
Snake Oil Crypto Competition - aburan28
http://snakeoil.cr.yp.to/
======
chatmasta
I was disappointed to realize the snake-oil competition is a parody, because a
properly-implemented version of it could teach valuable lessons to
non-technical consumers.

Many products make outrageous claims about their security. Try browsing the
aisles of Best Buy or any major department store. From smart-home sensors to
security-cameras to anti-virus software, the shelves are stocked full with
snake-oil security products advertising themselves as legitimate. These are
the products that big retailers and OEM partners are marketing to the public
as "secure," with much lower standards for security than any expert would
assert.

To prove this to the public, what better way than a competition for benevolent
security researchers to create a wolf-in-sheep's-clothing? The competition is
to produce the most shiny, marketable product design that looks like a "security"
product, but does something far more sinister than protect its users.

Product ideas: "Anonymous router" that actually logs all traffic and sends it
to a printer in the local police office; "Smart Home Hub" that performs active
exploitation attacks against connected devices; "Smart TV" that actually films
its users and live streams their living room to a website.

(Bonus points if they credit real products!)

~~~
bugmen0t
You must be looking for the Underhanded Crypto Contest: The Underhanded Crypto
Contest is a competition to write or modify crypto code that appears to be
secure, but actually does something evil. See
[https://underhandedcrypto.com/](https://underhandedcrypto.com/)

~~~
thaumasiotes
related: the Underhanded C Contest (
[http://www.underhanded-c.org/](http://www.underhanded-c.org/) )

Apparently this year's contest just opened.

------
zymhan
I clicked on one of the submissions and the paper is in Comic Sans:
[http://snakeoil.cr.yp.to/submissions/Lolcipher%20Submission....](http://snakeoil.cr.yp.to/submissions/Lolcipher%20Submission.pdf)

This is hilarious.

~~~
chronolitus
I'm glad I took the time to read this

------
PhantomGremlin
I assume this is something put up by Dan Bernstein, since that's his domain.

Please, can someone explain what this is about? E.g. Dan mentions the
inventors of Rijndael, which is AES. What is his complaint about it?

~~~
sdevlin
The major complaint against AES is that it is very difficult to implement in a
data-independent way without hardware support. Bernstein has done some
research on this
([http://cr.yp.to/antiforgery/cachetiming-20050414.pdf](http://cr.yp.to/antiforgery/cachetiming-20050414.pdf)),
and a major theme of his research has been designing systems that are friendly
to implementers.

I have no idea if that is what this specific dig ("they already master the art
of snake oil") pertains to.

------
pakled_engineer
>Trying to change winner's parameters.

>Changing winner's parameters to default ones.

>Retraction of the idea to change parameters.

Speaking of Keccak, their landing page is full of snake-oily marketing such as
"rock-solid security strength level" and "heavier SHAKE512" or "extremely high
256 bits" like they are trying to sell me a battle armor video game addon. I
realize there is misinformation floating around ever since the questionable
SHA3 competition but bolding arbitrary words and injecting "rock-solid" into
your criticism debunking isn't helping.
[http://keccak.noekeon.org/](http://keccak.noekeon.org/)

~~~
tptacek
"The questionable SHA3 competition"?

------
jcr
> _"Potential extra features (worth extra points):"_

> _"+ Protection against front-channel attacks."_

I think I just hurt myself laughing.

------
Retr0spectrum
[http://snakeoil.cr.yp.to/submissions.html](http://snakeoil.cr.yp.to/submissions.html)

------
GTP
Yesterday I started writing a paper for Snake Oil Crypto Competition and today
I sent it to them. I hope they will accept it!

------
1ris
I wonder what the general crypto community's views on Kenny Paterson, Orr
Dunkelman, Stefan Lucks or Tanja Lange are.

~~~
beagle3
I am not really part of the "crypto community", but I know that Tanja Lange
and Orr Dunkelman are both held in high regard (am not familiar with the other
two names).

~~~
tptacek
Kenny Paterson is the new co-chair of IETF CFRG and a professor at RHUL. Best
known recently for his work breaking RC4.

Lucks is a well known research cryptanalyst and one of the co-inventors of the
Skein SHA3 finalist.

------
mhuffman
rot26 ftw!

