Talk:Snake oil (cryptography)

From Citizendium, the Citizens' Compendium
Jump to: navigation, search
This article is developing and not approved.
Main Article
Talk
Related Articles  [?]
Bibliography  [?]
External Links  [?]
Citable Version  [?]
 
To learn how to fill out this checklist, please see CZ:The Article Checklist. To update this checklist edit the metadata template.
 Definition Describes the manufacture and sale of information security products which instill in the consumer a false sense of security, because in reality the product does not make the information any more secure [d] [e]

Quality improvement and better linking to related articles

I'm concerned that this article quickly appeared, after I questioned some comments in cryptography, without any wikilinking from that article. The lack of such wikilinking makes it harder to give editorial reviews to a group of related articles and the structure among them, as well as specifics in this article. I now see propagation of problems in this article, cipher, and cryptography; I'm making some comments in the talk page of the last, and observe here as well that there is a sudden burst of articles that could be more useful with more of an idea of overall outline (multi-article) and appropriate wikilinking.

For this article, let's start at the beginning. First, I'd observe that while this is a vivid and potentially useful phrase and article, it's not widely used in the industry.

It is a standard term among cryptographers. One quick check. Searching an archive of a well known crypto list gives 262 hits for "snake oil". http://www.mail-archive.com/search?l=cryptography%40metzdowd.com&q=snake+oil Sandy Harris 17:22, 3 August 2008 (CDT)
May I ask who runs that mailing list? I've never run across the term on an IETF or NANOG list -- maybe I missed it. Could it be that it is well accepted in a certain community? I hesitate to call anything a "standard term among cryptographers" until I see it in a peer-reviewed journal, widely used textbook, or even a NIST/NSA glossary. It doesn't appear in the index of Scheier's 2nd edition Applied Cryptography, Mitnick's The Art of Deception (where it would seem apt), Meyer and Matyas' Cryptography, Steel-Nagappan-Lai Core Security, Kaufman-Newman Implementing IPSec, or Scheier's Secrets and Lies.
When I did a search on IETF (Internet Engineering Task Force) +"Cryptographic snake oil", I got 8 hits, most of which either referred to S/WAN, or to the FAQ. Do I understand correctly that you wrote S/WAN? There were no hits on "Cryptographic snake oil" with NANOG (North American Network Operators Group), RIPE (Réseaux IP Européens, the European IP forum), APRICOT (Asia Pacific Regional Internet Conference on Operational Technologies). There were 8 hits on SANS, again coming back to S/WAN or the FAQ.
Just looking for "cryptographic snake oil", I got 193 hits on Google. To put that in perspective about "well-known", I got 178,000 hits on "stream cipher", 13,300 on "index of coincidence," 366,000 on "Diffie-Hellman", 56,400 on "KG-13", 8,000 on "Feistel cipher", and 32,300 on "Zero-knowledge proof". How random a group is the mailing list you searched? Howard C. Berkowitz 18:22, 4 August 2008 (CDT)
As Larry says below, the actual term is "snake oil", not "cryptographic snake oil" and the article should probably be retitled the way Wikipedia does it, as "Snake oil (cryptography)". My error, there.
Googling "snake oil" gets 1,730,000 hits, only a small fraction of which relate to crypto. Adding "cryptography" cuts it to 23,200. Restricting the search to ietf.org gives 327 hits. On Sans, 111 but mostly in one thread. Oldest use I've found is in PGP documentation dated 1994 [1].
The list I referred to is run by Perry Metzger. It is cryptography@metzdowd.com; one archive is here: [2] Regulars include quite a few well-known people: offhand, I can think of Steve Bellovin, Matt Blaze, John Gilmore, and Peter Gutmann.

Second, the opening sentence

In Cryptography, the term "snake oil" is often used to refer to various products which do not offer anything like the security their marketing claims.
is not attributed, although there's a general comment about a 2001 book mentioning it.
Policy CZ:Article_Mechanics#Citations says "Citations are not usually needed for information that is common knowledge among experts." There are exceptions, but I cannot see that they apply. Sandy Harris 12:08, 4 August 2008 (CDT)

While I only did a quick search, the 2001 book (online 1st edition) by Ross Anderson,[1] which has a URL rather than an inline citation and any commentary on the work, does not appear to be the first coining of the term. I found a 1999 Bruce Schneier webpage on it[2].

It's been a relatively recent development, as in the last two or three decades, where cryptology has come out of the NSA closet, and many associate that coming-out party with the publication of David Kahn's first edition of The Codebreakers in 1967 [3]. I call attention to Chapter 21 (second edition, but Kahn didn't revise earlier chapters but appended a chapter on the British ULTRA disclosures), "Heterogeneous Impulses", which, while it does not use the term "cryptographic snake oil", extensively discusses the history of amateur-developed "unbreakable codes", which goes back for centuries.

Comments on introduction/lede

After my contributions to Internet Protocol Suite/Signed articles and Compartmented control system/Signed Articles, I am the last person to insist on encyclopedese. Nevertheless, I'm concerned about style here. I don't disagree with some of the opinion stated, but I might like to see a bit more formalism. As to the optimism of programmers, there might be some synergy here to a developing article on Brooks' Law, as well as some decent references to Weinberg.[4]

I suspect the article would not lose quality if some of the adjectives, such as "incurable optimism" or "extravagant claims" were lost, and perhaps more specific examples or citations were given.

Also, external reference to peoples' home pages or FAQs, in the main article, don't fit with my idea of good CZ style. In the main article, more explanation, and perhaps a bit of text to show relevance, would improve the value of the article -- the reader should not have to make a jump to an external link without being sure what value would be better there. Alternatively, such things, again preferably annotated, could go into the "External Links" subpage and perhaps be a little less jarring than as they appear in the main article.

At this point, I would ask for community feedback.

Howard C. Berkowitz 10:24, 2 August 2008 (CDT)

The Schneier article you cite says "Further reading: The "Snake Oil" FAQ is an excellent source of information on questionable cryptographic products, and a good way to increase the sensitivity of your bullshit detector. Get your copy at: <http://www.interhack.net/people/cmcurtin/...>." It is on faqs.org and probably other places, but I chose to cite the primary site. I consider that an essential link. Sandy Harris 17:22, 3 August 2008 (CDT)
Again, what problem are you trying to solve? I don't find that FAQ written, or demonstrably reviewed, that it is obviously an authoritative reference. If there are key points being made, then perhaps it would be best to include them in this article, written in a more verifiable style. "Improving the sensitivity of B*llsh*t detectors" may be OK on Wikipedia, but the phrase runs into one of the stated CZ rules of "family friendliness". I tend to interpret that to mean that unless a profanity is utterly necessary to making a point -- as in a review of Clark Gable's exit line in the movie Gone with the Wind, we don't use it.
I have yet to see anything "essential" that is unique at that site and could not be worked into this article, although I am increasingly of the opinion that this article should not be free-standing, but integrated into cryptography. Please convince me, within the structure of articles on computer/communications security at Citizendium, that an article of criticism of cryptography should be a separate article, with a considerably different writing style, than the main article on cryptography. Howard C. Berkowitz 19:48, 3 August 2008 (CDT)

Keep article or merge into cryptography?

This term is not widely used in the industry. I suggest that the key concepts of misconceptions about cryptography, and specifically one-time pads, be merged into those articles, and this article be deleted.

Perhaps this article could be salvaged with considerably better sourcing and slightly more formal wording. Howard C. Berkowitz 11:02, 3 August 2008 (CDT)

Prose form and naming

Sandy, already, in my completely unexpert, uninformed opinion, this page looks quite useful and talks about something I just never really knew about. I don't think the article necessarily needs to be merged into the parent article (cryptography)--I'm a splitter, not a lumper, so if somebody wants to create a more specialized article, I say let 'em. But don't consider that my official opinion because I haven't looked at the details here. But if we do have a separate article, then there should be some info in the cryptography article about "snake oil," probably (together with a link).

I do have two broader editorial comments:

  1. The article should be written in prose paragraphs, not in bullet-point form. The reasons and method of doing this are discussed/explained in some detail on CZ:Article Mechanics (at least, they are in the more detailed version, linked from the top of that page). I would like to point out that anyone may expand/adapt the current bullet-point format into prose paragraph format.
  2. If the exact three-word name, "cryptographic snake oil," is not a term of art in cryptography, the article should be moved to another name. But even if it were just commonly used, it is also a term of oppobrium, and even if there is a universal opinion among expert cryptographers that what you call "snake oil" really deserves to be called "snake oil," it does not follow just from that that it is an appropriate name for an encyclopedia article. That would be a fine name for a magazine article, perhaps, but we would prefer something that is not so emotion-laden. The reason for this isn't quite neutrality. It's instead the same reason that we'd call an article Flat Earth hypothesis instead of Flat Earth silliness, even when virtually everyone thinks the Flat Earth hypothesis is completely silly. So, instead of "cryptographic snake oil," one could use something like ineffective cryptography products or fraudulent cryptography products or cryptography product criticism, or something like that.
    • Note: point #2 above assumes (note that it begins with a big "if") that "snake oil" is not a term of art. But doing a Google search, I see evidence that it is a term of art, and not just a term of opprobrium. See here for example: "The term we use for bad cryptography products is 'snake oil,' which was the turn-of-the-century American term for quack medicine." This (and other evidence) seems to indicate that cryptographers really do use "snake oil" as a term of art specific to cryptography. I leave it to you (all) to debate that. Now, if you do decide to keep "snake oil" in the title, then I think I would prefer that you use the encyclopedia article title that Wikipedia uses: "snake oil (cryptography)." This seems better to me because, when you include the adjective "cryptographic" before "snake oil," you seem to imply that the exact three-word phrase is the term of art that you are elaborating. But it isn't. The term of art you are elaborating is only "snake oil," as used in cryptography. Hence snake oil (cryptography).

By the way, thanks for rejoining us, Sandy! --Larry Sanger 12:37, 4 August 2008 (CDT)

Larry, I've posted a draft outline under cryptology, which is a proposal to put in some structure. I have several concerns about this article. This may be a mea culpa, but I wrote fear, uncertainty and doubt (FUD) as a very common practice in the communications and computer industry. Cryptographic snake oil, to me, is FUD as applied to cryptography.
If there is a consensus that warning people about crypto FUD is a good thing, the question is whether such warnings are relevant in other technologies, and, if so, the FUD factor should be a separate article, or a FUD/criticism/snake oil system in the main topic article, where it is more likely to be seen. Believe me, I can come up with a great number of FUD examples for router, virtual private network, and many more computer-related terms. In many of those cases, however, I'd be more prone to describe the FUD as a different substance, more like that which is emitted from the south end of a northbound snake.
Incidentally, it's much harder to do that for military articles, because what might be FUD elsewhere is deliberate psychological warfare, as long as it isn't being foisted on the citizens who pay for it. Howard C. Berkowitz 13:21, 4 August 2008 (CDT)
Howard--I think that a wiki grows more quickly and efficiently if people feel empowered to write about more or less whatever they want to, as long as the topic is encyclopedic, and the topic is not directly redundant with an article already in existence. Generally, I say that if Y is a subtopic of X, especially if it is a small enough subtopic, then even if the X article mentions Y, it's perfectly fine to have an article about Y. That's how the wiki web is built; it does not help but actually hinders progress to propose lengthy outlines for top-level articles and then expect everyone working in the area to add only to that article within that outline. With all due respect, I'm opposed to having detailed outlines on article pages themselves; this is presumptuous. Maybe someone with more time than you will want to work on the article and take it in a direction different from your outline. Better to have the outlines on the talk pages, in my opinion, let everyone work to their hearts' content, and then negotiate about how various articles and article sections should fit together.
It is perfectly fine to have a prominent warning about "crypto FUD" ("snake oil") in the cryptography article too--isn't it? It's not an either-or matter, it seems to me.
Well, when you say that "snake oil" is FUD, you could mean either that when people sell bad cryptography software, they are engaged in FUD, or you could mean that the use of the term "snake oil" itself is FUD. I believe you meant the former. You say, then, that you can find instances of abuse and FUD in all sorts of technical stuff, and of course I don't disbelieve you at all. But you conclude from that that there should be only one article about all these different kinds of FUD. I'll bite--why? Why not an article about the different kinds, but also individual articles about each different kind?
If I implied there is one kind of FUD, I'll need to correct that. No, my point is FUD is a sales technique in a great many technical fields. To take one at random, the devices that forward traffic in computer networks are, in some respects, called router and bridge. At one point, one company made some legitimate improvements to these products, but nothing that fundamentally transformed them. They chose to rename them "Layer 3 switch" and "Layer 2 switch", and then spread FUD with "switch when you can, route when you must". There remains a widespread misconception that there is any significant difference between an L3 switch and a router.
I have an excellent relationship with my primary physician, who isn't bothered by discussing drug choices at the molecular level, and where I initiate a suggestion for risk vs. benefit. Fairly recently, there was a considerable media frenzy about one of two drugs in the diabetic treatment class of TZDs. I had been on the one that had the original alerts, and done very well, although we decided that there were other reasons to change. When I last saw him, he gave me some handouts from two different drug company representatives, laughed, and said "you'll enjoy the FUD the two companies are throwing at one another."
My argument would be that any technology has risks, benefits, and often FUD. In many cases, a brief introduction belongs in the lead, which can then link. Howard C. Berkowitz 14:03, 4 August 2008 (CDT)
Remember: wikis are not paper. You are not limited by space considerations. The web tends to grow best when seeds are planted liberally around the conceptual soil. --Larry Sanger 13:51, 4 August 2008 (CDT)
I've rewritten much of it to paragraphs and added some citations. It could still stand improvement, but I think it is now mostly a decent article. Larry's suggested name change seems a fine idea to me. Any editors care to comment, or make the change?
"Snake oil" security products are a real problem, not FUD (nice article, by the way), and usually not cryptographers with NIH syndrome. However, someone spreading FUD about crypto might call other products snake oil. In fact, as one sign of snake oil the FAQ has subheading under "Warning signs" titled "Algorithm or product X is insecure" [3]. Sandy Harris 16:03, 4 August 2008 (CDT)
I don't know if it should be cryptology or cryptography in parentheses... --Larry Sanger 17:28, 4 August 2008 (CDT)
Cryptology is a superset of cryptography. Now, there's not universal agreement on this, but many experts consider cryptography something that is done to human-understandable messages. The pulse patterns of radars and lasers may go through encryption, which helps them resist jamming. While it's not all that likely that someone who is out to buy a radar with countermeasures against electronic countermeasures will fall for snake oil, I suppose that might be an argument for cryptology.
I can only say I've spent a few decades with cryptology of one form or another, and I had never seen this term before it appeared here. Maybe it's a problem for people buying "consumer" crypto, and I've just never had anyone pull it on me. I've heard crypto salesmen accused of FUD, but, most often, when I've been around such a salesdroid, the audience is apt to drip sarcastic cryptologic theory. Perhaps snake oil is idiomatic for one community? Howard C. Berkowitz 17:46, 4 August 2008 (CDT)
It is idiomatic to me. A Google search in the sci.crypt newsgroup turns up 2510 hits, about twice as many as the 1270 for "traffic analysis" which is certainly a standard term. A web search for it at eprint.iacr.org, an archive of (non-refereed) academic papers, gets 4 hits. Sandy Harris 18:34, 4 August 2008 (CDT)
I am willing to say that it might be idiomatic in sci.crypt, or a archive of, as you put it, non-refereed academic papers. That is significantly different than saying things along the lines of "all cryptologists".
Sandy, I appeal to you that there are multiple views of these topics. Other than for narrowly defined theory or for historical examples, I try not to make flat generalizations that I can't back up. Some things may be true within your experience. I'd have far less trouble with the statements if they had some qualifiers, rather than being made seemingly ex cathedra. Howard C. Berkowitz 18:59, 4 August 2008 (CDT)

OK, if I understand the issue here, it is very simple: should there be an article under the title "snake oil"? Also, if I understand Howard's reason for saying "no," it is that "snake oil" is used primarily online and has no currency among serious professional cryptographers. In fairness to Howard, I would say that this wouldn't be the first time that in online discussions and among amateurs or dilettantes, people had invented their own vocabulary for things, which relevant experts rarely or never use. This has happened, for example, in my experience in philosophy, talking to amateur philosophers online.

This strikes me as an objective question. Either the experts use the term, or they don't. What Howard appears to concede above is that it is used in "non-refereed" academic papers. Howard, do you agree that it is used by some credible cryptography experts? If so, then what's the problem? If not, then what could Sandy provide to you in terms of proof that it is used by credible cryptography experts? After all, we all have something to learn about our fields, and in cryptography it is not unbelievable that some additions to terminology might have originated on the Internet.

Let's try to resolve this in a clear and mutually agreeable fashion. I personally don't have a dog in the fight. --Larry Sanger 09:30, 6 August 2008 (CDT)

"General and specific comments. Take any technology where things get oversold, be it cars or video games or weight-loss diets. All of these get articles about the core topic (e.g., video games), and, in some cases, there are enough examples of bad buying experiences (may be U.S.-specific) that there certainly are books on "how to buy a car". The focus is on the neutral function of buying a car, and a successful book gives suggesting for avoiding snake oil (have the real dealer price in hand, ask for the "fleet manager" and make a best-and-final-offer, go through credit unions or other consumer-oriented groups that have audited relationships with car sellors).
Now, there is an immense amount of snake oil, FUD, fraud, etc., in the U.S. car sales industry. To me, there is still a value in having an article on "car sales", with subheads about things that protect the buyer, and warning signs from the seller.
In this case, what would seem most useful is an article on "selecting a cryptographic section." In doing so, with open source tools with a good reputation, there are still performance-vs-security tradeoffs about key length, key distribution, Kerckhoff's principle, etc. Part of this article could definitely include, in a "criticism" or 'warning" section, things characteristic of "snake oil". The article or articles focus neutrally on pros and cons of the subject, and use a compare-and-contrast style, especially when a given claim is not black and white. For example, "just as good as a one-time pad" is suspect, but if someone said "the source of keying is a BBS algorithm. Here are peer-reviewed citations that this technique, with disadvantages such as needing lots of computer time, is highly secure. There are cited proofs that while it is not as clearly unbreakable as one-time pad, the computational complexity (not just "it produces really big numbers of keys) makes it reasonably certain that it gives protection that is practically immune." I personally haven't decided if this is true of BBS, but I haven't spent days on the math, and there are some authoritative, reviewed, academic sources that say it is.
The choices for high security include a modern implementation of one time pad, a very strong key generator, both of which have real issues of getting the secure keys to the end users. Here and in one-time pad (OTP), it has been said that's it's totally impractical, which simply is not true — even manual, and certainly a careful guarded key on CD-ROM and the like, are useful in niche applications. It remains the standard for short espionage messages when a cryptomachine may be hard to hide. At least originally, and as far as I know today, the Moscow-Washington "hot line" is a niche application where OTP makes sense. It is true that high-security methods exist that do not claim to be "as good as a OTP" or "a generated OTP", exist and are used on networks vetted by experts. Rather than a polemic alone, I'd like to see comments on how to recognize a high-security technique, and the equally important operational techniques on keeping it secure.
If there is are valuable yet informal "BS detector" polemics, they may be perfectly appropriate in a signed article subpage. Coming back to the main subject, it's one thing to have an article of pure criticism, and even unsourced polemics, about something experts agree is pseudoscience, such as the flat earth theory. In a case such as this, a compare-and-contrast discussion of strengths and weaknesses, and indeed warning signs of likely fraud as well as careful substantiation, makes more sense. Have the key issues of snake oil as a subhead, along with subheads on how the method of use can make a strong cryptosystem useless. Have a redirect to the main compare-and-contrast article that uses the term that's characteristic of one online community, but try for a neutral title.
Howard C. Berkowitz 11:07, 6 August 2008 (CDT)

I would like to try to bring the debate to a close; we've spent too much time on it when we could have been adding content. So I propose a compromise. Having read through your recent comment, Howard, I think you are not insisting that "snake oil" is not a term of art among cryptologists. Your point is rather that there is something like bias in any article that is specifically about a class of purportedly bad products. Indeed, we might not want to have an article called lemon (automobiles), but instead about automobile purchasing. I'm inclined to agree. I am inclined to disagree that the article containing most information about "cryptographic snake oil" should be cryptography--but you yourself seem to imply that it would be all right with you if the article were cryptography products or something like that. So the compromise I propose is this: we create cryptography products (or something similar), but within that article, we have a nice meaty (and of course balanced) discussion of the phrase "snake oil" as used by online cryptographers. What do you say, Howard and Sandy? --Larry Sanger 11:58, 6 August 2008 (CDT)

Yes, you do understand my key point: the title itself seems biased. "Selecting cryptosystems" or something along those lines might work better than "products", since I suspect open source people don't often think of their work as "products".
Actually, we agree that snake oil and anti-snake soap should not be in the main cryptography article, where there's enough work to define, precisely, the core terminology, still with branches to more detail. While I have more work to do on it, I put a "BGP Operations" subpage under "Border Gateway Protocol", and this discussion does give me some ideas about things to put there, both as Best Current Practice (a defined IETF term of art) and things that are considered Really Bad Ideas.
I have no simple answer to when something stops being a term of some in-group of people involved with a technology, and becomes a term of art in a discipline. Offhand, I can think of several terms related to U.S. military and intelligence cryptology, such as "gray phone", "key list", and "registered publication" that aren't widely used in general civilian or academic practice. "RED/BLACK engineering" probably does qualify as a fairly general, precisely defined, and useful term of art. The singular of data not being anecdote, I'll merely say I've been a journeyman cryptographer, mostly as an adjunct to networks and computers, for 40 years or more, and I literally never heard "cryptographic snake oil" before I saw it here. I prefer more specific terms, such as "key strength", which is well-defined as a superset of things including "key length". Nevertheless, I think it's a vivid and memorable term in the body of a balanced article, and possibly getting a version of a polemic on the signed articles subpage. Howard C. Berkowitz 12:18, 6 August 2008 (CDT)
I'd say it is a term of art, at least in my circles which include some serious cryptographers. Schneier uses and defines it [4]. Cheswick, Bellovin and Rubin use it in their Firewalls book, a standard reference [5]. Bellovin is about as credible as they get [6]. Gutmann also uses it, in an article I've cited in the paper, and he's another very credible source [7].
A better title, though, would be what Wikipedia uses and Larry suggests above, "Snake oil (cryptography)". Sandy Harris 23:29, 6 August 2008 (CDT)
My problem remains with separate articles, on a reasonably serious subject, that have a non-neutral title, and in which the criticism is either simplified or is at too many levels. Apropos cryptography, there are flat-out basic errors, like trying to suggest a straight (but long period) polyalphabetic solution, or, more complex, a weak key and unsubstantiated "OTP-like" keying for a stream cipher. Easily as common, however, if not more so, are badly thought-out or outright wrong systems for public key: they have no good certificate authority, a minimal or no certificate revocation list, and an insecure method of distributing keys.
There can be snake oil for the first, which is reasonably in a general cryptography article, but the snake's cousin has oil that belongs in the more technical public key infrastructure article subordinate to cryptography. Also, maybe not snake oil, but there are some legitimate choices in selecting PKI systems: certificate authority vs. PGP-style distributed trust authentication.
Take a different subject, router. I have no problem with having a section, although I'd prefer a more neutral title, of snake oil/FUD about, for example, "this is a L3 switch and thus better than a router". Even so, there will be sub-articles (e.g., Open Shortest Path First or Border Gateway Protocol where there are bad product choices, bad implementation choices, and bad operational choices. The latter three are all at a more detailed level than should be in router, and belong in the various routing protocols article subordinate to router.
I don't think we have a major difference about having information on snake oil, FUD, and just plain stupidity. Where we seem to differ is whether that sort of information, targeted at different levels, belongs in its own article, and perhaps some thought about the polemic- vs. non-polemic style; I think polemic but substantive articles are excellent signed articles. If you look at Border Gateway Protocol, there are subpages for "advanced" and "operations". Maybe those subpages should be subarticles, and, wherever route reflector and confederation show up, there needs to be coverage of the mistakes that RFC 3345 "Border Gateway Protocol (BGP) Persistent Route Oscillation Condition" tells you not to make -- but a simpler BGP error is ijecting all your IGP routes into your BGP, which isn't "advanced". Howard C. Berkowitz 11:13, 7 August 2008 (CDT)

Sandy, what do you say to Howard's point, which I believe I agree with--that there seems to be something wrong with the phrase "snake oil" in the title simply because it has a polemical suggestion? Similar objections might be raised to "lemon (automobile)" and "bad people" and "puerile pop music" and "brutal regimes." Of course there are lemons, bad people, puerile pop music, and brutal regimes, but using those terms in the title of the article makes the whole article, and CZ as a whole as a result, take a position of social criticism. That isn't the function of an encyclopedia. In other words, even if everyone agrees that there is a criticism to make of a class of thing, it does not follow that it is appropriate that we identify the class by the criticism made of it. In these cases, all the relevant facts can be related under such topics as "automobile purchasing," "ethics" or "virtue ethics," "pop music" or "criticism of pop music," and "military regimes" or "dictatorship." These titles might not be perfect, but they do avoid the impression that we are officially passing judgment on anything. --Larry Sanger 13:41, 8 August 2008 (CDT)

I'd like to propose that we move the article to Selecting cryptosystems, as Howard suggests, or something similar. Obviously we'd like to have general agreement on a name, but if it's not forthcoming, I'll just have to make a decision (or ask the relevant editor to make one). --Larry Sanger 13:44, 8 August 2008 (CDT)

It is not my call; I can certainly accept you deciding that, or leaving it to Howard and having him decide that.
That said, I still think there needs to be something on Snake oil (cryptograhy), as at WP and as Larry suggested earlier, because "snake oil" is a term of art in the field. I think I've provided enough citations to show that absolutely clearly.
That said, I've clearly got the scope wrong in my first shot at that article. Not all insecure systems, not even all boneheaded designs, are snake oil. It is the combination of appalling design with incredible marketing claims that distinguishes snake oil. A more general article such as Selecting cryptosystems might indeed be a good idea. The question then is whether Snake oil (cryptograhy) should be an independent article or a redirect to a section of the bigger article. I'd be happy either way, so hopefully that can be settled more easily that this was. Sandy Harris 14:35, 8 August 2008 (CDT)

Agreed. Here's what I suggest. We redirect cryptographic snake oil to snake oil (cryptography), and on the latter, have a very short article about the phrase "snake oil" (not the thing, but the words, who used them first and in what context, etc.). Then a pointer at the bottom of that article to selecting cryptosystems. --Larry Sanger 15:05, 8 August 2008 (CDT)

Let me add to that--Larry, is a signed article, full of sound and fury and snake oil, appropriate somewhere in this? Even before selecting cryptosystems, I'd like to put up an introductory article on secure communications, defining the general problem of defining communications security needs, for which cryptography is one of the many tools in the toolbox.
When I advise someone on security, I start with understanding the problem they are trying to solve. For example, a bank will be concerned with the privacy of accounts, phishing fraud from fake servers, online banking, and preventing someone replaying the same authorization to a cash dispenser and a credit card authorization terminal. Each one of these problems is apt to involve a solution that includes aspects of cryptography, but the type and strength of crypto differs among the different applications, as well as other measures such as identification, access control, auditing, and intrusion detection. I have material on hand that needs to be restructured with book-with-sidebar, but that shouldn't take long.
I'm not at all opposed to having strong statements, but in context. For example, in the middle of a very straightforward discussion of cryptography, I have a sidebar, with typography and layout making very clear it is commentary rather than mainstream, which reads:
WARNING
  • Never completely trust a source address received from the public Internet, unless the packet header is cryptographically authenticated, or at least part of the payload is cryptographically authenticated.
  • Never accept a source address associated with one of your internal networks, even if that netowkr is registered, if you receive it from the public network.
  • Never buy a car from used car dealerships with "Honest" in their names.
Perhaps that sort of sidebar is the role of the signed article, as optional spice for the main meal of readable but neutral taste. While I like my Thai food with enough heat to raise eyebrows in Bangkok, I don't cook it that way for one's relatives that think macaroni and cheese is high cuisine. Howard C. Berkowitz 16:15, 8 August 2008 (CDT)

OK, who does what next?

We seem to have a consensus. I think the current article text could be a starting point for Selecting cryptosystems, albeit with some rewriting and additions. Also, either a brief article on Snake oil (cryptography) or a more general article on the phrase Snake oil mentioning crypto as one common use needs to be written. I think I prefer the latter.

Who should do those? I'm willing to tackle both, but since the current text is mostly mine it might be better for someone else (Howard?) to do the editing. Also, I'll be mostly off the air for the next couple of weeks. Sandy Harris 16:38, 8 August 2008 (CDT)

Maybe a good laugh will help...

Some years ago, IBM's computer networks conformed to their proprietary Systems Network Architecture, usually known as an abbreviation. A colleague observed that someone might be trying to suggest its use was sinful -- after all, what were the first three letters of the being, in the Garden of Eden, who misled Eve & Adam?

Right. Probably a source of oil as well. :=)

Howard C. Berkowitz 14:37, 4 August 2008 (CDT)

I have nothing to add to this huge discussion other than a chuckle and interest in the conversation itself :) Eric M Gearhart 14:05, 6 August 2008 (CDT)
All right. It was bad enough for the Right To Live of Snakes. Now, Naugas are threatened. My housemate used to have one, as well as an iguana, both of which are now in the Reptilian and Quasi-Reptilian Afterlife.
Spokesman for Reptilian and Quasi-Reptilian Rights 14:17, 28 May 2010 (UTC)

References

  1. Anderson, Ross (2001), Security Engineering: A Guide to Building Secure Distributed Systems, Wiley
  2. Schneier, Bruce (15 February 1999), Crypto-Gram Newsletter
  3. Kahn, David (Second Edition, 1996), Chapter 21: Heterogeneous Impulses, The Codebreakers: the Story of Secret Writing, Scribners p. 763 ff.
  4. Weinberg, Gerald M. (Silver anniversary edition, 1998), The Psychology of Computer Programming, Dorset House

Proposal

I am going to put together a front-end article, which I should be able to get done tonight, tentatively secure communications, but communications security is more technically elegant. Opinions welcome on a name. It will define the types of security services that can be set up for an application. Not all will be needed for every case, and not every mechanism (e.g., biometric identification, network intrusion detection system) is necessarily cryptographic. This will not initially have {{subpages}} so we don't have to move metadata, although we will want a talk page.

What I'd like to suggest, Sandy, is that you go to cryptography, and cut-and-paste the "hows" and "whys" into linked articles. Assume you are a reader that knows what services are wanted; in the other article, I'll identify which must use cryptography, might, or do not. The services will include user identification, user authentication, user credentialing, server authentication, mandatory access control, hierarchical access rights, nonhierarchical access rights, atomic integrity (i.e., hash on each record), sequential integrity (i.e., add sequence numbers/timestamps to each record, and protect them with a hash), content confidentiality (obvious encryption, with the caveat that there may be additional physical protections), sender nonrepudiation and receiver nonrepudiation(digital signatures). There's a special case of sequential integrity to protect against replay attack.

A lot of the content is already there -- my suggestion is that cryptography will be at the level of there are one-way and two-way encryption, and symmetric vs. asymmetric cryptography -- these are the services they provide". Alphabetic vs. block vs. stream are at a more detailed separate article level, but much of it is already there.

FYI, non-crypto protections I have in some form is protected distribution system and frequency agility; I am working on spread spectrum and will have it cover frequency-hopping in conjunction with spread spectrum. The protection itself is non-crypto, but the frequency selection and such is definitely controlled by the equivalent of time-synchronized PRNGs, which select the active frequencies at any given time.

Wishing I could remember who wrote "never consider a cipher developed by anyone who has not broken a complex one", I see the cryptanalysis article(s) logically dependent on cryptography, but there are going to be sub-articles. It's reasonable to illustrate basic cryptanalysis first with monoalphabetic substitution frequency analysis, and maybe the index of coincidence to get the number of polyalphabets, but things like differential cryptanalysis is its own advanced topic.

General question for all -- there's a delicate balance among a statement "this can be cryptanalyzed", some generic statement about approach, and when the math starts getting heavy. Indeed, for something like ULTRA, it involves both group theory and (need a better term) "cryptanalytic tradecraft", such as brute force vs. chosen plaintext vs. probable text, etc.

Larry, is "snake oil" appropriate as a signed article? By that, I mean written as colorfully as desired (with due regard to family-friendliness). A less colorful main article could go under the cryptographic topics, giving the general strengths and weaknesses of each technique, and something like "questions to ask".

I'll suggest that others might want to look at application-specific security and link as appropriate. For example, I have a HIPAA article that discusses its security and privacy requirements. Maybe there's someone who can contribute on PCI for the credit card industry. I have some military crypto articles where I can make general comments, including dealing with threats such as traffic analysis and direction finding.

Howard C. Berkowitz 17:59, 8 August 2008 (CDT)

I'm off the air for the next few weeks (fly to China tomorrow, travel some, get moved to a new place, get computers set up); will look when I get back. I tend to be a bottom-up writer; I've been creating things like one-time pad, brute force attack and meet-in-the-middle attack; perhaps that can complement Howard's more top-down approach. Sandy Harris 19:08, 8 August 2008 (CDT)

Howard, I can't follow the long comments/proposals you make above, and I leave such arcana in your capable hands. I hope I'm not being too presumptuous in assuming that they aren't immediately relevant to the question "should any article titled 'snake oil' exist?" As you must know by now, I always tend to think of these things based on whether we can universalize the maxim of our action ;-) or in other words, whether we can defend doing the same thing in similar cases. The proposal I made--in order to achieve a reasonable compromise--was this: "We redirect cryptographic snake oil to snake oil (cryptography), and on the latter, have a very short article about the phrase "snake oil" (not the thing, but the words, who used them first and in what context, etc.). Then a pointer at the bottom of that article to selecting cryptosystems." Or if not the latter article, then something of your choice.

You ask, "Is 'snake oil' appropriate as a signed article?"--of course it is, but the question gently implies that it's inappropriate as an unsigned article title. Well, maybe, maybe not. The problem as I understand it, and as you've raised it earlier is that the title seems inappropriate because it suggests that we are officially criticizing of some industry practices, and thus is biased. I agree with you that insofar as it does suggest that, it is inappropriate. I won't take a stand on "colorful" language at this point, if you don't mind, except as follows. Now, what if the article titled "snake oil" concerns strictly the use of the term--not about how to identify purported snake oil, examples of snake oil, and so forth, but only interesting semantic data, word history, that sort of thing? What if all the detail and suggestions about snake oil currently in cryptographic snake oil are moved to selecting cryptosystems or something like that? Then, we can make it perfectly clear that we don't use the term "snake oil" but are describing how it is used. Similarly, we might have an article about "kraut (German person)," "whitey," "lemon (automobile)," the n word, and any other terms of disapprobation. An article about "them krauts" would not be about German persons per se, but only about the word "kraut," just as any CZ article about the n word wouldn't be about black people per se, but about how the word is used. Well, if we can have neutral articles that discuss even more obviously offensive words, I see no problem with allowing someone to have a brief article about the words "snake oil" as used by some in cryptography.

Another principle apropos here is CZ:maintainability--basically, we're open to all topics unless they are so specialized that we can never anticipate having a fully-developed set of articles on similar topics. To use my usual examples, we can't have articles about every street in the U.S., but we could have articles about famous avenues, that would include Park Avenue, Champs Elysees, etc. Could we eventually maintain a full complement of articles about every piece of specialized jargon in cryptography, at least at the level of currency of "snake oil"? Sure, I guess so. --Larry Sanger 22:51, 8 August 2008 (CDT)

First, I don't want to lose focus on having solid content in cryptology, which has (cough) key implications in many areas: mathematics, computers, military, history, linguistics, psychology physics...I could go on, but leave Cryptococcus for health sciences. Seriously, a series of articles here could be a different sort of core: an interdisciplinary one. While entropy applies to CZ as much as anywhere else, I think this is a place where the CZ community could shine, and perhaps be an exemplar of collaboration, visibly more so than the Other Place.
I plead guilty to writing fear, uncertainty and doubt, but as much as a psychological phenomenon than as an industrial analysis. I doubt I would have the slightest problem with an article on the cultural and subcultural aspects of the phrase "snake oil", not applied to any particular topic. Your points are well taken on the dealing with phrases as cultural and linguistic phenomena; my concern is that the conceptual shorthand useful in a specialist group — such as a cryptographic mailing list, a medical chart, or soldiers discussing why a training exercise went wrong — may not be the best form of presentation in a main article page, as opposed, for example, to signed article subpage. In my books, I make extensive use of sidebars, and my writing style becomes much more dramatic than in the main text, where I still try not to be too dry.
AI'm not objecting to an implication that CZ is "officially criticizing of some industry practices". My concern is more for an appearance of imprecision, reflecting on CZ quality. I'll leave it to a cultural linguist to tell me if I am using the correct terminology, but I see a blurring between "term of art" (a phrase beloved of patent attorneys, who have beaten me with it) and "jargon" -- or perhaps "in-group humor". For example, I have written, and will continue to write, on Internet routing technology. In particular, Border Gateway Protocol is one of the things that makes the anarchy of the Internet infrastructure work. In that article, I have subpages of "advanced" and "operations". Apropos of operations, and the in-group of North American Network Operators' Group and equivalent organizations, there are things we say within the group that are judgmental and imprecise, but useful in an in-group culture (brief pause for a correctional sociologist). ISPs and core operators do not use the term "snake oil", but "clue", or the lack thereof, I suspect is a linguistic equivalent. "You have no clue", "Hit that man with a clue-by-four," or the ultimate NANOG Curse:
You have no clue. Further, you couldn't get a clue if you stripped naked, smeared yourself with clue musk, and hurled yourself into a field of horny clues during clue mating season
At least for my writing and editing style (both here and in publications), I can't see using "clue" in an encyclopedic context. Without calling them such, I can and will describe some incredibly clueless things that caused major perturbations in the Internet, but go through the incidents, describing the key errors. Switching hats briefly from Computers to Military editor, effective militaries have institutionalized "Lessons Learned" and "After-Action Reviews" as extremely useful things. Those two phrases are indeed terms of art, as they describe a process. While clue mating season may have come close to the edge of family friendliness, do trust me that some of the military in-group terms would not' pass that CZ policy.
As an editor in a wide range of contexts beyond CZ, one of my roles has been to tease the true lessons learned, and the true terms of art (i.e., with precise meaning), out of what can be a mass of opinion and jargon. In my opinion, "cryptographic snake oil" is in-group jargon, not necessarily a good term for explaining a topic to a newcomer. One of my areas of specialization is the in-group communications used among physicians, in part to be able to build clinical information systems that "sound right" to a clinician. It turns out that a major reason that laymen and physicians clash in conversation is that efficient peer conversations is not, as many assume, the vocabulary. It is, to borrow from the anthropologist Edward T. Hall, an "extremely high context" mode. Rereading cryptographic snake oil, I recognize I have the context, in cryptology, to understand the underlying assumptions that make a particular presentation "snake oil." It concerns me, however, that featuring the phrase, with respect to cryptology, may be quite misleading other than to the in-group.
I've gone on too long, but I believe that quality suffers when jargon, other than as a linguistic phenomenon,is assumed to be precise. Jargon and terms of art both have a place, but are not interchangeable. I can recognize the scenarios where a salesdroid (yes, agreed, in-group) presents something that is cryptographic snake oil, but, in reading the article from an editorial perspective, I'm concerned that CZ should not be doing articles on things that are convenient shorthand to practitioners, but not necessarily good introductions to a reader first coming upon them. Without prejudice, Sandy correctly characterized my approach as top-down rather than bottom-up. Bottom-up can be very helpful among people with the requisite context, which is why I say that a signed article subpage, read after the context is set, is the conceptually best place to place such material. :Howard C. Berkowitz 23:51, 8 August 2008 (CDT)

Maintainability

To answer you as simply as possible, I have no intention of maintaining this. I don't think a standalone example of what I consider jargon/irritation at the clueless qualifies as a term of art. Essentially, it's in-group jargon in a certain segment of the security community. I don't feel strongly enough to ask for it to be removed; I'm just excessively neutral about it.

If Sandy maintains it, fine. I am willing to deal with technical contributions in technical articles. If my article on fear, uncertainty and doubt, which I intended as a (loosely) social science commentary on technical sales techniques, seems hypocritical with that article, my feelings won't be hurt if you delete FUD. It adds something, I believe, but if you need to draw a line, feel free.

Howard C. Berkowitz 12:38, 21 August 2008 (CDT)

Moving

I was going to move this to Snake oil (cryptography) as I think we agreed above, but for some reason I get a move button on the talk page but not on the article page. I don't fully understand clusters and subpages, and I do not want to do anything that might break things. Can someone please either do the move or tell me how? Sandy Harris 03:47, 23 October 2008 (UTC)

This was a common problem for a little while, but it should be fixed now. --Larry Sanger 17:53, 25 October 2008 (UTC)
Chris has been fiddling with cluster-moving stuff, and it's different from the way it used to be. Let me try moving this one, and see what happens... J. Noel Chiappa 19:53, 25 October 2008 (UTC)