Crypto Snake Oil
An anonymous reader writes "Luther Martin of Voltage Security has published an article about the perception of cryptography today with regards to quality and honesty in vendors. From the article: 'Products that implement cryptography are probably credence goods. It requires expensive and uncommon skills to verify that data is really being protected by the use of cryptography, and most people cannot easily distinguish between very weak and very strong cryptography. Even after you use cryptography, you are never quite sure that it is protecting you like it is supposed to do.'"
Snake oil is a traditional Chinese medicine used for joint pain. However, the most common usage of the words is as a derogatory term for medicines to imply that they are fake, fraudulent, and usually ineffective. The expression is also applied metaphorically to any product with exaggerated marketing but questionable or unverifiable quality.
'nuff said
I would say that there is an inverse relation (at least somewhat) between price of crypto software and real security.
:-)
The cheaper the software is, the greater the number of people who could have peer-reviewed it for correctness. The more open the software, likewise.
Really expensive software could only have been peer-reviewed by a small number of people, while free, open source software could have been reviewed by a huge number of people.
I recently was asked to recommend a way for my CEO and several other executives to secure their IMs. I recommended gaim + gaim-encryption because it was all open source and free, so if there were a flaw in the crypto implementation, it would likely have been discovered already.
I also made sure the CEO knew that he was using open source software, and I told him why. He was totally down with it.
A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
But even then there are vendors who claim to be using AES and end up introducing implementational flaws that are not obvious to the user. It's not just algorithms that need to be reviewed but complete implementations.
Nice read: http://www.schneier.com/crypto-gram-9902.html#sna
Of course it runs NetBSD. BTC: 1NT7QvbetmANwaMzhpVL6
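One way to see the point made above (that "we use AES" says nothing about whether the mode and IV handling are right) is a check a reviewer can run on a product's output without its source: correct modes with a fresh nonce never produce repeated ciphertext blocks, while ECB over structured data does. The following is an added example, not code from the thread or from any vendor; its block cipher is a constructed stand-in (a keyed SHA-256 truncation, not AES), since the detection only depends on the mode, not the cipher.

```python
import hashlib
from collections import Counter

BLOCK_SIZE = 16  # AES block size in bytes


def fake_block_cipher(key: bytes, block: bytes) -> bytes:
    """Stand-in block cipher constructed for this demo (NOT AES): a keyed,
    deterministic 16-byte -> 16-byte map. The check below does not depend
    on which cipher a product actually uses."""
    return hashlib.sha256(key + block).digest()[:BLOCK_SIZE]


def pad(data: bytes) -> bytes:
    """PKCS#7-style padding so the ECB input is a whole number of blocks."""
    n = BLOCK_SIZE - len(data) % BLOCK_SIZE
    return data + bytes([n]) * n


def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """ECB: each block encrypted independently, so equal plaintext blocks
    give equal ciphertext blocks (the classic implementation flaw)."""
    p = pad(plaintext)
    return b"".join(fake_block_cipher(key, p[i:i + BLOCK_SIZE])
                    for i in range(0, len(p), BLOCK_SIZE))


def ctr_encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """CTR: keystream = E(nonce || counter) XOR plaintext, so repeated
    plaintext blocks no longer produce repeated ciphertext blocks."""
    out = bytearray()
    for i in range(0, len(plaintext), BLOCK_SIZE):
        counter = (i // BLOCK_SIZE).to_bytes(8, "big")
        keystream = fake_block_cipher(key, nonce + counter)  # nonce is 8 bytes
        out += bytes(a ^ b for a, b in zip(plaintext[i:i + BLOCK_SIZE], keystream))
    return bytes(out)


def repeated_block_ratio(ciphertext: bytes, block_size: int = BLOCK_SIZE) -> float:
    """Fraction of ciphertext blocks that duplicate another block. A sound mode
    with a fresh IV/nonce yields ~0.0; ECB over repetitive data yields > 0."""
    blocks = [ciphertext[i:i + block_size] for i in range(0, len(ciphertext), block_size)]
    if not blocks:
        return 0.0
    duplicates = sum(count - 1 for count in Counter(blocks).values())
    return duplicates / len(blocks)


def looks_like_ecb(ciphertext: bytes) -> bool:
    """Red flag for a reviewer: any repeated block in output of a 'secure' product."""
    return repeated_block_ratio(ciphertext) > 0.0
```

Feed the product the same highly repetitive plaintext (e.g. 64 identical bytes) and run `looks_like_ecb` on what comes out; a positive result is not a proof of weakness in every case, but it is exactly the kind of flaw the comment above describes, visible without reading the vendor's code.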