[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Let the Snake Oil Flow



[email protected] (Timothy C. May) writes:

 > Predictably, others are asking/expecting "the Cypherpunks"
 > to break their systems. Just as predictably, many of us are
 > patiently (and impatiently) explaining that breakages cost
 > money and resources. And so the "developers" gleefully
 > respond that this proves the "Cyperpunks" [sic] are helpless
 > before their software.

Which is patently silly, of course.  Unless some TLA writes me an
obscenely large check, I am unlikely to try and break anything
that hasn't achieved significant market penetration and
widespread use, whether it is an operating system, or an
application which utilizes encryption.

I'm not even interested in breaking the individual building
blocks of such things, such as block ciphers and RNGs, outside of
the context of their use in a specific application.  Unless
something is obviously braindead on delivery, it makes little
sense to attack it in the abstract, and the nicest weaknesses in
systems often depend upon the little details, as the Netscape and
Kerberos folk have discovered.

All of this means that challenges by the snake oil peddlers, and
even well-advertised public floggings of new ciphers, like RC5,
really don't do much to discover design flaws or weaknesses. It's
like the ten people who post "I have invented an unbreakable
cipher" to sci.crypt each week, and when no one cares, proudly
declare victory and go home.

 > A few highly publicized failures could be educational, and
 > ultimately help to strengthen the Net. You don't get better
 > bridges without some highly-visible bridge collapses. Raises
 > consumer awareness of what good design really is.

Yes - one neat hack against Netscape or Microsoft is worth an
infinite number of dull papers in "Cryptologia" as far as public
relations are concerned.

 > Personally, I'm much more worried about the
 > behind-the-scenes goings on with key escrow, the pressures
 > being applied to Netscape, Lotus, Microsoft, TIS, etc., than
 > I am in Yet Another Clueless Crypto Product (tm).

Let a thousand Clueless Crypto Products bloom today. :)

--
     Mike Duvos         $    PGP 2.6 Public Key available     $
     [email protected]     $    via Finger.                      $