this is a very common pattern in tptacek's comments, but it's not worth calling out as he absolutely refuses to recognize it, always falling back to a similar response you see here.

with a quick google of "3des broken" and reading the first paragraph of wikipedia on 3des, i was able to guess (correctly!) what they original commenter was referring to.

It's pretty self-indulgent of me to respond to this comment, but just real quick: the pattern you're seeing is me in fact not being one of the top-tier experts in cryptography on Hacker News (just one of the loudest), and not knowing who this person is, and not having had a reason to think about 3DES in quite a long time. What you're reading as snark or lawyering is, rather, me meaning exactly what I said, and being uncertain about what that person was talking about.

if i were to guess, they are referring to CVE-2016-2183, which lead to deprecation of 3DES by NIST in 2019 (announced in 2017) and disallowing all uses in 2023. openssl also stopped including it in default builds starting in 2016 because it is considered weak.

This is Sweet32, an attack on any block cipher with an 8-byte block size. We don't consider those ciphers "broken"; they just can't be used safely in some common modes. You shouldn't use 3DES or IDEA or Blowfish, of course, but I don't think they're considered "broken", not in the same sense that, say, RC4 is.

It's true that 64 bits was known not to be enough when DES shipped decades ago, but there is some difference between "We know that's a bad idea" and a demo showing why, and so I think I'm OK with the word "broken" in that context.

There's a reason POCs matter right? Why you feel comfortable (even though I don't agree) saying multi-threaded Go doesn't have a memory safety problem and yet you wouldn't feel comfortable making the same claim for C++.

I'm not a cryptographer but to me "broken" seems to imply that the core algorithm itself can be attacked. If merely applying it in certain ways as part of some larger system can fail then aren't most (possibly all) ciphers broken? It's entirely possible to do all sorts of stupid things.

Granted, a 2^32 block limit is pretty severe by modern standards.

Si (2^32)*8 works out to 34GB for TDES. How many applications involve encrypting that much data in one go?

This semantic argument was more plausible before the original commenter claimed 3DES can be "broken with little effort".

That's fair, I won't defend "broken with little effort".

Not to be rude, but it seems to me that you are engaging in some hairsplitting. In general, security people do not recommend to use 3DES or RC4 - even if RC4 is broken in other ways than 3DES.

RC4 is actually broken. It's fundamentally broken. As you run it, it's face melts off like the guy at the end of Raiders. It's genuinely weird nobody noticed how bad it was, in a practical sense, until the late aughts.

The 64 bit block size in 3DES (and Blowfish and IDEA) limits how much data you can encrypt under a single key. I think the real "tell" that this isn't hair-splitting is that people don't ever generally talk about Blowfish being "broken", just obsoleted.

People just don’t talk about Blowfish.

They do, but indirectly, the b in bcrypt stands for blowfish.

to any non-cryptographer, i think that's a distinction without a difference. it's disallowed from use by the major standards institute due to a vulnerability where people can recover the plain text.

that sounds "broken" to me, but i'm not a cryptographer. so, i'll defer to you when you say it's not broken. (i dont know what the cryptographer-specific definition of broken is -- it'd be great if you would shed some light on that)

Again: not a vulnerability in the cipher.

><obscure set of random words>

"language server" is probably not particularly obscure (or random) to the audience of people who know what "mecrisp-stellaris" is (i.e. the audience of the post).

i actually doubt "language server" is obscure to pretty much anyone who has done any programming recently.

my mom can use signal no problem. she doesnt know what half the words in your comment mean, though.

>if your first instinct is to defend it

the reminder of "theres a human there" is not "defending" the actions. its a call back to reality, because people on the internet take little things way too fucking seriously all the time.

and yes, this is a little thing. extremely tiny. i promise you'll forget about it in a few days whenever the next thing in the outrage cycle bubbles to the top of your feed/HN

>A world without Microsoft.. no telemetry or backdoors.

thank god microsoft is the only entity on the planet that uses telemetry or violates privacy. get rid of them and we're in a new age!

heres the second paragraph in full:

"Here, amidst the repurposed neoclassical columns and wooden pews of a building constructed to worship a different kind of permanence, lies the physical manifestation of the "virtual" world. We tend to think of the internet as an ethereal cloud, a place without geography or mass. But in this building, the internet has weight. It has heat. It requires electricity, maintenance, and a constant battle against the second law of thermodynamics. As of late 2025, this machine—collectively known as the Wayback Machine—has archived over one trillion web pages.1 It holds 99 petabytes of unique data, a number that expands to over 212 petabytes when accounting for backups and redundancy.3"

can you help my small brain by pointing out where in this paragraph they talk about deduplication?

>10 hours of outage in a year affecting a team of 10 would cost north of $70k

10 hours x 10 developers x $70 per hour = $7000, not $70000.

Thank you for the correction! This indeed completely changes the picture :-\

but you can be smug when theres a github incident, and thats hard to put a price on

You can do that with gitlab.

like most rap videos do with cars/jets/mansions, just rent the ram sticks for a few hours!

And the cinema equipment to make the video itself.