tcmay@got.net (Timothy C. May) writes:
Predictably, others are asking/expecting "the Cypherpunks" to break their systems. Just as predictably, many of us are patiently (and impatiently) explaining that breakages cost money and resources. And so the "developers" gleefully respond that this proves the "Cyperpunks" [sic] are helpless before their software.
Which is patently silly, of course. Unless some TLA writes me an obscenely large check, I am unlikely to try and break anything that hasn't achieved significant market penetration and widespread use, whether it is an operating system, or an application which utilizes encryption. I'm not even interested in breaking the individual building blocks of such things, such as block ciphers and RNGs, outside of the context of their use in a specific application. Unless something is obviously braindead on delivery, it makes little sense to attack it in the abstract, and the nicest weaknesses in systems often depend upon the little details, as the Netscape and Kerberos folk have discovered. All of this means that challenges by the snake oil peddlers, and even well-advertised public floggings of new ciphers, like RC5, really don't do much to discover design flaws or weaknesses. It's like the ten people who post "I have invented an unbreakable cipher" to sci.crypt each week, and when no one cares, proudly declare victory and go home.
A few highly publicized failures could be educational, and ultimately help to strengthen the Net. You don't get better bridges without some highly-visible bridge collapses. Raises consumer awareness of what good design really is.
Yes - one neat hack against Netscape or Microsoft is worth an infinite number of dull papers in "Cryptologia" as far as public relations are concerned.
Personally, I'm much more worried about the behind-the-scenes goings on with key escrow, the pressures being applied to Netscape, Lotus, Microsoft, TIS, etc., than I am in Yet Another Clueless Crypto Product (tm).
Let a thousand Clueless Crypto Products bloom today. :) -- Mike Duvos $ PGP 2.6 Public Key available $ mpd@netcom.com $ via Finger. $