Schneier Discusses Ethics of Crypto PR Tactics

vaxzilla writes "There's a really great article in Bruce Scheiner's January 15th CRYPTO-GRAM newsletter. He questions the ethics of various security companies who use announcements of security problems to bolster the sales of their products and services. When I read about the recent articles talking about the weakness of the current web browers, I pretty much thought, "Yeah, so what?" But nCipher looks to be pushing the hype to help push their product. The article is worth reading. "

Bruce Schneier & publicity

[Anonymous Coward]

A colleague of mine was once at a crypto conference when Bruce Schneier went upto him. After a cursory "what did you think of that talk" BS immediately went on to ask him if he was going to buy his book. (This is when the first edition had just come out).

BS is also the nominal head of a number of security companies (e.g. Syndata), cos they look good with him there, and it doesn't exactly not benefit him now, does it?

Not only that, but he regularly mails what seems like half the world his opinions on various things (e.g., this nCipher article) and sometimes some more interesting stuff (e.g. the attack trees, but models of attacks such as this are well known in security research anyway).

Always wonder what the writer of the article has to gain from it -- Bruce Schneier I'd say -- always publicity.

my opinions are nothing to do with my employer.

DVD Companies

[Anonymous Coward]

"I don't want the digital cellphone industry, or the DVD industry, to foist bad security off on consumers." Gee, Naw, wouldn't want the DVD industry selling me poorly encrypted video discs. Imagine the horrible things it could do to me!

Hmm, sounds familiar

[Anonymous Coward]

A couple of hours ago Bruce Schneier's Cryptogram reported an old "publicity stunt". This was a follow-up to a poll on SecurityFocus.com which said that security companies over-exaggerate the importance of having secure systems. This is borne out by companies like cdUniverse who ignore these gimmicks, and rightly so.

The person Bruce Schneier demonstrated that stories that aren't headline-grabbing tend to get ignored, and that the best way to publish your research is to do it quietly without any reward. Bruce Schneier's Cryptogram talked of a "blatant attempt ... to get some free publicity". Huh? Why is this news? It's not the fact that we aren't all aware of advertising. That's obvious, companies have to do it. It's not the fact that Bruce Schneier was running out of things to say. That's obvious, too. It's not the news that companies that sell anti-virus solutions (that scan for competitors products) want to sell their products. We've seen dozens of these attacks in 1999. But wait ... Bruce Schneier sells a solution to the same problem that nCipher does. Okay, now I understand.

I call this kind of thing a publicity attack. It's a blatant attempt by Bruce Schneier to influence thousands of people against buying hardware crypto, and instead relying on "security professionals" to provide an "integrated and adaptive set of information security services". You don't want a secure webserver where the keys can't be compromised. You want a comprehensive assessment of your information security environment and tailored, integrated intrusion detection. It's a blatant attempt by Bruce Schneier to remind us all that he is the foremost authority on cryptography, information security and writing security bulletins (forget Fred Cohen!), and to scare e-commerce vendors into not purchasing other solutions. And people fall for this, again and again.

This kind of thing is happening more and more, and I'm getting tired of it. Here are some more examples:
* Follow the Money (Score 3) by DreamerFi basically restates Bruce Schneier's last sentence.
* Zigg asks Bruce Schneier to "preach on, brother"
* okay, I'm bored, but you get the point

Now this is not meant to be a total troll, just to remind you of what Bruce Schneier was trying to say.

And above all - never trust anybody.

---
My employer is not responsible for anything I say here.

Bruce's Allegations About Me

[Anonymous Coward]

I wrote the New York Times article that Bruce attacks in his CryptoGram. His piece would have been fairer if he had mentioned the fact that the NYT article explores the ethical quandries of the nCipher attack. I discussed,_at length_, whether nCipher's announcement amounted to blackmail and I reported, _at length_, about their reponses. I asked all of these questions weeks ago and printed their explanation, which I thought was rather reasonable. They felt that publicizing the details were more ethical than keeping silent. It's also important to realize that there was something NEW in what they reported. They had implemented their key finding attack and coupled it with a number of standard hacks around the memory protection schemes of major OSs. You might argue that there's nothing novel about a frightening practical demonstration of a theoretical concept, but I want you to try that argument out on the folks from Hiroshima and Nagasaki first. Anyone can check this out for themselves. Alas I can't give you the exact URL because I'm at the RSA conference. But if you go to www.nytimes.com and log in (sigh), actually find the search screen (sigh), and search for past documents containing the word nCipher, you'll be able to read it. Feel free to write me if you have any concerns or thoughts on this matter. Peter Wayner pcw@flyzone.com pwayner@nytimes.com

Re:PGP for furriners (slightly off-topic)

[phil reed]

There's always PGPi [pgpi.com], which is the official legal exported version. It was sent out of the U.S. as printed material, which is legal, then retyped in. It also doesn't have any patent issues. And, it's fully interoperable.


...phil

Food for thought

[jd]

I'll agree that nCipher's tactics are questionable in the extreme, and that the "solution" suggested offers more to nCipher's accountants than to their customers.

However, I think that the underlying threat has a measure of validity, too. Insecure memory does leave the door open to a lot of potential vulnerabilities. (Actually, IMHO, nabbing the key as it goes through is probably the least of these.)

IMHO, it's important to see where a security company is using scare tactics, but it's also important not to dismiss the tiny (sometimes infinitesimal) kernal of truth that's in there, in the process of throwing away the lies.

(Sometimes it's just so much easier to throw away everything, but if that leads you away from something important, it might be worth spending the extra time and effort.)

What was the topic again?

[copito]

If they can call us Les Etats Unis then we can call them Fraynce.
--

A few points

[Kris_J]

I have a few issues with the article, mostly ignoring the hypocritical aspects that others have touched on...

• Most people are so stupid and trusting that they self-panic at the first sign of a security breach or if someone breaks a trust. Unless you read the original press release, your experience of the event is coloured by, at least, honest mis-understanding and fear.
• Explaining tecnical things, like obscure computer security problems, to the managers that actually hold the purse strings is impossible. You have to bully and scare them into buying your product. Heck, no-one buys a security product if they feel safe.
• Why shouldn't these companies make money providing better security? Most of the ways people earn a living are borderline dishonest, or actually involve breaking the law (to just take people on the roads: truck drivers taking drugs to pull illegal hours, taxis speeding, buses changing lanes in intersections and running red lights, workmen parking illegally because they "need close access to the site", tow-trucks parking on freeways/motorways...) If all they're doing is scaring people into buying better security, then that's harmless in the grand scheme of things. Ask yourself when the last time you did something morally questionable, or even illegal, in the process of doing your work - I bet it was in the last week, probably today, and possibly in the last hour.

I think that this article has simply been a soft option to fill a slot in an e-mail newsletter who's primary purpose is to draw people (back) to a security company's web site...

Media Ignorance => Hype.

[The Dodger]

Basically what these companies are doing is taking advantage of the fact that the media, as a rule, are pretty clueless when it comes to technology in general, and security in particular.

Many, many media outlets simply rehash the press releases they receive, either because they're ignorant and are trusting that the companies who produced them aren't being misleading, or through simple laziness. Unfortunately, companies like nCipher have begun to realise this, and that, by putting the right spin on a pres release, they can achieve media exposure.

It basically amounts to free advertising, and as long as media outlets (i.e. publications, websites, etc.) don't bother checking out the stories they print, it will continue.

The way I've tried to deal with this is to offer media outlets the opportunity to bounce stories off me, before they print them. When I used to see a story like this, I would email the writer/journo and his editor, setting out what was wrong with the story and how they had been mislead, quoting independent sources of information, etc. The key thing is to avoid flames. They just get deleted. Just be civil and polite, and offer to help them out.

The only problem I've found is that you can end up getting quoted, so be sure to tell them that you don't want to be quoted, and point them towards other "experts" who can supply quotes.

D.
..is for Debauched.

Re:Bruce should write about himself

[um... Lucas]

Maybe he genuinely feels that Twofish and/or Blowfish are sufficient alternatives to the already existing algoryhms. Maybe it's his ego that gets boosted. And I don't know for sure, but after reading all of his articles, i would be suprised if he stood to make a dime from any implentation of his algorithms. Why? He's always pushed for royalty free, patent free cryptosystems, saying that since they already exist and work fine, there's no incentive for anyone to spend money licensing a new technology.

So, yeah, his ego gets stroked a bit, and he's definetly sided with his algorithms in the AES submission process, but in the end his only motivation is for pride's sake, rather than blatantly chasing the dollar signs.

Pot, meet Kettle?

[Gavin Scott]

While I think Bruce's ethics are probably much better than the people he's complaining about, I have noticed a marked increase over the last year or so in the degree to which Bruce's writings sound like advertisements. :-(

G.

The Real Problem...

[Royster]

is that someone who has the power to read arbitrary memory or server binaries/configs on disk has the power to replace the server with a trojan that (a) stores the secret information and then (b) calls the original server or (c) just reads the credit cards right out of the database. There ain't no hardware encryption solution that is going to protect you in that case. The "security vulnerability" which this supposedly reveals in order to sell their hardware, actually hurts them too. But you didn't read that in the article.

Let me go off on a tangent for just a sec

[Kaufmann]

and as much as we all love being closet-Socialists here

Whoa. Now you got me on rant mode. Run for your life. :)

<rant>
I've yet to meet a geek, nerd or hacker who is a socialist in this sense. Fervorous libertarianism seems to be the norm around here. This is good.

And before you get all "where was your beloved free market when the DoJ had to intervene to stop Microsoft?", let me say that I never, not once, advocated the DoJ's meddling with. As much as I hate what Microsoft does, at least I'm consistently radical.
</rant>

Re:Let me go off on a tangent for just a sec

[Kaufmann]

Okay. So now I know a geek/nerd/hacker who is a socialist. Thanks for the correction; sorry for any inconveniences. Peace!

Historical anecdotes

[LL]

Back in the days when personal security safes were still new, the manufacturers would stage publicity stunts to discredit the competitors and promote their "superior" solution. So someone (e.g. Chubb) would go through a line of opposition safes, look through the keyhole, file a wooden subsitute for the key, then unlock it in front of newspaper media (with the added bonus of cutting a notch off the wooden key then locking it so that the original key wouldn't work). As you could expect, the media hype and claims/counter-claims would rival anything happening in today's world of e-commerce and security scares. I just thank the gods that so far, it is still a tiny fraction of the world's economy and no really serious commercial system is exposed. Can you imagine the panic if somebody revealed they created and flogged/forged transfers of synthetic treasury bonds or currency exchanges? It is unfortunate that the customer bears the brute of untried systems and the cost of replacement and if history is any evidence, will take some time for technology to stablise and trust to develop.

LL

Re:Bruce should write about himself

[YoJ]

He makes his money running a computer security company that provides security solutions. He might not make a dime when someone implements his algorithm, but how valuable is it to the company to be able to say that they developed a major cryptographic standard?

There is nothing wrong with being proud of your ideas and advocating them. The problem is when he uses his cryptography newsletter to advocate his own pet algorithms. Nothing wrong with that, but maybe he should be more open and mention when he's talking about products he developed.

-Nathan Whitehead

Re:A question

[Muffhead]

1. Check if it has already been found. Security Focus & the Bugtraq archives [securityfocus.com] are a good place to start.

2. If it is a new vulnerability notify the vendor responsible.

3. Wait an appropriate amount of time (opinions vary on this part). If the vendor fails to respond post the info & the exploit if you have one to Bugtraq or similar list.

4. If the vendor does release a patch/notice release your details as well.

At no point should leaking it to the press to make a fuss be an issue. Full disclosure is a good thing, but in the appropriate forums. Some vendors are very cooperative & release patches (or at least a notification) very rapidly. Others never get around to addressing security holes.

Legislating ethics...

[CryptdotX]

Sorry Bruce, you can't force people to be ethical. When businesses see that they can make a whole lot of money by exploiting news about a security hole to sell their product, they will do it.

I think difficult solution to the problem is educating consumers and media professionals so that they don't get taken advantage of in these ways.

Not sure I agree

[Hobbex]

I usually agree completely with everything that BS writes (and I was pleased to see that his first paragraph validated my Slashdot post in the nCipher string), I do think that he is being a little hypocritical about this subject. While the whole nCipher thing was obviously just "hacksationalism", it seems to me that the dividing line between cases where he is and isn't OK with publishing cracks depends competely on where party is making money or not.

Ethics to the side, and as much as we all love being closet-Socialists here, capitalism is what makes our world go round. I wish all research could be funded for altruistic reasons, but in the real world the lure of profit IS often necessary. This is why we stand the fact that medical patents often keep poor people from being able to afford treatment, its for the greater good of having the medicines developed at all.

It might not be perfect to have companies researching for security holes so they can validate the sales of there products, but at least the holes are being found and published, which, IMHO, is a hell of lot better then letting them linger until somebody who would rather use them than publish them finds them. Use Open Source and you can be sure you can patch around before the hackers hit you when the problem hits the press.

I also see no mention in the article about BS own new Internet security company, Counterpane Internet Security, and how he plans to change his behaviour now (though he points fingers at LOFT for doing the same). He might have discussed this before though.

If anything, I think one of the biggest faulty parties here is Slashdot. A lot of journalists read this site, so when the editors post a story like the nCipher one, it does a great deal to spread it further. May I recommend that the /. staff consider taking a Cypherpunk onboard to weed through stories about such issues to make sure they are real and not just sensationlist.


-
We cannot reason ourselves out of our basic irrationality. All we can do is learn the art of being irrational in a reasonable way.

"Hackers, Crackers and Lamers"

[GMontag]

Scheiner was interviewed for an upcoming documentry (working title is Hackers, Crackers and Lamers) and makes fantastic down-to-earth sense about the subject of ethics in just a few seconds of screen time. I hope he is in the finished product longer, I only saw an 11 min. promo).

Release later this year I hope.

Re:Not sure I agree

[DaveHowe]

I do think that he is being a little hypocritical about this subject. While the whole nCipher thing was obviously just "hacksationalism", it seems to me that the dividing line between cases where he is and isn't OK with publishing cracks depends competely on where party is making money or not.
Not too sure I agree with that <grin>. What he seems to *me* to be saying is that he disagrees with either

1. Pushing out a "scare" advisory that, if a given set of circumstances occur, AND an attacker does something that would eat CPU time, AND he gets lucky, he MIGHT be able to read a SSL key, and therefore gain access to a SSL conversation that he shouldn't have - assuming he can capture and identify the packets as well, of course - or spoof his way in on that conversation provided it hasn't closed by the time he found the key. The fact that , in bang-for-your-buck terms, it would be more effective to try and grab the packet stream and brute-force the 40-bit key (which is a different issue of course) is being ignored by this company... why? because they don't sell a hardware solution for this. The other obvious issue (that if the key might get leaked into free memory by the webserver, then the plaintext might also) is similarly ignored.
   I think what it comes down to is this - if a major bug is reported to the world that can't be patched out of existance, and you appear with a hard or soft solution that fixes it without introducing more problems, then everyone will stand behind you and applaud. If *YOU* came up with the problem report, and everyone else thinks it is such a long-odds occurance it gets a backburner-status until more pressing problems are sorted, don't be *too* surprised if everyone looks a bit suspicious when you trot out your "solution".

2. Advisories being pushed out in a blaze of publicity, with the developers of whatever was targetted not given a fair amount of time to come up with a solution (I am in two minds about the eEye one - if their side of things is to be believed, they didn't even get the courtesy of an acknowledgement of their bug report from MS - however, the main thrust of their PR campaign was based around the fact that THEIR magical new scanner found the vunerability, and that it WASN'T known out in the script-kiddie community yet. If it wasn't public knowledge, why not give the programmer's an extra week or so? because someone else might find it and spoil your nice PR coup?) It is more common to find this sort of advisory in the Bugtraq mailing list, with a careful description of the vunerability, as limited an exploit as you can make that will demonstrate the problem without causing more damage, and (if you want the brownie points) a workaround or patch.

<...block snipped...>

If anything, I think one of the biggest faulty parties here is Slashdot. A lot of journalists read this site, so when the editors post a story like the nCipher one, it does a great deal to spread it further. May I recommend that the /. staff consider taking a Cypherpunk onboard to weed through stories about such issues to make sure they are real and not just sensationalist.
Not too sure about that either - most readers of /. know to take a PR release with a grain or two of salt, and given most of the time one of the people respected in whatever field the post is in will either confirm or debunk a story within a few dozen posts (and rapidly get moderated up) why not just let /. take it's normal course and add an UPDATE: tag to the story if it looks too far out from the dock? With the possible exception of petrified females, the /. Delphi effect seems to work much better than a paid staff member could hope to, and it's cheaper too :+)
--

Re:Let me go off on a tangent for just a sec

[Zan Thrax]

I'm one of the socialists you claim never to notice. And I don't have the problem spoting them in the slashdot crowd amongst the "fervent libertarians" that are supposedly the "norm around here". Oh, and while other's amongst us may be closet-dwellers, (not that I blame American socialists for hiding from anti-commie progaganda victims) I'm very open about my views. About the only place I agree with libertarians is for all agencies to stay the fsck out of my private life.

Lack of experience in the media

[1984]

There's a critical problem with a general lack of security expertise in the media. It has lead to an unfortunate slant 'on the side of safety', where anyone highlighting an apparent security problem is instantly believed.

This is often regardless of credentials, and I've seen some journalists maintain a tenacious grip on a flawed notion of bad security because bad security makes a good story. Copy gets churned out that all too often recites doomsaying of the original source, without reference to any independent expertise.

It's even worse when there's actually a story in there, but it isn't the story that they're choosing to write.

Sensible, timely reporting of security issues, and pentrating questions aimed at those who seek to deflect them are sensible and useful. Grabbing the latest 'see here security disaster!' hype isn't.

Starts insightful and degrades from there

[Zigg]

I'm a subscriber to CRYPTO-GRAM; I suggest anyone who cares at all about security subscribe as well. Bruce is a true luminary in his field and usually when he points something out, it's worth looking into.

That said, I quickly read the nCipher bit this morning when CRYPTO-GRAM arrived. The first few paragraphs had me nodding and saying ``preach on, brother'' (under my breath of course; when I do it out loud my wife looks at me strangely...) But the remaining examples led me to believe that perhaps Bruce had written himself in a corner and was desperately trying to close his essay with nothing else to say.

nCipher is an example of an extreme that is easy for everyone to point out and understand. But the rest of Bruce's article left me saying ``so what?'', especially when peppered with constant ``I am probably the last person to say this, but...''s and ``I normally don't condemn this, but...''s. It left me feeling that the problem he highlights really isn't as widespread as he wanted to make it out to be.

My advice, Bruce: continue to highlight the insane for our benefit; but don't beat a subject after it's dead. (``We will kill you until you are dead!'') :-)

Follow the Money

[DreamerFi]

What you should always keep in mind is Follow the Money when reading articles anywhere. Bruce makes this point very clear, but you should not limit this to cryptography. Always wonder who stands to benefit from an article.

Including on Slashdot

-John

Re:PGP for furriners (slightly off-topic)

[bmc]

GnuPG [gnupg.org] is a good replacement for PGP, developed outside the US, and unencumbered by patents.

Re:False Authority Syndrome (Offtopic Comment)

[Nipok Nek]

As always, a great read from Bruce.

ARGH! This annoys me to no end. Unless you heard Bruce somewhere reading it, it wasn't any kind of "read". When I hear someone say this, I get a mental picture of the guy in the TV commercial that insists on pronouncing France the foo-foo way. (Fronce) Try going into your favorite restaurant, and after dinner, tell the chef it was "A Great Eat". See him swell with pride. :)

That rant has been building for some time. Don't take it personally. Yours was just the final straw, so to speak. :)

Nipok Nek

Re:False Authority Syndrome (Offtopic Comment)

[Nipok Nek]

Main Entry: France
Pronunciation: 'fran(t)s, 'fr[a']ns
country W Europe between English Channel & the Mediterranean; a republic capital Paris area 212,918 square miles (551,458 square kilometers), population 54,257,300

Tomato, Tomotto....

Nipok Nek

A question

[JamesSharman]

The author makes some valid points to the degree of contradicting himself. I would hope that most of the people on slashdot can spot posturing and sensationalizing when they see it.

"I call this kind of thing a publicity attack. It's a blatant attempt by nCipher to get some free publicity for the hardware encryption accelerators, and to scare e-commerce vendors into purchasing them. And people fall for this, again and again."

Yes nCipher didn't really point out anything new, yes it's a blatent attempt to get free publicity and yes it does stink of the whole virus scare thing we went through 10 years ago. However the issue here is where do you draw the line between a publicity stunt and genuine alerting the world to a problem. I feel that just telling those with a responsibility to fix a problem is not the solution, as the writer correctluy points out:

"Of course, the downside is that these bugs get less attention from Microsoft and Netscape, even though they are as serious as many others that have received more press attention and thus get fixed quickly by the browser makers."

However this causes a problem, if the only way of attacking a true problem is to make it public with all the fuss involvoed how can you expect the public to tell the difference between this and someone grabing for publicity, we maybe able to tell the difference but joe public is usualy a little out of their depth when dealing with cryptography.

What I would like to know is if you (the person reading this post) found a gaping security whole in something large like Explorer or Navigator what would you do:

• Just report it to the vendor.
• Leak it to the press and make a fuss.
• Work it into an exploit and make yourself rich
• Something else.
• Depends whose software it is.

Ad hominem.

[gargle]

In response to a reader's essay comparing Elliptic Curve Cryptosystems and RSA (near the bottom of the newsletter), Bruce Schneier writes: "((This is a good essay, but remember the author's bias. He works for Certicom, and it is in his financial interest for you to believe in elliptic curves. --Bruce))"

This is just lame. If there're problems with the essay, point them out. Otherwise shut up.

Re:False Authority Syndrome (Offtopic Comment)

[radish]

I apologise unreservedly for my use of a common phrase :-)

BTW...did you see the new BMW yet? I heard it's a great drive. And Q3 on a Xeon? That's what I call a great frag.

False Authority Syndrome

[radish]

As always, a great read from Bruce. Others have commented on this phenomenon, which seems very common in security/virus areas. Rob Rosenberger runs a great site called Virus Myths [kumite.com], which deals with all the "Good Times" stuff, as well as investigating other security stories, with the aim of getting rid of the hype and looking at the real story. He also has an article on what he calls False Authority Syndrome [kumite.com], basically the habit loved by certain parts of the media to totally believe someone because they assume them to be an "expert" on the subject. Essential reading...

PGP for furriners (slightly off-topic)

[pingflood]

I know this is a tad off-topic, but since a buncha crypto people are bound to read this -- last I read about PGP, you could only use it if you were an american citizen. Does this still hold true? I'm a permanent resident in the US but not a citizen; if PGP isn't available for me, what alternatives do I have? TIA.

-pf

Re:Bruce should write about himself

[Hikage]

Actually, Bruce recommends 3DES over Blowfish or Twofish or any other block cipher, citing the fact that DES has been around for so long and still no major weaknesses have been found. In his comment in the Cryptogram that you refer to, he uses Twofish as an example of one of the fastest block ciphers, which it is. He makes no claims about its security. And I don't know exactly how long Twofish has been around, but I know it's been longer than 4 months. As another reader pointed out, it's been around at least since the AES candidates were announced in August of 1998, and I very clearly remember reading about Twofish and the fact that Bruce was planning on submitting it in mid '97.
j

"It's not whether or not you're paranoid. It's whether or not you're paranoid enough."

Re:Bruce should write about himself

[Hikage]

Actually, Bruce recommends 3DES over Blowfish or Twofish or any other block cipher, citing the fact that DES has been around for so long and still no major weaknesses have been found. In his comment in the Cryptogram that you refer to, he uses Twofish as an example of one of the fastest block ciphers, which it is. He makes no claims about its security. And I don't know exactly how long Twofish has been around, but I know it's been longer than 4 months. As another reader pointed out, it's been around at least since the AES candidates were announced in August of 1998, and I very clearly remember reading about Twofish and the fact that Bruce was planning on submitting it in mid '97.
j

"It's not whether or not you're paranoid. It's whether or not you're paranoid enough."

Re:Lack of experience in the media

[p-k4]

There's a critical problem with a general lack of security expertise in the media. It has lead to an unfortunate slant 'on the side of safety', where anyone highlighting an apparent security problem is instantly believed.

You mean like Y2K and credit card information theft?

Regarding credit card theft, I'm tired of hearing about the theft of the information. I don't care who steals my credit card number but who uses my credit card number. The information of the fraudulent charges racked up on stolen CC numbers is painfully missing in most stories telling how 250k CC numbers were stolen from random-site.com.

CRYPTO-GRAM

[Hoo00]

By the way, this is true too: "I [also] call this kind of thing a publicity attack. It's a blatant attempt by [CRYPTO-GRAM] to get some free publicity for the [article at /.]..., and to bother [/. readers to moderate down some comments like this one]. And [he critizes] this, again and again." Anyway, since the problems are so obvious as the author said, nobody is going to buy the nCipher's story.

Re:A question

[WinTired]

I would:

• 1 - Report it to the vendor;

  2 - One week later, post it somewhere so as to make it public;

  3 - One week after that, release an exploit, if I were capable to, just to make sure the vendor *does* something about the hole.

-------------------------

Re:Bruce should write about himself

[DrXym]

Twofish might have weaknesses yet to be discovered, but it also has one great strength - it is GPL'd and patent free.

Not Surprising.

[Postmaster General]

This is typical marketing/advertising. If I was in the ad business, I'd be doing the same thing.

It's their job to increase sales, and this is an appropriate method to do so given what they are trying to sell.

To put it another way, when we were kids and they'd show those action figure commercials where the figures seemed like they were really flying, you didn't really believe they could actually fly, did you?

It's advertising, plain and simple. If a person gets suckered into purchasing something simply by viewing the ad, they really have nobody to blame but themselves. Likewise, if a person is willing to spend their money without doing their own research, then perhaps they deserve to be suckered.

advertise
Pronunciation: 'ad-v&r-"tIz
Function: verb
Inflected Form(s): -tised; -tising
Etymology: Middle English, from Middle French advertiss-, stem of advertir
Date: 15th century
transitive senses
1 : to make something known to : NOTIFY
2 a : to make publicly and generally known b : to announce publicly especially by a printed notice or a broadcast c : to call public attention to especially by emphasizing desirable qualities so as to arouse a desire to buy or patronize : PROMOTE intransitive senses : to issue or sponsor advertising

In case anyone is interested, here are some further readings on the subject of psychology as it is involved with advertising:

The Power of Words: Advertising Tricks of the Trade [wsu.edu], Richard F. Taflinger, PhD
Psychology of Consumer Behavior [wsu.edu], Richard F. Taflinger, PhD

Re:Bruce should write about himself

[tens]

All over AC he explains that you should waits years, not weeks to see what kind of attacks the algorithm withstands.

I definately agree that Blowfish is a reasonable algorithm, but Twofish just hasn't been tested like Blowfish, and the other myth, that Twofish is an improvement of Blowfish is not true at all. Twofish is an entirely different algorithm.

He might not be making any direct money from his implementations, but being able to say "Counterpane, the guys that invented the new AES standard, implemented in all new major encryption products", is worth quite a bit of money..

Re:Bruce should write about himself

[tens]

a few months after he released Twofish certain big crypto libraries got requests from Bruce to include Twofish in their mix of algorithms :)

That was a long time ago.. way before even the end of the first round of AES.

Bruce should write about himself

[tens]

I think Bruce should be pointing a huge finger at himself as well. We all know that encryption algorithms aren't considered even remotely secure after a long period of time. Bruce recommends years in his AC (which is the way to go) but 4 MONTHS after releasing his Twofish he's pushing it to be included in all major encryption packages. Can you say OpenPGP for example? And what's the comment "(that's Twofish, the fastest AES submission)" about? He's mixing up his own interest just as must. I don't think Bruce is any better than nCipher or any of the other guys.