Security through obscurity



  • After asking a vendor (who shall remain nameless) about details of
    their encryption scheme, this gem was offered (company and product
    names have been anonymized):



    Sorry but it's not Initech policy to inform any one [sic] of our encryption
    methods. If we did it wouldn't be a secure encryption method.



    All I can say is that I've been at Initech for several years and in all
    the time that we've been selling the Widget I haven't had a single
    customer saying they've cracked the encryption.



  • I think that they are using a customized ROT scheme, ROT-14, which no known code can hack.

    Either that or they are XORing with the company name.



    What sort of data are we talking about?
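    The two "schemes" joked about here (a fixed ROT-N shift, or XOR with the
    company name) make a useful illustration of why keeping the algorithm secret
    buys nothing: the whole secret is a 25-value key space in one case and a
    short key recoverable from a single known record in the other. The following
    is an added example, not code from the thread or from any vendor; the
    plaintext, the shift of 14 and the key word `Initech` (the thread's
    anonymized vendor name) are all constructed for the demonstration.

```python
# Added example (not from the thread): what a "secret" ROT-N or XOR-with-a-name
# scheme actually protects against. Kerckhoffs's principle says the algorithm
# is assumed known; only the key may be secret. Here the key space is tiny.

COMMON_WORDS = {"the", "and", "is", "of", "to", "a", "in", "it", "we", "our"}


def rot(text: str, n: int) -> str:
    """Shift letters by n positions (mod 26); non-letters pass through."""
    out = []
    for ch in text:
        if ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + n) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def english_score(text: str) -> int:
    """Crude plaintext detector: count common English words."""
    return sum(1 for w in text.lower().split() if w.strip(".,;:") in COMMON_WORDS)


def recover_rot(ciphertext: str) -> tuple[int, str]:
    """Enumerate all 25 non-trivial shifts and keep the most English-looking one.

    The "secret" of a custom ROT-14 is exhausted by 25 trial decryptions.
    """
    candidates = [(n, rot(ciphertext, -n)) for n in range(1, 26)]
    return max(candidates, key=lambda c: english_score(c[1]))


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR (the 'XOR with the company name' scheme)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_xor_key(ciphertext: bytes, known_plaintext: bytes, key_len: int) -> bytes:
    """With key_len bytes of known plaintext at offset 0, XOR is its own inverse:
    c XOR p = k. A fixed record header is enough known plaintext."""
    return bytes(c ^ p for c, p in zip(ciphertext[:key_len], known_plaintext[:key_len]))


def demo() -> dict:
    # Constructed sample data for the demonstration.
    plaintext = "the widget sends the customer record to our server"
    shift = 14  # the thread's hypothetical ROT-14
    rot_ct = rot(plaintext, shift)
    found_shift, found_pt = recover_rot(rot_ct)

    key = b"Initech"                       # anonymized vendor name, as a key
    record = b"CUSTOMER:0042;alice@example.invalid"
    xor_ct = xor_bytes(record, key)
    # Assumption: every record starts with the same header, so its first
    # len(key) bytes are known plaintext.
    found_key = recover_xor_key(xor_ct, b"CUSTOMER:", len(key))

    return {
        "rot_shift": found_shift,
        "rot_plaintext": found_pt,
        "xor_key": found_key,
        "xor_plaintext": xor_bytes(xor_ct, found_key),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

    The point for a defender is the key space, not the cleverness of the
    transform: an evaluator asks "how many keys are there, and what does one
    known record leak?" rather than "has a customer complained?".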



  • @bullestock said:

    ...

    All I can say is that I've been at Initech for several years and in all
    the time that we've been selling the Widget I haven't had a single
    customer saying they've cracked the encryption.

    If they think it is secure because their customers can't break it, they are
    in for a big surprise. Wait... why/how did anybody buy the "Widget" without
    finding out what algorithm it used?



    My guess is that the programmer thought he was "so smart" and could
    write an encryption scheme that was better than AES (or, if it was a
    hash, then SHA). Or maybe it is just [stupid] policy.



  • @bullestock said:


    All I can say is that I've been at Initech for several years and in all the time that we've been selling the Widget I haven't had a single customer saying they've cracked the encryption.

    why bother to do testing? the customers pay us to do our testing for us! i'm trying to move my (current) company away from this philosophy.



  • I once worked for a company that wouldn't tell you our encryption
    algorithm. However, this was because of US export regulations
    (these are no longer in effect).



    They would give the details to a customer who could comply with the
    regulations. However, customers who could comply with the
    regulations wouldn't care, because they were allowed to buy the version
    with standard algorithms that could not be exported.



    I never looked at the algorithm myself, but the guys who designed it
    knew something about encryption. It might have been flawed, but
    the flaws were not beginners' mistakes.



  • @bullestock said:

    After asking a vendor (who shall remain nameless) about details of
    their encryption scheme, this gem was offered (company and product
    names have been anonymized):



    Sorry but it's not Initech policy to inform any one [sic] of our encryption
    methods. If we did it wouldn't be a secure encryption method.



    All I can say is that I've been at Initech for several years and in all
    the time that we've been selling the Widget I haven't had a single
    customer saying they've cracked the encryption.




    That type of answer just begs for someone to post the encrypted
    string, along with the above response, and the name/address/contact
    info of the company in question, on an IRC channel...



        dZ.



  • @bullestock said:

    All I can say is that I've been at Initech for several years and in all
    the time that we've been selling the Widget I haven't had a single
    customer saying they've cracked the encryption.


    To me, this begs two questions.

    Do the customers have a reason to try cracking the encryption? I'd
    expect that if anyone has a motive, it won't be the people who paid for
    it.

    If someone cracked the encryption on your expensive widget, are you sure they'd tell you?



  • @slainangel said:

    @bullestock said:
    All I can say is that I've been at Initech for several years and in all
    the time that we've been selling the Widget I haven't had a single
    customer saying they've cracked the encryption.


    To me, this begs two questions.

    Do the customers have a reason to try cracking the encryption? I'd
    expect that if anyone has a motive, it won't be the people who paid for
    it.

    If someone cracked the encryption on your expensive widget, are you sure they'd tell you?


    And on a further note, would you trust someone who makes a living off a
    program and its encryption to just say "It's been cracked X times"?



  • I guess these guys have never heard of SoftICE or IDA...



  • @Ulvhamne said:


    And on a further note, would you trust someone who makes a living off a program and its encryption to just say "It's been cracked X times"?

    it's like in the first episode of futurama, when fry walks into the cryogenic freezing room, and it says "no power outages since 1998" with the '8' taped on there. [:D]



  • @emptyset said:

    @Ulvhamne said:


    And on a further note, would you trust someone who makes a living off a program and its encryption to just say "It's been cracked X times"?

    it's like in the first episode of futurama, when fry walks into the cryogenic freezing room, and it says "no power outages since 1998" with the '8' taped on there. [:D]

    Actually, the sign says "no power outages since 1997"



  • @Albatross said:

    Actually, the sign says "no power outages since 1997"

    i turned 93 and bought an 87 cadillac / taking my homies down to the dog track / when it's time, i reach for the dime bag / count them out, and bet on 'old rag-tag'

    lost our money and we roll down to 'raton / kickin' the buffets for the noodles and the wontons / stuffed, puffed, we head to nightly dominoes / we got rust on the rims and boston pops on the stereo

    the man keeps telling me i gots dementia / driving down the sidewalk - bitch, i'm gonna hit ya / i couldn't see a thing since 1989 / but it don't matter - you can't punk this ride

