Re: the wisdom of crypto "challenges" (was Re: $100,000 reward)

New Message Reply About this list Date view Thread view Subject view Author view

C Matthew Curtin (cmcurtin@interhack.net)
Mon, 22 Jun 1998 20:56:08 -0400


>>>>> "mab" == Matt Blaze <mab@research.att.com> writes:

mab> Why waste should we
mab> waste our time on, and give undeserved credibility to, crackpot
mab> challenges when there's so much interesting work to do right now?

You raise many good points. But I would like very much to play the
Devil's Advocate, if I may. I'm not entirely convinced that ignoring
the crackpots is always the best way to deal with them.

Cryptology, the science, is fascinating. I doubt anyone on this list
would disagree. But, what makes our science important is its
application. Comparatively speaking, the world has very few
cryptographers, despite the widespread appeal and value of
cryptographic applications.

This suggests that the importance of our work is largely going to be
up to the market of cryptographic products and services. Herein lies
our problem. In addition to furthering our science, and developing
worthy tools, we have another important job: educating nonscientists.

The crackpot challenges have already gotten attention. And not only
in the obscure corners of the net; I even read of Meganet's silly
contest in Dr. Dobb's Journal a few months back. Dr. Dobb's should
know better.

It's sad, really, that someone would attempt to take advantage of the
ignorance of their potential customers in order to make a sale, but
it's clear that there are quite a few people out there attempting to
do precisely that.

What makes it worse is that there are many companies out there who
don't want to deal with such "hard" problems as "what crypto to use".
So they rely on their "business partners", consultants, oftentimes the
folks who put up their Novell Netware or NT server. Joe Consultant
out there working for a system integrator from 8-5 doesn't pay any
attention to what goes on in the refereed journals; in many cases, the
stuff is just over his head.

We can even write not-really-technical documents like the Snake Oil
FAQ, which gets the main points distributed more widely, but still,
lots of folks are thinking about crypto without ever having seen the
document or learned any of the information therein.

The press should probably be the primary target of our "nonscientist
education" work, as what many people know is filtered through what
they see on television and read in newspapers.

When we brute-forced DES for the first time, it was important. We all
knew we would do it, but the mainstream doesn't pay attention to us
talking about what we can do; they only pay attention after we've done
it. (If you don't agree, ask yourself why news of our brute-force
effort wasn't carried in any major media until after the deed was
done. People don't care about calculations; they want to see
experiments and results for themselves.)

Now, we have a problem on our hands:

 o Snake Oil vendors can offer bazillion dollar prizes for the first
   person to "break their system" (under a very limited set of
   circumstances, such that they can essentially pronounce any
   successful effort invalid by virtue of "now following contest
   rules"). What I mean is that they don't even need to have the
   money they're offering.

   In so doing, Snake Oil vendors get press.

 o Many of the people buying cryptographic products are ill-qualified
   to make educated buying decisions. Most of these are completely
   unaware of excellent resources available to them which will help
   solve their ignorance.

 o The same people who are ignorant of cryptography, but are making
   the recommendations and purchase orders, do see what's in the trade
   press. Which means that the Snake Oil vendor's contest caught
   their eyes.

 o Warnings about bogus crypto products and even expert cryptanalysis
   goes unseen, unable to find its way into the mainstream trade
   press.

"Silicon Snake Oil Awards" are likely to get press, especially if
they're accompanied by examples of how to defeat the systems in
question.

Does it advance the science of cryptology? No.

Is it intellectually challenging? Not really.

But will it help more people avoid buying the things that will give
them nothing more than a false sense of security? Probably.

If that can be done on a broad enough scale, I think it might be
arguable that the value there, in practical terms, is at least as
great as developing our science further.

It's possible that the picture I'm painting is more bleak than
reality. Earlier this year, though, I was wearing the "consultant"
hat. It's really frightening how many corporate buyers will mention
things like "virtual matrix encryption" in the same sentence as RSA.

-- 
Matt Curtin cmcurtin@interhack.net http://www.interhack.net/people/cmcurtin/


New Message Reply About this list Date view Thread view Subject view Author view

 
All trademarks and copyrights are the property of their respective owners.

Other Directory Sites: SeekWonder | Directory Owners Forum

The following archive was created by hippie-mail 7.98617-22 on Fri Aug 21 1998 - 17:18:52 ADT