(now i realize i likely misread, strange-read/reply-functioned your post, not quite or completely grokking the distinction between crypt.crypto and implementation, separation or distancing of these though still the relation to nature itself as example appears retained, as if providing proof-of-concept and demonstration models for how to go about it, watching various creatures, ecosystems, crystals, particle dynamics)

John Young <jya@pipeline.com> wrote:
The earliest and most enduring form of infosec -- crypt-crypto -- is non-EM, non-language, non-homo-erectus. Current versions contain vestigials of those primitives in what is disingenuously termed implementation. And it is in implementation where most comsec failures occur and where most successes succeed. Code is closer to whistling in the dark, baying at the moon, offering newborns to hungry wolves.
Implementation is 99.99+% of infosec-comsec, perhaps 100%. Code hardly scratches the surface and might be constructively seen as a ruse, a stratagem, concocted and promoted to delude.
Delusion is the prime purpose of implementation. Code inebriation creates phantasms of security by ignoring signs of predators aprowl where coders live, work, sleep, chat OTR and post.
David Kahn, among others, amply describes the range of implementation, its short-term successes and long-term delusions. Nothing finer in Carolina than belief in an invulnerable cryptosystem. Less noticed is the effectiveness of promulgating an invulnerable comsec or cryptosystem to encourage widespread use. As seen today, not only in the fantastic rise of the comsec industry but also in the frantic efforts to keep the ball rolling to counter Snowden's disclosures of delusion.