Re: On the definition of source

"Michael K. Edwards" <m.k.edwards@gmail.com> writes:
> If you're going to accept programs for inclusion in main that are
> written and maintained by people with an agenda -- which includes but
> is not limited to corporate backers who profit from the sale of tied
> products and services -- you have to recognize that not everything
> about their design goals and inner workings is fully disclosed.  The
> classic example is DES; the S-boxes were designed to be resistant to
> differential cryptanalysis, which was unknown in the public literature
> at the time (see
> http://en.wikipedia.org/wiki/Differential_cryptanalysis ).  Commercial
> users just had to take the NSA's (i.e., MITRE's) word for it that
> S-box tweaking was motivated by a desire to strengthen DES rather than
> to Trojan it.

I think you mean:

  The story that is circulated now about the tweaking of the S-box is
  that it was to make DES more resistant to differential cryptanalysis,
  which was unknown at the time.

Once you allow systems to exist with poor disclosure of the construction
process of their internals, you have opened up a back door wide enough
to drive a thousand exploits through.

If you are aware that the providers of the system have an agenda, then
it actually makes sense to work *harder* on the "full disclosure of all
components necessary to reconstruct" angle than you would otherwise.

(Yes, I *am* in the business of producing stuff that you can only
reproduce part of from the design data.)

cheers, Rich.

rich walker         |  Shadow Robot Company | rw@shadow.org.uk
technical director     251 Liverpool Road   |
need a Hand?           London  N1 1LX       | +UK 20 7700 2487
