1998-01-28 - RE: FW: Symantec Norton, Your Eyes Only.

Header Data

From: Pearson Shane <Shane.Pearson@tafensw.edu.au>
To: “‘David Honig’” <whgiii@invweb.net>
Message Hash: 637f09393651e04b65e01b22a2de90128ddd7234274635d4ae65cde2c9e65bdd
Message ID: <01ISWZV6P6C200AYSF@hmgwy1.isd.tafensw.edu.au>
Reply To: N/A
UTC Datetime: 1998-01-28 05:12:10 UTC
Raw Date: Wed, 28 Jan 1998 13:12:10 +0800

Raw message

From: Pearson Shane <Shane.Pearson@tafensw.edu.au>
Date: Wed, 28 Jan 1998 13:12:10 +0800
To: "'David Honig'" <whgiii@invweb.net>
Subject: RE: FW: Symantec Norton, Your Eyes Only.
Message-ID: <01ISWZV6P6C200AYSF@hmgwy1.isd.tafensw.edu.au>
MIME-Version: 1.0
Content-Type: text/plain



Hi guys,

If I could get access to the source,
understand all of it fully, and understand
how it will act under Win95 with whatever
compiler they used, I could probably write
my own.

So I guess it comes down to trust.

Thanks for the replies.

Bye for now.

> -----Original Message-----
> From:	David Honig [SMTP:honig@otc.net]
> Sent:	Saturday, January 24, 1998 5:08 AM
> To:	Pearson Shane; 'William H. Geiger III'
> Cc:	'cypherpunks@toad.com'
> Subject:	RE: FW: Symantec Norton, Your Eyes Only.
> 
> At 03:46 PM 1/23/98 +1100, Pearson Shane wrote:
> >Hi William,
> >
> >Many thanks for the reply.
> >
> >I was hoping it was ok having Blowfish,
> >but I guess it could be their own
> >"efficient" version.
> >
> >Bye for now.
> >
> 
> WHGIII gave you the most conservative answer.  That is, in cryptology, the
> correct answer.
> 
> A more detailed analysis would say:
> 
> * the Blowfish algorithm is considered strong for various reasons
> 
> * IFF the Norton program were written correctly
> (not just the algorithm implementation, but key hiding,
> worrying about getting swapped onto disk by the OS, etc.)
> then it would be a useful tool for security.
> 
> * Without examining the source, any assumption of security
> from using the tool relies *absolutely* on your trust of the
> implementor.
> 
> (In a Turing award paper, Ritchie described how you
> implicitly must trust your compiler-writers too.. the 
> compiler could have clandestine functions like inserting
> extra code when it recognizes patterns)
> 
> So you see how WHGIII was correct, although for practical
> purposes (depending on the value of your data and the 
> attackers you anticipate, plus the security of the rest of your
> system (only as strong as the weakest link)) you may find this tool
> acceptable in the non-exportable version.  Keylength-limited versions are
> worthless from a security viewpoint.
> 
> But on this mailing list, you won't find the yes/no answer
> you probably want.  Which is probably correct behavior for this list.
> 
> Cheers,
> 
> 
> ------------------------------------------------------------
>       David Honig                   Orbit Technology
>      honig@otc.net                  Intaanetto Jigyoubu
> 
> "The tragedy of Galois is that he could have contributed so much
> more to mathematics if he'd only spent more time on his marksmanship."