Author

Topic: another look at 'security through obscurity' (Read 463 times)

b!z
legendary
Activity: 1582
Merit: 1010
September 07, 2013, 01:43:22 AM
#4
Go make your own crypto then? See? It's difficult.
Making good crypto is difficult. The majority of people today do not use cryptography intentionally at all. Bad crypto is better than no crypto, with added benefit of straining the resources of the mass-surveilance machine.

most software with crypto we have (pgp, bitcoin) is probably good crypto.
hero member
Activity: 756
Merit: 501
There is more to Bitcoin than bitcoins.
September 07, 2013, 12:04:56 AM
#3
Go make your own crypto then? See? It's difficult.
Making good crypto is difficult. The majority of people today do not use cryptography intentionally at all. Bad crypto is better than no crypto, with added benefit of straining the resources of the mass-surveilance machine.
b!z
legendary
Activity: 1582
Merit: 1010
September 06, 2013, 11:25:20 PM
#2
Go make your own crypto then? See? It's difficult.
hero member
Activity: 756
Merit: 501
There is more to Bitcoin than bitcoins.
September 06, 2013, 10:55:21 PM
#1
Most of you are by now hopefully familiar with the latest revelations of the U.S. government agencies planting backdoors in software, hardware, and 'standard' algorithms; stealing and using corporate encryption keys; intercepting, decrypting, and storing SSL traffic.
Read here, for example:
 http://www.propublica.org/article/the-nsas-secret-campaign-to-crack-undermine-internet-encryption#odni-response

Time after time we were told to avoid attempts to develop own crypto methods and instead use published standards. There are compelling justifications behind this advice.
Standardized crypto, on the other hand, obviously enables standardized, automated surveilance by a sufficiently powerful agency that has either built subtle weaknesses into the standards, or has discovered them later on. The surface of their attack is small and well defined, and resorces at hand are enormous.
In a security-through-obscurity world, this universal threat would be eliminated, as no agency has sufficient resources to figure out each and every implementation - no matter how clumsy the implementations are. This would require lots of manual labor, and would in effect force them to use resources for targets that are actually of the national security interest, instead of spying on everyone and everything, inevitably leading to the abuse of collected information for the non-national-security purposes.
 What the free world needs now is the popularization and proliferation of a variety of cryptographic, steganographic, and security techniques, DIY projects, and generally a crypto culture. We should avoid mainstream, standardized solutions, and always opt for the new and obscure, preferably with a DIY mods. If you feel you need to establish a secure channel of communication - why, just build one as an appropriate mix of code, steganography, encryption, one-time pads, fragmentation, etc. If you don't feel you need secure channels - why, still use any of  the methods just for the spamming pleasure.

Jump to: