[cryptography] Non-governmental exploitation of crypto flaws?

John Young jya at pipeline.com
Mon Nov 28 03:45:17 PST 2011


From list cryptography:

At 05:00 PM 11/28/2011 +1300, Peter Gutmann wrote:
>Steven Bellovin <smb at cs.columbia.edu> writes:
>
>>Does anyone know of any (verifiable) examples of non-government enemies
>>exploiting flaws in cryptography?
>
>Could you be a bit more precise about what "flaws in cryptography" covers?  If
>you mean exploiting bad or incorrect implementations of crypto then there's so
>much that I barely know where to start, if it's actual cryptanalytic attacks
>on anything other than toy crypto (homebrew ciphers, known-weak keys, etc)
>then there's very little around.  If it's something else, you'd have to let us
>know where the borders lie.

A fundamental characteristic of non-toy (especially unbreakable!)
encryption is that any failure is due to implementation or some
other fault beyond the cipher.

This indefensible circularity is audacious but necessary for
the illusory claims for a strong cipher.

In more recent times, another necessary illusion is that 
if a cipher has been broken it will be publicly revealed.
Despite the ancient concealment of vulnerabilities of
ciphersystems in order to exploit trust in them.

Then there is the argument that different standards of
cipher protection must be declared in order to determine
whether a cipher meets a standard. And this leads to
an ever receding standard for the best and a pile-up of
lesser promises unmet.

And there is a presumption that the best encryption will be 
expropriated by national governments and their selected
agents and must be kept out of the hands of the governed.
Hence, best ciphersystems are never revealed or disappear
from public view via official secrecy classification or NDA.

These evasions are used by cipher (and security)
snake oil peddlers to maximum advantage such that it is 
probably wise to consider all cipher (security) systems 
snake oil, or more precisely, toys requiring sophisticated 
marketing and exculpations of failure -- at which crypto
and official security wizards may be expected to excel.





More information about the cypherpunks-legacy mailing list