1993-10-11 - Re: Security through obscurity

Header Data

From: an38793@anon.penet.fi
To: cypherpunks@toad.com
Message Hash: 94c955b808d8e02a00cfec184bf74769399a8f96d3e11c547a6e58d44de5600d
Message ID: <9310112341.AA18180@anon.penet.fi>
Reply To: N/A
UTC Datetime: 1993-10-11 23:41:41 UTC
Raw Date: Mon, 11 Oct 93 16:41:41 PDT

Raw message

From: an38793@anon.penet.fi
Date: Mon, 11 Oct 93 16:41:41 PDT
To: cypherpunks@toad.com
Subject: Re: Security through obscurity
Message-ID: <9310112341.AA18180@anon.penet.fi>
MIME-Version: 1.0
Content-Type: text/plain


> You are not going to be able to keep your algorithm secret, period.
> Those who are determined enough will be able to dig it out of any
> programs or chips you use to implement your algorithm.  Security through
> obscurity is stupid because no matter how smart you may think you are
> in hiding your method, there is always someone smarter who will dig it
> out, and changing technology constantly lowers the barrier of how smart
> people need to be to dig information out of old locks using new tools.

I agree with this 100%.

The interesting fact is, a lot of commercial programs rely on security
through obscurity. Often, anyone who takes the time to disassemble
the interesting routines can crack the encryption.

Yes, it is stupid. But a lot of people and companies rely on
"security through obscurity" to protect their applications/data.

Part of this is due to export restrictions, but a large part is just
due to lack of awareness.

One of my favorite applications has embedded in its license
agreement:

"...nor shall the Licensee attempt to decrypt
any Passwords that may enable the Software's functionality..."

This is not a substitute for real security.
-------------------------------------------------------------------------
To find out more about the anon service, send mail to help@anon.penet.fi.
Due to the double-blind, any mail replies to this message will be anonymized,
and an anonymous id will be allocated automatically. You have been warned.
Please report any problems, inappropriate use etc. to admin@anon.penet.fi.




