. [...] Seeing that NIST is finally championing common-sense is encouraging. But there is actually more to it. NIST is shifting to a recognition of the power dynamics in security and that it is the user who must determines passwords and take responsibility for them. What we'd like to do is extend that to talk about how computer security in general needs to come back to the user. [...] NIST is recognising that a lot of security folklore harms users. What we want to look at here in broader strokes here is what we call iatrogenic technology. Because faceless "bullies" turn out to just be misguided administrators trying to do their best and many of the problems with passwords boil down to our addiction to "convenience". [...] To make things worse, there's loads of misinformation out there; cybersecurity folklore, marketing spew, lobbying efforts - and these feed-back into government too, including organisations like NIST, so perpetuating the cycle of poor security. This time NIST specifically set out to undo some of that misinformation and folklore. [...] Now, it is nice for us to be able to write some positive things about NIST since the last time we spoke about them was negatively in the context of allowing encryption standards to be compromised by NSA influence. That said, this article will stay on-point that organisations and standards are only as good as their integrity and good-faith. [...] I think that even in the new NIST standard, which has more precise and consistent language, its language around security models remains woolly and fundamental concepts that relate to power and responsibility remain unclear. [...] Partly it's because we've been using passwords wrong for about the past 40 years. The new NIST document partially puts that right. It's also because there's a massive "security industry" that sells things - and you can't sell people the ability to think up a new password in their own head. Where's the profit in that?"
As Dr. Farnell explained many times before, science is being compromised for business purposes and even the NSA looks to undermine science, not just the "S" in the acronym "NSA".
The Free Software Foundation (FSF) has just said that it would serve on NIST, but it seems to involve buzzwords ("Free Software Foundation to serve on "artificial intelligence" safety consortium").
Let's hope the FSF will send RMS, who opposes the buzzwords and refuses to call LLMs "artificial intelligence" (their main concern might be whether he might ask someone on a date). Parroting buzzwords is part of the problem and the ongoing assault on science. █