Even as a former 'hacker' myself, the second to last person I would trust not to install a backdoor (next to the NSA) is a hacker.
In addition, merely having been a systems hacker hardly qualifies one for writing complex crypto software. Without any assurance as to the authors' qualifications for writing a crypto package, or their integrity. Even if I could trust their integrity, I'm very leery of black-box software.
----
Robert W. Clark          Just Say No! to the
rclark@nyx.cs.du.edu     Big Brother Chip
Even as a former 'hacker' myself, the second to last person I would trust not to install a backdoor (next to the NSA) is a hacker.
Are you meaning to imply that there is a backdoor in this package? If so, how do you justify this claim?
In addition, merely having been a systems hacker hardly qualifies one for writing complex crypto software. Without any assurance as to the authors' qualifications for writing a crypto package, or their integrity. Even if I could trust their integrity, I'm very leery of black-box software.
You seem to know something about them that I do not. Care to share your knowledge? Thanx in advance.
+-----------------------+-----------------------------+---------+
| J. Michael Diehl ;-)  | I thought I was wrong once. | PGP KEY |
| mdiehl@triton.unm.edu | But, I was mistaken.        |available|
| mike.diehl@fido.org   |                             | Ask Me! |
| (505) 299-2282        +-----------------------------+---------+
|                                                               |
+------"I'm just looking for the opportunity to be -------------+
|            Politically Incorrect!" <Me>                       |
+-----If codes are outlawed, only criminals wil have codes.-----+
+----Is Big Brother in your phone?  If you don't know, ask me---+
In addition, merely having been a systems hacker hardly qualifies one for writing complex crypto software. Without any assurance as to the authors' qualifications for writing a crypto package, or their integrity. Even if I could trust their integrity, I'm very leery of black-box software.
You seem to know something about them that I do not. Care to share your knowledge? Thanx in advance.
Oh, come on. Every decent cryptoweenie knows that you don't trust black box cryptography software. Most amateurs (and the average person writing crypto code is NOT a professional cryptographer) have no idea of what they are doing and produce crap. If you don't know how the program you are buying works, odds are that it's one of the majority of programs, i.e. it's crap.
Throughout the last two thousand years, fools, often individuals who were otherwise rather intelligent, have repeatedly invented new cryptosystems over and over again which were completely worthless. Indeed, virtually everyone thinks that they know enough to build a new cryptosystem -- and virtually no one has bothered to learn how real cryptosystems are broken.
This even bites the best of us. Phil Zimmermann tells the story of how he once invented a cryptosystem only to open up a college text on cryptography and see that the problem of breaking his new cryptosystem was so trivial that it was a homework exercise at the end of the first chapter.
I, for one, will never use any crypto system for which the algorithm hasn't been extensively published and scrutinized.
Perry
This even bites the best of us. Phil Zimmermann [...]
PGP 1.0 had Phil's Bass-o-matic cipher, which he subsequently dropped. When I first saw that, I thought to myself, "snake oil," but not in those words. I'm glad that lesson got learned.
I, for one, will never use any crypto system for which the algorithm hasn't been extensively published and scrutinized.
I am in total agreement.
Eric
This raises a question... I don't think this has been addressed yet (I am a bit behind in my mail) and might be worthwhile putting in the FAQ...
If I just dreamed up a new gee whiz "new" cypher, should I post it to the list for comments, or is this frowned on? (As it happens, I happen to have what I **think** is a new approach to cyphering, and the answer to this question will determine whether anyone hears about it or not...)
Is there a comprehensive list of short "already been done" types of cyphers? (Whether failed or "still" successful.) A good book?
---
Nick MacDonald | NMD on IRC
i6t4@jupiter.sun.csd.unb.ca | PGP 2.1 Public key available via finger
On Fri, 28 May 1993, Eric Hughes wrote:
I, for one, will never use any crypto system for which the algorithm hasn't been extensively published and scrutinized.
I am in total agreement.
If I just dreamed up a new gee whiz "new" cypher, should I post it to the list for comments, or is this frowned on? (As it happens, I happen to have what I **think** is a new approach to cyphering, and the answer to this question will determine whether anyone hears about it or not...)
This list is, IMHO, for the discussion of privacy enforced by technology in the hands of the user. New approaches (like remailers or money algorithms) are within the domain of this group. New encryption algorithms are better discussed in the newsgroup sci.crypt.
I admit that I'm a bit skeptical. So far, every new encryption scheme someone has proposed here has either been trivially defeated, or done before. I'm tired of showing how most schemes are reducible to a one-time pad or codebook :-) In any case, I think there are more experienced cryptographers on sci.crypt than on this list, but I could be wrong.
Marc
Nickey MacDonald says:
This raises a question... I don't think this has been addressed yet (I am a bit behind in my mail) and might be worthwhile putting in the FAQ...
If I just dreamed up a new gee whiz "new" cypher, should I post it to the list for comments, or is this frowned on? (As it happens, I happen to have what I **think** is a new approach to cyphering, and the answer to this question will determine whether anyone hears about it or not...)
My suggestion is this. It's perfectly appropriate to post the cypher to the list PROVIDED you take the right attitude, which is to say something like:
"The following is something I just thought up. I'm not a pro, and I worry that this thing has holes. Anyone care to give me hints on what they might be?"
My objection has never been to people developing new cypher systems. It's always been to people claiming, in the absence of very strong attempts to break their system, that their system is secure. Provided you aren't trying to encourage people to use a new system you are developing, what harm can discussing it possibly do? On the other hand, great harm can be caused by fools pushing systems they have designed in the absence of expertise -- that was specifically the sort of objection I had to the whole "Dolphin Encrypt" thing.
Sci.crypt is likely a better place to post a query about a new cypher, of course.
Is there a comprehensive list of short "already been done" types of cyphers? (Whether failed or "still" successful.) A good book?
I would suggest looking in the sci.crypt FAQ -- it's got lots of good intro material and reading lists.
Perry
Perry Metzger writes on the matter of posting newly-invented ciphers to the Cypherpunks list:
My suggestion is this.
It's perfectly appropriate to post the cypher to the list PROVIDED you take the right attitude, which is to say something like:
"The following is something I just thought up. I'm not a pro, and I worry that this thing has holes. Anyone care to give me hints on what they might be?"
Good advice! Some hubris might pique the interest of readers.
Sci.crypt is likely a better place to post a query about a new cypher, of course.
Yes, except that they for the most part hate it when folks post "I dare you to break my new cipher" messages. Understandably so, for the reasons Perry gave (smugness, etc.) and also because:
a. usually not enough ciphertext can be posted to allow a reasonable cryptanalysis
b. the odds of a newbie inventing something really new are slim (yes, it _may_ happen, but it's not likely)
c. people have better things to do than spend hours or days trying to break a system which has these problems (and may just be deliberate garbage).
(Cryptanalysis is economics, as some folks like to say. If a message is important, or a particular cryptosystem has passed some initial tests--such as the algorithm being published, the basic mathematics presented as plausible, etc.--then more effort can be justified. But not on Joe Cipher's latest effort.)
(this quote is from Nicky M.)
Is there a comprehensive list of short "already been done" types of cyphers? (Whether failed or "still" successful.) A good book?
Kahn's "The Codebreakers" for a historical perspective, the various crypto books referred to here for mathematical background (Denning, Brassard, Salomaa, Simmons, Patterson, etc.), and "Cryptologia" for insights into amateur cryptanalysis and cipher-building.
Be aware that most amateurs--and I hardly speak from experience, just reading of the literature--end up reinventing the old _types_ of ciphers....the new ones, with s-boxes, or based on hard math problems (like RSA), typically require a lot of background in math.
Hope this helps, and hope this eases any hard feelings folks may have when their Super Duper Encrypter is not analyzed by a dozen Cypherpunks. Or even one.
-Tim May
--
..........................................................................
Timothy C. May         | Crypto Anarchy: encryption, digital money,
tcmay@netcom.com       | anonymous networks, digital pseudonyms, zero
408-688-5409           | knowledge, reputations, information markets,
W.A.S.T.E.: Aptos, CA  | black markets, collapse of governments.
Higher Power: 2^756839 | Public Key: PGP and MailSafe available.
Note: I put time and money into writing this posting. I hope you enjoy it.
(As it happens, I happen to have what I **think** is a new approach to cyphering,
Post away. If you upload a copy of the source to the directory pub/cypherpunks/incoming on the ftp site, I'll make it available to everyone.
I would like to see this regardless of whether it actually is secure. It is a well-founded maxim that no one should design a cipher without having broken a few first. There is a need, apropos of training the designers, for insecure ciphers, not so they can be deployed, but so that other insecure ciphers will not be.
Eric
Even as a former 'hacker' myself, the second to last person I would trust not to install a backdoor (next to the NSA) is a hacker.
In addition, merely having been a systems hacker hardly qualifies one for writing complex crypto software. Without any assurance as to the authors' qualifications for writing a crypto package, or their integrity. Even if I could trust their integrity, I'm very leery of black-box software.
I think the line about "not trusting DES or RSA because those algorithms have been given to the NSA" about says it all.
--
Ian S. Nelson I speak for only myself.
Finger for my PGP key.
If you are a beautiful woman, it is mandatory that you reply to this message.
participants (8)
- Clark Reynard
- Eric Hughes
- Ian S. Nelson
- J. Michael Diehl
- Marc Horowitz
- Nickey MacDonald
- Perry E. Metzger
- tcmay@netcom.com