Talk:Snake oil (cryptography)

From Wikipedia, the free encyclopedia
WikiProject Cryptography / Computer science
This article is within the scope of WikiProject Cryptography, a collaborative effort to improve the coverage of Cryptography on Wikipedia. If you would like to participate, please visit the project page, where you can join the discussion and see a list of open tasks.
This article has not yet received a rating on the quality scale.
This article has not yet received a rating on the importance scale.
This article is supported by WikiProject Computer science.
To-do list for Snake oil (cryptography):
  • Fix bullet point format
  • Resolve NPOV discussion

good start

JS, An excellent start. I'll have at it some in the next few days (modulo time and diversions) to tighten it up a bit. Thanks. ww 14:24, 9 Jun 2004 (UTC)

orientation of article

The point of this article, in my view, is threefold. First, to make known to readers that there exists a class of crypto nonsense. Second, to make known to readers some of the characteristics of said nonsense. Third, to make known to readers why this nonsense is nonsense (or at least some sense of why if not the excruciating details). None of these purposes is NPOV, nor need any say nasty things about particular products or systems. However deserving...

Actually, I disagree with your assessment of the purpose of this article. Our agenda isn't "to get the word out" about weak cryptosystems, but rather to document what people mean by "snake oil" in cryptography, and also to document how and why some cryptographers characterise some products as bogus. Notice the change of emphasis -- we're not delivering the verdict ourselves, but describing the arguments used by others. If we don't take this approach, we veer towards POV: Not everyone agrees with the assessment of what constitutes "snake oil"; certainly snake oil vendors don't, and opinion on how telling individual "snake oil signs" are also varies -- e.g. quite respectable cryptographers (NSA or GCHQ) will use secret algorithms; other respectable cryptographers will promote new constructions without extensive analysis (e.g. Ferguson and Schneier in Practical Cryptography) etc...
We certainly cannot absolutely condemn certain forms (snake oil) of crypto, in much the same way we can't trash certain forms of alternative medicine in the context of modern medical opinion. What we can do is present the arguments, and that will have the desired side effect anyway. — Matt 12:46, 13 Aug 2004 (UTC)
Matt, In thinking about a response to your comment above, I keep ending up with an image of extreme PC ending in a quivering failure to cope with such nonsense as junk science and assorted other mental vacuities. In our case, merely because someone says something or believes something does NOT justify straightforward inclusion in an encyclopedia, WP or otherwise. But how to convert this to a policy is less clear. Thus, the fact that there are many people (oh, I despair of my species!) who believe that the moon landings were faked by Hollywood and the CIA may be a fact worth reporting here. Perhaps in an article about lunatic beliefs of the loony? Having an article which explains how it was all faked, or which otherwise takes such things seriously, would certainly not be. I am not happy with my inability to produce a policy better than Potter Stewart's 'I know worthless junk when I see it'. ww 17:25, 13 Aug 2004 (UTC)
Amen to Matt's first paragraph. This article should enable someone who's learning cryptography to read an abbreviated claim such as "snake oil!" and understand what is being said and from what viewpoint. That necessarily includes detailing the cryptographer's viewpoint as well as the vendor's. (The N in NPOV stands for Neutral, not for No.)
However, I note that this points up a weakness of NPOV. If I go to the article on Fermat's last theorem and note that not everyone is convinced of it, that's true (because many people, myself included, are not so well educated that we can follow the proof). If I note that not everybody can be convinced of it, that's also true (because mathematics relies on circular definitions or undefined terms at its base, like every other kind of human thought, and because it depends on the assumption that the rules of logic really do produce truth from truth every time, or else it depends on our defining "truth" as "whatsoever is reachable by the rules of logic" -- again, just like every other kind of human thought). If I note that some people are convinced of it, not by the proof, but rather because the ghost of Ramanujan returned from the next world in splendor to tell them so, that may be true as well. (I hope not!) And a naive application of NPOV dictates that all this garbage be larded into the article: "Notwithstanding Wiles's work, which was generally accepted among mathematicians, not everyone is convinced of the result, not everybody can be convinced of the result, and some feel that the proof was a waste of effort anyway." More practically, the first claim belongs in an article on specialization in education, the second in an article on radical rejections of phallologocentrism, and the third in an article on mysticism among mathematicians ... but even there, note that it only takes one obsessed weirdo to get it in, and naive NPOV prevents our removing it. Where does it stop? When I make the same claims about the Pythagorean theorem because I am too lazy to look up one of dozens of proofs? When I add "some people favor its being nuked off the face of the earth" to nearly every article on a national capital? When I transcribe the God-is-an-alien rantings of that weird guy I met in the airport, verbatim, into the article on the Andromeda galaxy?
Granted, Wikipedia ain't paper. If we need to, we can make the main article say "The accusation 'snake oil' is shorthand for one of various claims of unreliability and hucksterism. Some people, among them those against whom it is levelled, do not find the term meaningful," and then link to separate articles on "Cryptographic ideas mistrusted as snake oil" and "Reasons for rejecting 'snake oil' accusations". In that case, let each side describe its own POV (recognizing that it is not the only POV) with all the careful, encyclopedic reasoning it can muster, and welcome to the marketplace of ideas (in which anyone can buy whatever looks handy). But I don't think that's necessary yet. I admit that I have represented the skeptical perspective better than the other in my own edits; but if anyone can coherently explain the other, e's got an edit button too and e's welcome to it. eritain 20:38, 28 September 2005 (UTC)
Sure. But NPOV does not compel us to discuss both fringe theories and mainstream thought in the same way. Often you can get away with a short disclaimer about dissenting opinion, like the way you mentioned above, and then quite happily describe the mainstream thinking in great detail. NPOV comes into play if we start actually asserting the mainstream view as undisputed fact, and writing as if we're making the argument, rather than describing it. This article has had problems of this sort in the past. — Matt Crypto 20:57, 28 September 2005 (UTC)

Several of the edits in the last week or so (as of 04.08.10) have had the effect of greatly reducing the article's effectiveness, particularly for the 2nd and 3rd points. In this respect the prior article was better WP coverage of this topic. We can do better, and some of that content should be restored. Comments? ww 13:51, 10 Aug 2004 (UTC)

The old article didn't feel very NPOV, and while the new one is more reserved, I think it stays on topic better and is more encyclopedic, while still giving the lay reader the right information to make good decisions. The old one would have made a great usenet FAQ, though. Lunkwill 18:14, 10 Aug 2004 (UTC)
L, There are some phrasing improvements, I agree, but I stand by my comment above. I'll try to get back to this and see if I can't find a happy median all can live with. (On WP this may be a fantasy, but hope springs eternal...). ww 14:53, 11 Aug 2004 (UTC)

a missing sign of snake oil?

One other sign of snake oil, which I don't see listed, is a claim of the variety: "top cryptographers at institution A, B, and C haven't been able to break our encryption." Usually such a challenge involves the vendor sending some short piece of ciphertext to a researcher and challenging him/her to find the plaintext and/or key, without the aid of the algorithm or any other attack that could easily be mounted in the real world. (Not that a top cryptographer at institution A, B, or C would want to waste his/her time debunking a particular brand of snake oil in the first place.) I think this kind of claim is pretty common among snake oil vendors.

Sure. I've seen those too. Be bold and add it. Arvindn 21:01, 23 Nov 2004 (UTC)
Okey-doke. It's so much easier to whip out an informal complaint than to write a clean addition in NPOV, though... :) --Chris Peikert 05:08, 25 Nov 2004 (UTC)

Bullet points?

Came here via peer review. Overall, I think the article is very lucid and well-written, clear to the layman (me!), and NPOV. I wonder about the lengthy bullet-pointed paragraphs -- bullets seem to be better used for short points, and I think this would read as well or better as separate paragraphs, (with or without similar issues being grouped under subheaders of Common characteristics). What do you think? [[User:CatherineMunro|Catherine\talk]] 04:28, 25 Nov 2004 (UTC)

Thanks for taking the time to look over the article! I agree that the bullet-point format needs fixing, and yes, perhaps paragraphs or even subsections (===X===) would be a good solution. — Matt 12:03, 25 Nov 2004 (UTC)
Subsections seemed like a good way to break it up, so I did so. Alphax τεχ 7 July 2005 06:09 (UTC)


I've a number of reservations about this article. It reads, at times, like a prescriptive guide to avoiding weak cryptography, like the Snake Oil FAQ, and a lot of it is opinion and not NPOV — of course, it may be wise opinion, but I don't think it fits for neutrality. I'm a bit stuck on how best to fix it. Do we really need a large list of "signs", and then to present the argument behind each sign? Is there a better approach? — Matt 12:03, 25 Nov 2004 (UTC)

I still think this article is POV at present. We present a set of security doctrines, and we argue the case for those principles; however, I don't think it's neutral to advocate these principles because they are not universally agreed upon. I'll try and reword it so that it reads as a description of the arguments, not as the argument itself. — Matt Crypto 11:53, 22 Mar 2005 (UTC)

My suggestion is to simply make it clear that what's being presented here is an opinion which is held by many leading cryptographers. Perhaps find a few who have commented on these things in the past to cite for it (I know Bruce Schneier does so regularly, but I'm sure there are others too). Having clarified that, I think the NPOV marker can come off. How does that sound? JulesH 9 July 2005 15:49 (UTC)

I'd agree that the list of potential snake oil signs here represents a common opinion in the crypto community. But is there even a need to recognize snake oil? Shouldn't users rather be able to recognize well accepted primitives? I.e., it is rather hard to decide whether a new encryption algorithm (e.g., based on some well sounding chaos theory) is potentially interesting or just snake oil. It is much easier to recognize that AES is a well accepted encryption algorithm. 01:26, 10 September 2005 (UTC)

As to the neutrality of the article, I don't think it has any bias one way or the other. Where the problem lies is that conclusions are being drawn that might be interpreted in other ways. Don't get me wrong, the info is great and I like it, but maybe two sections - Facts and Advice. I'm a n00b to wikipedia, so you can just slap me if I'm being stupid or something. -Amadameus

obfustication (in paragraph 2), obfuscation

so I googled the former. got enough hits that I think it's a word that the crypto-knowledgeable use. can someone confirm that it's not a typo, that the proofreader inside me should not change it to "obfuscate"? thankz, OscarMeyerPeener. 04:54, 1 February 2006 (UTC)

"Obfuscate" is a verb. "Obfustication" is a noun. One cannot replace a noun in a sentence with a verb. [Steven 20 March 2006]