BEWARE of SnakeOil (tm)

[Michael Motyka]

Jean-Francois Avon wrote:
> 
> SNAKEOIL ALERT:
> Cc: Cypherpunks at toad.com
> 
> - beware of any product that has not been *extensively* peer-reviewed, with *all* the
> source code made public.  Security breaches are *very* easy to overlook and no software
> should *ever* be used unless it was peer-reviewed.
> 
I'm a bit surprised that I don't see quite as much concern expressed
about hardware. If security is the goal isn't HW part of the chain?
Yeah, yeah, I know, there was a blip a while ago about Intel chips, 
Microsoft kernels and keyboard snooping but it had a depressingly short
half-life. Seems to me it would be pretty easy to create rfi on a chip
and get products through FCC approval with NSA blessing. Hell, you could
probably put a good amount of FLASH on a chip and give the OS a nice
safe place to store snooped stuff. The security gaps that could be
created in an operating system are as numerous as scoundrels in
Parliament.

> They try pursue anybody who violates ITAR in a public way.  If I were to walk with a
> PGP diskette across the border outside Cana-USA, I would be liable under ITAR even if I
> never wrote a line of software in my life.
> 
Literally true but we all know the analogy of borders and speedbumps...

> All the govts have vested interest in disseminating pseudo-strong cryptography.  This
> statement is not paranoia, it is recent and regularly recurring history.
> 
Doesn't this seem to point to the need for products with a CP seal of
approval? HW/SW/Tools?

Mike

I think that in the secure communications world I would rather be a wolf
amongst sheep in wolfskins than a wolf in sheep's clothing. It would
reduce the chances of my hide being nailed to the barn door. What I'm
trying to say in a less than literate way is that the issue will only be
closed when there are $99 consumer products that implement secure
systems.