Java Security

The moderators of this forum might deem this posting off-topic, arrogant and/or irrelevant, but I feel someone has to speak up before this forum disintegrates due to abandonment by the knowledgeable experts.

I have noticed recently, on this and other cryptography forums, that there are a large number of questions posted by programmers from the Indian sub-continent (being of Indian origin myself, its easy for me to recognize them) who want the answer to their crypto-problem-of-the-day, served up on a platter. Their questions indicate that they have either done little-to-zero research, or - more blatantly - they are not interested in doing the research, but just want an answer NOW for a project that is behind schedule.

I believe this trend portends danger for the forum, because after a while, the experts - who currently share their time and knowledge willingly out of the kindness of their hearts - might begin to feel they are being used, and leave the forum out of disgust. That would be a tragedy for everybody.

For every programmer who chooses not to do any research, there are many others who have done their homework, but are unable to connect the dots on one of the most complex and arcane topics in information technology: namely cryptography. (I will confess that despite having worked for many years in this field, I feel I know so little and continue to follow the comments of some of the true experts whenever I have the time, to learn more). If these experts left the forum, there would be nowhere to go for the answers to some of these complex questions - and that would be a terrible shame. The very people that the experts would like to help, would be unable to receive it.

With as much empathy as I can muster for beginning crypto-programmers, I would like to offer some advice so that this forum remains useful:

1) Please understand the fundamentals of cryptography before posting your question here. While it is definitely acceptable to post non-working code so an expert might point to the problem, to ask questions that are already answered in Sun's own documentation of the JCE and javadocs of the API, is to show extreme disrespect for the people from whom you are trying to learn;

2) There is an extraordinarily good book - Beginning Cryptography with Java, written by David Hook and published by WROX - that provides significantly more detail than the JCE documentation, on the fundamentals of cryptography, with working Java code-examples of some of the most common - and uncommon - uses of the JCE. Buy this book and study it. This will be one of the best investments you will make if you intend to do any JCE-related work in your career;

3) If your question is related to a vendor's specific implementation of the JCE, ask your vendor for support first. No one is likely to have a better answer for you than they will. If they do not have an answer, then come to the forum and indicate that you have spoken to the vendor and that they have not provided a satisfactory answer. You will enable two things with this: i) you will indicate to the forum that you did your due-diligence by talking to the right people first; and ii) you will let the world know that the vendor has crappy support - which will indirectly benefit the rest of the community as they will shun vendors who provide poor support, thus keeping terrible products off the market. (Just make sure you stay within your legal obligations on confidentiality, etc.);

I realize that many Indian firms may have gotten these crypto projects either as part of a larger project, or because they offer lower-cost resources than programmers in industrialized nations. While I personally think it is unethical for any company to represent they can perform a task and have their programmers go to a free forum to get the job done, I also realize that as individuals, you don't have a choice - you are just trying to do your jobs within the constraints you are given. However, if this trend continues, I believe it is only a matter of time before this forum will become just"noise" with very little "signal" to be of use to anyone. And, that would be a terrible loss for everybody.