I'm not sure exactly what you're talking about. When the initial constants for Dual_EC_DRBG were generated, the NSA had the opportunity to generate them in such a way that they would be able to predict all future outputs after observing just a few bytes of output. I don't see how this (1) doesn't qualify as a potential back door and (2) means that the NSA 'could not' insert a back door. The back door here is the knowledge of the 'secret key' that they could know (by virtue of the constant generation). Of course, it's just an alleged back door here; we don't know the truth.
By the way, the 'less-than-technically-competent journalist' here is Matthew Green, a cryptographer. So I think he's plenty technically-competent. Also, they're called elliptic curves, not 'elliptical' curves.
He wrote this in 1999; ECC was at the time sort of a novelty, it's headline being "a way to do cryptography with smaller key sizes", as if ECC was mostly a way to fit crypto into smaller memory software.
Schneier and Ferguson wrote _Practical Cryptography_ in 2003. It has virtually no mention whatsoever of ECC cryptography, despite ECC's already significantly increased importance by then.
In 2013, I think it's fair to say that the balance of expert opinion on ECC vs. RSA is sharply against Schneier's take on ECC. RSA is on the way out, and ECC is what's going to replace it. Equally significantly, crypto constructions that use signing and key agreement but not public-key encryption/decryption operations are modern designs; designs where a long-lived RSA key is used to wrap and unwrap secrets are dated. ECC is useful for the modern constructions and less so for the dated ones.
I don't think Schneier's writing has tracked these shifts well. I think his books are very light on, for instance, forward secrecy or deterministic signing. His research results never focused on public key encryption and never touched ECC (it's worth noting that much of his best known research was also done with John Kelsey, who is at NIST --- coincidentally, one of Schneier's best-known designs, with Kelsey, was the Yarrow CSPRNG).
Also: Schneier has a close working relationship with Niels Ferguson, who was one of the researchers that spotted the weirdness in Dual_EC. So it's possible that Schneier's concerns over the "constants" in ECC all stem from that. (It's hard to say; he could also be referring to the random seed in the P-224 and P-256 curves).
I don't think readers have any particular reason to believe that Bruce Schneier is an authority on ECC.
Cryptography is not one topic. It's actually a little silly to suggest anyone like Schneier could be authoritative on all crypto concepts. Look at the research output of famous cryptographic researchers (Schneier has some research, but is not really a top-tier researcher) --- it tends to specialize!
You're missing context because it was deleted by the comment's author. It was claimed that Linus Torvalds was "the authority" and that articles were written by non-technical reporters. Schneier is clearly not a non-technical reporter.
No claim was made by anyone that Schneier was the one-and-only security god either. Some people worship the ground person P walks on, but it's still just ground. Celebrity doesnt make 2+2 = 5, only for very large values of 2. I do think there is a common antipattern of wanting to rely upon one technology or one authority as a "security oracle," but this goes against holistic, defense-in-depth.
The other points are fine, just non-apropos.
But since you went there: Does the less elucidatbility (yep that's not a word, but a self-referencing pun) of ECC for the average joe programmer like myself make it any more secure than picking longer RSA keys? ECC seems so much easier to screw up in subtle ways that only leet mathematicians can grasp. Also, the change seems like change for churn's sake to sell more consulting. I used to work with big 4 folks, and there's always a joke a about the latest fad that needs selling, so I'm biased against popular, unjustified change.
(1) The reality is you probably don't understand all the implications of the RSA problem as well as you think you do either.
(2) "You" are just as likely to screw up RSA; the point is, "you" shouldn't be implementing cryptography directly at all, but rather using a well-vetted library. Both RSA and ECC have many viable free options for that.
(3) The reason RSA is going away and ECC is replacing it is that RSA is that RSA at acceptable levels of performance is getting too weak, and RSA at acceptable levels of security is too slow for mass deployment.
(4) It's hard to take "churn" seriously when change happens once over the course of 15 years.
(5) There is no cabal of consultants who get rich selling cryptosystem designs; for instance, for the most part, browser cryptography, email cryptography, and web site cryptography aren't implemented by consultants at all. (If you're wondering: we're not that kind of consultancy.)
Interestingly, Schneier sounds more reasonable in 1999 than now (with relation to ECC; don't hate me). That essay was pretty good: elliptic curves were relatively new on the block (but really, not even 10 years newer than RSA), and not particularly well-studied in the cryptographic setting (mathematicians were more interested in other elliptic curves, e.g., Fermat's Last Theorem).
It's been almost 15 years since then. No new classes of weak curves were discovered since then (the last one was anomalous curves, around 1998), nor advances towards a general notion of smoothness in the general setting §, despite intense study. It seems unlikely that Solinas would have been able to, in 1999, slip a weak curve past everyone for so long, given the attention the problem has gotten in the last decade. All in all, I think Schneier may be doing more harm than good with those recent ECC comments.
§ Summation polynomial-based approaches are the exception, but they are not general. They only work over extension fields, including binary fields, and are mostly impractical attacks.
