[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Snake-Oil FAQ

At 1:41 AM 9/23/96, steven ryan wrote:
>At 05:27 AM 9/22/96 -0700, you wrote:
>>My view is that people interested in buying and using crypto are either
>>bright enough to learn, or are not. A "Snake Oil FAQ" is largely
>>unnecessary, for either category. For the first, because they're bright.
>>For the second, because they're not.
>My view is that there is a large third group of people who are bright
>enough to learn, but don't have the time or inclination to read books or do
>extensive research on the subject. There are a lot of people using PGP for
>the wrong reason, not because they read the books or did the research. Nor
>do they even understand how it works as opposed to how it is used. They are
>using it because they cruised the net and read good things about it or
>heard it was cool.

Well, there are a bunch of books out on PGP, which they can read. And there
are already some good FAQs out on the basics of cryptography--surely
concise enough and yet detailed enough to warn folks away from some
basically flawed programs.

But just how far can one go? Some people just won't be taught, despite the
several very-accessible books on PGP and crypto. So?

And I don't really think there's a problem. Just how many of these "Snake
Oil" crypto programs are people really _buying_? And does it matter if they
buy a reasonably-competent program (*) like "DiskLock" instead of using
3DES or one of the good disk encryption programs?

(* By "reasonably competent" I mean not "snake oil," and roughly able to do
the job for which it was intended. Many people just want casual-grade
crypto, to stop casual attempts to look at what they've written. We may
disagree with them, but, hey, it's their choice. I maintain that these
people are unlikely to read something called "The Snake Oil FAQ.")

To coin a phrase, you can lead a person to strong crypto, but you can't
make him drink.

>A Snake Oil Faq could help prevent these people from choosing  wrong
>products. It would also be very helpful to have all the arguments in one
>place in one concise faq. Before I joined this list and read Applied

At some point this become YACB (Yet Another Crypto Book). If you and others
want to donate time to help educate the (small, I think) class of users who
won't read the PGP books, or the PGP articles in the magazines, and yet who
you think are smart enough...blah blah...well, go ahead and write such a

(BTW, Schneier has a book out on "Security for the Macintosh," a kind of
watered-down intro to crypto and security....he makes the points a "Snake
Oil FAQ" might make...again, I think this is an overcrowded market.)

>Cryptography I was in a discussion in a previous job about securing one of
>our products. The programmer wanted to protect the key with a convoluted
>series of transpositions. I knew it was dumb but couldn't successfully
>argue the point why. A faq would have been helpful.

Wouldn't arguments out of the standard textbooks have been just as
effective, and perhaps even more "credentialled" than words from a FAQ? I
hope you are not expecting that a FAQ would have the precise magic words
dealing with your programmer friend's situation? At best, it would contain
seom reworded arguments out of the well-known textbooks.

I just don't see the point.

But if it keeps folks busy, and happy, I guess it's harmless. (:-})

--Tim May

We got computers, we're tapping phone lines, I know that that ain't allowed.
Timothy C. May              | Crypto Anarchy: encryption, digital money,
[email protected]  408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA  | knowledge, reputations, information markets,
Higher Power: 2^1,257,787-1 | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."