1997-12-17 - Re: Comparing PGP to Symantec’s Secret Stuff

Header Data

From: Vin McLellan <vin@shore.net>
To: Adam Shostack <adam@homeport.org>
Message Hash: 7ee68f2b38239b7f50398a105b181c16b9bb0c7db5a2329a4ae20015f4f8ac93
Message ID: <v03007802b0bcaf4660a9@[198.115.179.81]>
Reply To: <v03007800b0bc0c9a7689@[198.115.179.81]>
UTC Datetime: 1997-12-17 05:42:37 UTC
Raw Date: Wed, 17 Dec 1997 13:42:37 +0800

Raw message

From: Vin McLellan <vin@shore.net>
Date: Wed, 17 Dec 1997 13:42:37 +0800
To: Adam Shostack <adam@homeport.org>
Subject: Re: Comparing PGP to Symantec's Secret Stuff
In-Reply-To: <v03007800b0bc0c9a7689@[198.115.179.81]>
Message-ID: <v03007802b0bcaf4660a9@[198.115.179.81]>
MIME-Version: 1.0
Content-Type: text/plain



	Adam Shostack <adam@homeport.org> wrote:

>	Having worked for those multinationals and defense
>contractors, I've seen them buy new products with serious weaknesses
>in key generation, with year 2000 problems, with stream ciphers used
>to protect stored data--keyed the same way each time.  I've seen them
>use code that sent cleartext where it should have been encrypting on
>the wire.
>
>	I could retire a rich man if I never wanted to come back to
>the US.
>
>	Do due dilligence yourself.  Read the snake oil faq.  Insist
>on speaking to someone at the vendor with two brain cells to rub
>together.  If they claim Acme bought it so you should, too, insist on
>speaking to the security folks at Acme who did the eval.  Its your
>money.  Its their security product.  Feel free to evaluate it right.
>If the vendor won't cooperate, go elsewhere.

	Now how could anyone disagree with that;-)

	The problem is: how does someone like my online correspondent from
Jakarta, a self-described innocent in cryptography, deal with his need to
purchase a commercial crypto product now.  I was suggesting helpful
guidelines for a guy with a decision to make, not an optimal solution for a
crypto-savvy buyer in a consumers' paradise.

	If he can get the odds in his favor as far as the basic security of
the products he is choosing among, what he (most managers) will look for is
ease of use, even transparency.

	Come the Revolution, we'll make them all show their stuff, publish
the source code, and dance in the streets.

	Then, of course, we'll have to force other guys to study it and
report to us.

	Once we develop some system of retribution for those who review in
ignorance or exhibit bias, I'm certain we'll have the problem licked.... ;-)

>	The product I'm building uses 'brand name' cryptography--
>libraries and tools from well known sources.  It takes a bit of speed
>away (I'd have prefered to use X9.17 over SSL for our bits on the
>wire, but I couldn't find a peer reviewed X9.17 library out there.)


>Vin McLellan wrote:
>
>|    The lack of published source code is an issue, but if you see such a
>| product being purchased by multinationals or US defense contractors you
>| can be certain the implementation -- which is the real arena of
>| vulnerability, once the algorithm is chosen -- has been carefully studied
>| by informed cryptographers. (For non-American product, look for similar
>| purchases by government-connected agencies in the vendor's nation.)
>
>
>
>--
>"It is seldom that liberty of any kind is lost all at once."
>					               -Hume


      Vin McLellan + The Privacy Guild + <vin@shore.net>
  53 Nichols St., Chelsea, MA 02150 USA <617> 884-5548
                                  -- <@><@> --







Thread