tptacek 12 years ago

It's good to stick up for people. It's less good to be thin-skinned on someone else's behalf.

Here, your attitude causes two problems.

First, you know and apparently like Kyle Isom, and so I presume you're also ready to tell me that he's an adult and a professional. Professionals do one of three things with criticism: ignore it, rebut it, or learn from it. My assumption has been that Kyle is choosing options (1) and (3) from that list. But here you are, inventing option (4): "get indignant about it". I wonder if you've thought about the extent to which people will attribute that response not to you, but to Isom.

Second, whatever you might think about the tone of my feedback, it's clear that Isom needs additional technical review for his book. Whipping up a totally unproductive us-versus-them narrative about "jerks" versus "open source" does the opposite: it generates drama. Even if you think my review was itself dramatic, piling more drama on doesn't make Isom's work more attractive to experts.

I'm not sure how big of a deal either of these issues is, but they're a bad habit for message board denizens. The exact same thing happened to Willem when he wrote his critique of the Akamai allocator, and Hacker News had a totally unproductive drama storm for a couple hours before Akamai (a) thanked Willem and (b) acknowledged that he was absolutely correct. Read the Akamai comments on the HN thread, and apply them here, substituting "Kyle Isom" for "Akamai", and I think you'll see that they apply.

Finally, I'll admit to being personally irritated by the claim that I operate from "experts only" logic with regards to cryptography. There are at last count something like twelve thousand people who have reached out to us for our free crypto challenges, and thousands of those people have gone on to solve multiple sets of challenges (something like 60 people have finished the first 6). Every damn one of those people is an email exchange that me, Sean, or Marcin had to have directly, on our own time, with no compensation --- the opposite of compensation, in fact, because we donate to charity when people finish them.

There are a lot of people on the Internet to whom you could direct the "experts only elitism" criticism regarding crypto. I am not one of them.

What's more annoying about that bogus critique is how it muddles a real issue. I'd like many more people to understand crypto and, particularly, what goes wrong when it's implemented naively. But I'd like far fewer people to plow ahead and implement their own broken stuff. The track record on amateur cryptography is bad, and what developers don't like to acknowledge is that the badness that work generates is an externality to them. People have in the real world been hurt, physically, because of broken amateur crypto. It is hard for me to take the hurt feelings of developers all that seriously by comparison.

logn 12 years ago

Isom should thank tptacek for providing thousands of dollars in free consulting/editing work. He'll probably be a better engineer because of this feedback and the next edition of his book should be a lot better.

  • tptacek 12 years ago

    Isom doesn't owe me anything, but the notion that he might arises straightforwardly from the factionalizing that follows ginned-up outrage, which is point #2 I was trying to make above.

diminoten 12 years ago

Ironically, you yourself are choosing more 4 than 2 in response to someone's criticism of your criticism.

  • tptacek 12 years ago

    I made 3 straightforward points in my comment. Do you disagree with any of them? If not, let's just agree to disagree.

    • diminoten 12 years ago

      I disagree with your condemnation of a behavior while exhibiting said behavior. It shows that you're okay with drama so long as it's you creating it, but you're not okay with a dramatic response to your own drama-creating.

      The accusation of elitism on your part is not a new one, I don't think, to you - I found myself levying the same accusation when you decided to single out the CryptoCat project as a distinctly "bad" project, due to the number of issues that came up during the most recent security review, despite the fact that it's one of a very select group of open source projects even undergoing such reviews.

      You say things like, "amateur cryptography" when it makes little to no sense. This book wasn't written for free, it was actually professional crypto, even if it had fundamental problems; it's bad crypto, not amateur crypto. When you do things like that, it comes off as elitism, whether or not you're intending it to.

      • tptacek 12 years ago

        I think Cryptocat illustrates and affirms the points I'm making about amateur cryptography, and doesn't rebut them.

        • diminoten 12 years ago

          Yes, because amateur projects generally undergo third party security reviews.

          • tptacek 12 years ago

            I disagree, but I'm also not interested in discussing Cryptocat on this thread, and I don't think you'd be doing Kyle Isom any favors by pushing the comparison further.

            • diminoten 12 years ago

              I'm just getting sick and tired of people in the crypto community dismissing projects because they're not done by one of the "ordained few".

              Your criticisms of the book are indeed valid, but the obvious derision you apply when calling professional efforts such as this book and Cryptocat "amateur" is precisely the kind of behavior and attitude that keeps the state of crypto so backwards and slow, and is exactly the kind of drama you (correctly) lambasted earlier in this comment chain.

              • tptacek 12 years ago

                Reread the original comment to which you're effectively replying for what I think is a complete rebuttal to this comment, and, again, let me remind you that your comparison of Cryptocat and this book is unfavorable to the book's author.

                • diminoten 12 years ago

                  I know you think it's unfavorable to compare the two, but that's the entire problem.