[1891] in cryptography@c2.net mail archive
Re: [Comdex] aka "The late, great Snake Oil Parade"
daemon@ATHENA.MIT.EDU (tamaster@technologist.com)
Tue Nov 25 13:13:09 1997
From: tamaster@technologist.com
Date: Tue, 25 Nov 1997 01:37:39 -0600 (CST)
To: cryptography@c2.net
In-Reply-To: Message-Id: <v03007802b09f540e3d89@[172.17.1.150]>
On 11:01 AM 11/24/97 -0600, Rick Smith wrote:
-Quoted-Reply->
>
>Ion Marketing has asked us to do a security assessment of their product.
>The review has not occurred. If it does occur, the assessment will
>consist of a checklist that compares their product's alleged features
>against appropriate product requirements taken from my book "Internet
>Cryptography."
>
The brochure indicates that the analysis of Secret Envoy by Richard E.
Smith is available for reading on the Ion Marketing Web site. It indicates
that this is the author of Internet Cryptography (yes, that IS you) and
currently in the employ of Secure Computing. Sounds like the brochure
publication might be a little premature...
>
>The guy at Ion did say that their algorithm was proprietary and they're
>not releasing it for review. He knows that this isn't going to earn any
>points in the review we do.
>
All the harder to prove the claims made when the algorithm is not peer
reviewed. My "bone of contention" was with "the facts" and implication
that public domain algorithms by their very nature are somehow less fit
for use in a security product. It is my firm belief that the more open
the design is for public examination, the less likely a flaw will remain
undiscovered. For all I know, Secret Envoy may be, in fact, a very good
software package. But the brochure reads like a sideshow pharmacy...
>
>As far as "defending my name" this reminds me a bit of the old Pogo comic
>strip where the local cop was in trouble for "consorting with known
>criminals" (i.e. chasing them, investigating them, arresting them,
>maintaining an office in a building that housed them, etc.). If crypto is
>going to be used by the mainstream, then we need to find ways of dealing
>with developers, even when they smell of snake oil. Sometimes it simply
>masks the smell of honest ignorance, which is a curable disease.
>
I pretty much agree with you here. Secure Computing does assessments.
The paying clients could span a wide range of capabilities, including
the "honestly ignorant". No shame in that. But jumping the gun on a
yet-to-be-published technical review (among other things) seems a tad
slippery to me...
>
>Rick.
>smith@securecomputing.com
>
<-Reply-Thusly-Ended-