[1734] in cryptography@c2.net mail archive
Re: Crypto in real life
daemon@ATHENA.MIT.EDU (David HM Spector)
Fri Oct 10 19:51:51 1997
To: Rick Smith <smith@securecomputing.com>
cc: John R Levine <johnl@iecc.com>, cryptography@c2.net
In-reply-to: Your message of "Thu, 09 Oct 1997 17:01:16 MDT."
<v03007809b063075f87db@[172.17.1.150]>
Date: Thu, 09 Oct 1997 23:30:52 -0400
From: David HM Spector <spector@zeitgeist.com>
IMHO, from what I've seen the crux of the biscuit is that no one has
come up with an analogy that lay-people understand about why a Captain
Marvel secret decoder ring is not as useful/secure as a fully tested
and peer-reviewed piece of crypto software, or why interoperability is
a "good thing."

Most of the folks who call me couldn't do long division, let alone
define a prime number or tell you why triple-DES is more secure than
the password dialog box on Windows NT. They "manage technology,"
whatever that means, and they need some way to explain this to the
people who manage THEM.

Perhaps we need to draw on a more familiar analogy to explain this to
folks -- here's, more or less, how I explain it to clients:

Good, safe, well-tested cryptographic security software is like
a flu vaccine. It must be extensively researched and tested
to know in what kinds of situations (in the case of a vaccine,
what strains of flu) it is appropriate to use and which it's
not. The ability of software to interoperate correctly with other
similar software is one of these tests. Imagine a flu vaccine
that kills you if you've ever had a polio or tetanus shot.

Just like vaccines and other medicines, high-quality
cryptosystems go through a rigorous set of designs, reviews,
trials and peer-reviews before they should be trusted with your
data (or in the case of a vaccine, your life!).

A security system is not something you buy off the back of a truck,
nor is it something that non-experts (such as faith healers or
trade-magazine writers [or congressmen]) are likely to be
expert at, so taking security advice from these so-called
experts is a lot like going to a "psychic-surgeon"... you will
probably not get what you expect, and most certainly will not
get better if you are ill.

Finally, like medicines, cryptosystems need to be re-evaluated on a
regular basis to ensure that they are still effective, and
are still safe to use. Since technology (and the flu) is
always on the move, it's a good idea to keep one's technology
(and one's flu shots) up to date.

regards,
David
--
-------------------------------------------------------------------------------
David HM Spector spector@zeitgeist.com
Network Design & Infrastructure Security voice: +1 212.579.8573
Amateur Radio: W2DHM (ex-N2BCA) (ARRL life member) GridSquare: FN30AS
-.-. --- -. -. . -.-. - .-- .. - .... .- -- .- - . ..- .-. .-. .- -.. .. ---
"New and stirring things are belittled because if they are not belittled,
the humiliating question arises, 'Why then are you not taking part in them?'"
--H. G. Wells