Re: Snake-Oil FAQ

At 1:41 AM 9/23/96, steven ryan wrote:
> At 05:27 AM 9/22/96 -0700, you wrote:
>> My view is that people interested in buying and using crypto are either bright enough to learn, or are not. A "Snake Oil FAQ" is largely unnecessary, for either category. For the first, because they're bright. For the second, because they're not.
>
> My view is that there is a large third group of people who are bright enough to learn, but don't have the time or inclination to read books or do extensive research on the subject. There are a lot of people using PGP for the wrong reason, not because they read the books or did the research. Nor do they even understand how it works as opposed to how it is used. They are using it because they cruised the net and read good things about it or heard it was cool.

Well, there are a bunch of books out on PGP, which they can read. And there are already some good FAQs out on the basics of cryptography--surely concise enough and yet detailed enough to warn folks away from some basically flawed programs.

But just how far can one go? Some people just won't be taught, despite the several very-accessible books on PGP and crypto. So?

And I don't really think there's a problem. Just how many of these "Snake Oil" crypto programs are people really _buying_? And does it matter if they buy a reasonably-competent program (*) like "DiskLock" instead of using 3DES or one of the good disk encryption programs?

(* By "reasonably competent" I mean not "snake oil," and roughly able to do the job for which it was intended. Many people just want casual-grade crypto, to stop casual attempts to look at what they've written. We may disagree with them, but, hey, it's their choice. I maintain that these people are unlikely to read something called "The Snake Oil FAQ.")

To coin a phrase, you can lead a person to strong crypto, but you can't make him drink.

> A Snake Oil Faq could help prevent these people from choosing wrong products. It would also be very helpful to have all the arguments in one place in one concise faq. Before I joined this list and read Applied

At some point this becomes YACB (Yet Another Crypto Book). If you and others want to donate time to help educate the (small, I think) class of users who won't read the PGP books, or the PGP articles in the magazines, and yet who you think are smart enough...blah blah...well, go ahead and write such a thing.

(BTW, Schneier has a book out on "Security for the Macintosh," a kind of watered-down intro to crypto and security....he makes the points a "Snake Oil FAQ" might make...again, I think this is an overcrowded market.)

> Cryptography I was in a discussion in a previous job about securing one of our products. The programmer wanted to protect the key with a convoluted series of transpositions. I knew it was dumb but couldn't successfully argue the point why. A faq would have been helpful.

Wouldn't arguments out of the standard textbooks have been just as effective, and perhaps even more "credentialled" than words from a FAQ?

I hope you are not expecting that a FAQ would have the precise magic words dealing with your programmer friend's situation? At best, it would contain some reworded arguments out of the well-known textbooks.

I just don't see the point. But if it keeps folks busy, and happy, I guess it's harmless.

(:-})

--Tim May

We got computers, we're tapping phone lines, I know that that ain't allowed.
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May              | Crypto Anarchy: encryption, digital money,
tcmay@got.net  408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA  | knowledge, reputations, information markets,
Higher Power: 2^1,257,787-1 | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."