From: "Perry E. Metzger" <pmetzger@lehman.com>
Date: Thu, 27 May 93 08:15:14 PDT
To: cypherpunks@toad.com
Subject: Re: VinCrypt
In-Reply-To: <9305270233.AA27245@triton.unm.edu>
Message-ID: <9305271514.AA26019@snark.shearson.com>
MIME-Version: 1.0
Content-Type: text/plain



> > In addition, merely having been a systems hacker hardly qualifies
> > one for writing complex crypto software.  Without any assurance as
> > to the authors' qualifications for writing a crypto package, or
> > their integrity.  Even if I could trust their integrity, I'm very
> > leery of black-box software.
> 
> You seem to know something about them that I do not.  Care to share your 
> knowledge?  Thanx in advance.

Oh, come on.

Every decent cryptoweenie knows that you don't trust black box
cryptography software. Most amateurs (and the average person writing
crypto code is NOT a professional cryptographer) have no idea of what
they are doing and produce crap. If you don't know how the program you
are buying works, odds are that its one of the majority of programs,
i.e. its crap.

Throughout the last two thousand years, fools, often individuals who
were otherwise rather intelligent, have repeatedly invented new
cryptosystems over and over again which were completely worthless.
Indeed, virtually everyone thinks that they know enough to build a new
cryptosystem -- and virtually no one has bothered to learn how real
cryptosystems are broken.

This even bites the best of us. Phil Zimmermann tells the story of how
he once invented a cryptosystem only to open up a college text on
cryptography and see that the problem of breaking his new cryptosystem
was so trivial that it was a homework exercise at the end of the first
chapter.

I, for one, will never use any crypto system for which the algorithm
hasn't been extensively published and scrutinized.

Perry