
We don't have to read tea leaves about what Schneier does or doesn't think, because the engineering issue here is straightforward. Ferguson wrote a paper about the CBC+diffuser construction, and what its goals were. On a previous thread, 'pbsd even pointed out that the performance issues made sense: the CBC+diffuser construction couldn't easily benefit from hardware AES instructions, which harmed performance.


I'm only trying to be rigorous in my evaluation of the evidence, since I'm in no position to judge the actual strength of the diffuser. Yes, this is probably just academic, as I wouldn't trust a disk with suspected tampering. (Or if that was required, like storing VHDs on a hosted block device, I'd store a hash of the disk or executables.)

Anyways, my reasoning:

1. The diffuser didn't really help for serious threat scenarios, and hurt perf, so no one should be upset by its removal. This seems to be true.

2. But MS previously called the diffuser critical and has made no statements as to the security impact of the removal. (Indeed, there are easy attacks without the diffuser, but no known attacks with it.)

3. A well-known cryptographer (Bruce's actual cryptography credentials are undoubted, correct?) cites the removal as a reason to be suspicious.

If 1 is true, which I think it is, then 2 and 3 are at odds with how reality should be. No matter how confident I am in 1, points 2 and 3 require a shift in the probability of 1. Or, I am misunderstanding 2 and 3.

How else should I evaluate these things? Sorry for being dense or wasting your time.


Bruce Schneier has said other dubious things about crypto in the past; for instance, about not using elliptic curve crypto, and preferring instead conventional DH.

Again though: if the lack of a "diffuser" is a reason to be "suspicious" of Bitlocker, it should be possible to explain why that would be. I tried to address that concern head-on. It bugs me that we keep having to flee back to "but Schneier is concerned".


Especially egregious was the episode where he misunderstood the "xkcd password scheme" and lashed out against it in his blog, and then kept on defending his flawed opinion against all explanations.

That did a lot of damage to all attempts to teach password security to laymen.

OTOH he was one of the first "famous" security people to publicly recommend writing down passwords.

So all in all he is certainly a net win.


Cryptography Engineering is a good book (with some flaws).

Schneier is much less of a factor in real-world crypto than generalist developers think he is.

I feel bad blaming him for it; it's not his fault that people who don't do serious work in cryptography have made him a cryptographic folk hero. On the other hand: there are still people using Blowfish because his name is on it, so maybe I don't feel bad blaming him.


Oh, certainly (I was just talking about passwords)!

Cryptography Engineering is something I hold very dear and have lent out to colleagues. Very well written, so it's an enjoyable read. And a good length, not a thousand pages tome.

My main problem with Schneier at this point is that he pivoted (Ha! This is HN after all...) from cryptography and technical analyses to political commentary. And I haven't found him very convincing in that regard. Even annoying at times.


OK reading the rest of this subthread, I believe I understand it now. He's probably just misguided or simply incorrect. And I admit that most of my crypto knowledge comes from reading his and Ferguson's book, Practical Cryptography (and the 2nd edition, Cryptography Engineering - I'm not sure there is a better "popsci" crypto book.)

To make a simple comparison: if someone smarter than me says 2+2=5, my probability of 2+2=4 will go down from (1 - epsilon) to something a bit lower.


This is the worst kind of controversy. Schneier is not wrong: removing the diffuser did, technically, reduce the security of Bitlocker.

Unfortunately, it reduced the security of Bitlocker in a way that is only marginally relevant to Bitlocker's goals, and in a way that is very, very difficult to explain to people who don't routinely work with cryptography.

So it's hard to crisply refute Schneier on this point, even as we have to watch the alarming spectacle of him recommending a rando disk encryption program that offers Blowfish, CAST, and GOST encryption.
