BitCrypt is now donation-ware

Moshe

May 30, 2006, 5:19:02 PM
Hi
As some of you may recall I could not sell any copies of BitCrypt.
I have changed it to be donation-ware, so that anyone who wants to use
it may do so.
Please visit http://www.bitcrypt.co.nz or
http://geocities.com/moshe_szweizer/ to download it.

Thanks
Moshe

Josh Bettenheimer

May 30, 2006, 6:36:32 PM
That's about the only way you'll get people to use anything. Give it
away for free. It's what people in general have come to expect from the
internet.

Josh Bettenheimer

May 31, 2006, 6:50:41 AM
Who died and made you Usenet God? Screw you. Don't like it, learn to
use your kill file, stupid.

George Orwell wrote:

> If you're going to post in usenet Josh you fucking jerk, don't top post
>
>

Borked Pseudo Mailed

May 31, 2006, 1:30:51 PM
Moshe wrote:

> Hi
> As some of you may recall I could not sell any copies of BitCrypt. I have
> changed it to be donation-ware, so that anyone who wants to use it may do
> so.
> Please visit http://www.bitcrypt.co.nz or

From that site....

"The source for the BitCrypt is not public and you may not see it."

Why? How do we know you implemented it properly? How do we know you didn't
mess something up in the implementation that ruins the security of
otherwise secure algorithms, or for that matter how do we know you simply
didn't put some code in your program that intentionally compromises them?

Wasn't it the German police who compromised JAP, with a gag order that
they circumvented by publishing source code?

Isn't Hagen Reddmann a German citizen?

If I were a cop looking to get around strong encryption I think I might
write a nice Delphi wrapper to a bunch of otherwise trusted cypher
algorithms that stored keys and pass phrases to disk somewhere encrypted
to a "master" key owned by me. Or maybe I'd write some "multiple
recipient" type code that dual-encrypted your files to your password/key
as well as mine.

Then I'd first try giving it an air of legitimacy by trying to sell it. If
that didn't work I'd try giving it away. In fact about the only better
plan I could see is making it "PGP Compatible" with an email plugin, and
so easy to install and use that people would switch. ;-)

That's not an accusation, just an ironic observation of how a compromised
encryption utility might make it into the wild undetected. Without source
code you could very well be the above police agency trying to circumvent
encryption. WE have no way to tell, and some reason to be suspicious. :(


Notan

May 31, 2006, 1:49:58 PM
Borked Pseudo Mailed wrote:
>
> Moshe wrote:
>
> > Hi
> > As some of you may recall I could not sell any copies of BitCrypt. I have
> > changed it to be donation-ware, so that anyone who wants to use it may do
> > so.
> > Please visit http://www.bitcrypt.co.nz or
>
> From that site....
>
> "The source for the BitCrypt is not public and you may not see it."
>
> Why?
>
> <snip>

Why?

Possibly to prevent all the scum out there, that would gladly copy code
and call it their own?

Notan

Zoltan

May 31, 2006, 3:12:43 PM

As a result, no one will use it, even if it's free.

There's plenty of good open-source encryption software out there.

Sorry, but that's just the way encryption software works.

Ogre

May 31, 2006, 3:53:20 PM
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Notan <no...@ddress.thatcanbespammed> wrote:

GPL it.
His software will never be accepted without source code review.

- --
Ogre

~~~
This PGP signature only certifies the sender and date of the message.
It implies no approval from the administrators of nym.komite.net.
Date: Wed May 31 19:53:19 2006 GMT
From: og...@nym.komite.net
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFEffQwya9pXdO6os0RAq8wAKDUGdtnTyPQts+WKYtVSk6hJpK7IQCfQVar
GiNX+f+whDq8r2V/pVlVRfY=
=I2ed
-----END PGP SIGNATURE-----

Moshe

May 31, 2006, 5:30:40 PM
The source for the BitCrypt is not public and you may not see it. This
is to strengthen the overall encryption power. Surely, one may attempt
to reverse engineer the program in order to learn how it has been
implemented, but this is not as easy as it sounds. Most reverse
engineering tools would produce assembler as their output, which,
without prior knowledge what the particular part of the program does,
is difficult to read. What I tried to do is to combine three approaches
to the notion of data hiding:
1. Use high quality open source encryption algorithms to encrypt the
text as such. This is open source part and verified by the open source
community as being strong and flawless
2. Use closed source code to implement the process of hiding of the
encrypted text. Because this part is not public, and not in possession
of any authorities, an extra layer of encryption strength is added to
the data hiding process. This part contains additional encryption
algorithms, randomization of the image pixels, and the choice of the
points where data is written is dependent on the key typed by the user.
Thus, even the identification of the image pixels used for hiding of
the data should not be possible. I can not achieve this objective if I
publish the source code.
3. Lastly, the image 'looks' like any ordinary bitmap image. Because,
it is a bitmap image (and not for example jpeg), you may not deduce
from the image as such that there is any encryption hidden in the
picture. The encrypted image is different than the original, but this
kind of modification one could achieve through ordinary contrast,
brightness or similar modification.
================================

Stephen K. Gielda

May 31, 2006, 6:39:32 PM
In article <1149111040.4...@g10g2000cwb.googlegroups.com>,
moshe_s...@yahoo.com says...

> The source for the BitCrypt is not public and you may not see it. This
> is to strengthen the overall encryption power.

If your encryption software requires obscurity for security it is
horribly flawed. This is a huge red flag to anyone who understands
encryption and why few will use the package, even when free.

/steve
--
Cotse.Net Privacy Service
Advanced e-mail, ssh, proxies, web hosting, and more.
Your Shield From The Internet
http://www.cotse.net

George Orwell

May 31, 2006, 7:14:22 PM
Moshe wrote:

> The source for the BitCrypt is not public and you may not see it. This is
> to strengthen the overall encryption power. Surely, one may attempt to

You CLAIM you use open source and freely available encryption libraries
on your web site. Keeping your source code secret wouldn't protect
anything at all.

Closed source doesn't make anything "stronger", in fact it weakens it by
creating a situation where some obscured error could cause a "catastrophic
failure", as Schneier puts it.

You really need to read up a bit.

> reverse engineer the program in order to learn how it has been
> implemented, but this is not as easy as it sounds. Most reverse
> engineering tools would produce assembler as their output, which,
> without prior knowledge what the particular part of the program does, is
> difficult to read. What I tried to do is to combine three approaches to
> the notion of data hiding:
> 1. Use high quality open source encryption algorithms to encrypt the
> text as such. This is open source part and verified by the open source
> community as being strong and flawless 2. Use closed source code to
> implement the process of hiding of the encrypted text. Because this part
> is not public, and not in possession of any authorities, an extra layer
> of encryption strength is added to the data hiding process. This part

Stego?

Trivial to spot and figure out. A single person with a copy of both an
original file and a "stego" file could figure out your scheme in a
couple hours. And since anyone can create these two files, your stego is
rendered meaningless. This is why stego is totally insecure.

> contains additional encryption algorithms, randomization of the image

Your "additional encryption" could just as easily be NSA "phone home"
code. Nobody knows, hence nobody will trust your product.

You were wondering why nobody wanted it? Now you know. Do whatever you
like, it's your stuff. But if you want anyone to actually USE it you'll
have to give up the source.

> pixels, and the choice of the points where data is written is dependent
> on the key typed by the user. Thus, even the identification of the image
> pixels used for hiding of the data should not be possible. I can not

Bullshit. Even a novice could "diff" two images and see EXACTLY where
you're placing data and how. You're hiding nothing at all.

<snip>

dm

Jun 1, 2006, 2:21:19 PM
"Moshe" <moshe_s...@yahoo.com> wrote in
news:1149111040.4...@g10g2000cwb.googlegroups.com:

[snip]


Hey, look guys! Flamebait!

<Fwwoooooosh!>

Moshe

Jun 1, 2006, 6:16:56 PM

> Bullshit. Even a novice could "diff" two images and see EXACTLY where
> you're placing data and how. You're hiding nothing at all.

Sure, I have taken this into account. Try to diff any two images and
find the point used for encryption. Use just one character as your text
to be encrypted. Then find the place in the image where this character
has been written to. Surely, you may diff the original and the
encrypted image any way you like. You will find at least a thousand
points not just one. Tell me which one it was.

Do not treat this application as bullshit. I have actually spent some
time making it work as it should.

Moshe
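
The cover-versus-output comparison argued over in the posts above, as an added example that is not part of the thread and not BitCrypt's code. BitCrypt's algorithm is unpublished, so `embed` is a constructed toy scheme (key-seeded pixel order, LSB writes, 1000 decoy flips) and the cover is constructed random data; it shows what a diff does yield (every altered pixel and the bit plane involved) and what it does not (which pixels carry the payload, which here depends only on the key).

```python
import hashlib
import random

DECOYS = 1000  # constructed parameter, echoing the "at least a thousand points" claim

def _order(n_pixels: int, key: str) -> list:
    """Key-seeded permutation of pixel indices; the key is the only secret here."""
    rng = random.Random(hashlib.sha256(key.encode()).digest())
    order = list(range(n_pixels))
    rng.shuffle(order)
    return order

def embed(cover: bytes, payload: bytes, key: str) -> bytes:
    """Toy scheme: payload bits go into key-chosen LSBs, then DECOYS more LSBs flip."""
    bits = [(byte >> i) & 1 for byte in payload for i in range(8)]
    order = _order(len(cover), key)
    stego = bytearray(cover)
    for pos, bit in zip(order, bits):
        stego[pos] = (stego[pos] & 0xFE) | bit
    for pos in order[len(bits):len(bits) + DECOYS]:
        stego[pos] ^= 1                      # decoy: guaranteed visible change
    return bytes(stego)

def extract(stego: bytes, n_bytes: int, key: str) -> bytes:
    """Recover the payload; needs the key, not a secret algorithm."""
    order = _order(len(stego), key)
    bits = [stego[pos] & 1 for pos in order[:n_bytes * 8]]
    return bytes(sum(bits[i * 8 + j] << j for j in range(8)) for i in range(n_bytes))

def diff(cover: bytes, stego: bytes) -> list:
    """Indices of every pixel that differs between the two images."""
    return [i for i, (a, b) in enumerate(zip(cover, stego)) if a != b]

def planes_touched(cover: bytes, stego: bytes) -> int:
    """Bitmask of the bit planes in which the two images differ."""
    mask = 0
    for a, b in zip(cover, stego):
        mask |= a ^ b
    return mask

# Constructed 256x256 8-bit grayscale "image" and a one-character payload.
COVER = bytes(random.Random(0).randrange(256) for _ in range(256 * 256))
STEGO = embed(COVER, b"A", "example key")
CHANGED = diff(COVER, STEGO)

if __name__ == "__main__":
    print(len(CHANGED), "pixels differ; bit planes touched:", bin(planes_touched(COVER, STEGO)))
    print("payload with key:", extract(STEGO, 1, "example key"))
```
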

Moshe

Jun 1, 2006, 6:26:47 PM

Stephen K. Gielda wrote:
> In article <1149111040.4...@g10g2000cwb.googlegroups.com>,
> moshe_s...@yahoo.com says...
> > The source for the BitCrypt is not public and you may not see it. This
> > is to strengthen the overall encryption power.
>
> If your encryption software requires obscurity for security it is
> horribly flawed. This is a huge red flag to anyone who understands
> encryption and why few will use the package, even when free.

It does and it does not. The first part as you know is public, so it
does not require any obscurity. The second part is not public. What I
am trying to achieve is to join two approaches. One which is publicly
verified, and the other which is hiding centric.
I intend to publish the algorithm of my hidden part so that your
criticism may be addressed. However, I do not intend to publish the
actual code. The user would have to trust me on that one. I know it
prevents a lot of people from actually using it.

On the other hand you miss one point. Namely, if the source is public
then the NSA you mention so often will definitely break your encryption.
This is because the knowledge of the code and a really big computer
would always open your encrypted text.
I understand that you find it impossible to believe in, but that little
gadget that I have written will not be broken even by them.

Moshe

Borked Pseudo Mailed

Jun 2, 2006, 10:08:56 AM
Moshe wrote:

>
>> Bullshit. Even a novice could "diff" two images and see EXACTLY where
>> you're placing data and how. You're hiding nothing at all.
>
> Sure, I have taken this into account. Try to diff any two images and find
> the point used for encryption. Use just one character as your text to be
> encrypted. Then find the place in the image where this character has been
> written to. Surely, you may diff the original and the encrypted image
> any way you like. You will find at least a thousand points not just one.
> Tell me which one it was.

It doesn't matter one bit how much padding you use, your steganographic
routines and how they function are things that are trivial to ascertain.
And that's the part you're claiming you're hiding by not releasing source
code.

Like I said, you're hiding nothing at all of any importance whatsoever,
weakening the overall security of your application, and refusing to allow
anyone to develop any feelings of trust that might prompt them to actually
use your application.

Don't whine about people not wanting your stuff any more, OK?

> Do not treat this application as bullshit. I have actually spent some time
> making it work as it should.

Not bullshit... snake oil. That's what security applications are called
when their authors make claims but refuse to back them up with any hard
evidence.

You keep claiming your software is "good", but then you're nobody. You're
making nobody claims alongside every other nobody making nobody claims on
Usenet. You're doing things the wrong way for no valid reason whatsoever,
ever, and expecting people to treat you differently than anyone else who
publishes closed source crypto because you keep making claims?

Sorry kid, doesn't work that way.

>
> Moshe

TwistyCreek

Jun 3, 2006, 9:09:48 AM
Notan wrote:

A ridiculous argument on any and all levels.

The algorithms are already open source and free. The only thing this
person is "hiding" is a UI and maybe some house cleaning, which can be
duplicated in Delphi with so little effort after watching the program run
for 10 minutes it's not really worth it to begin with.

There's tons of open source software out there doing the exact same thing,
and none of it is significantly impacted by your mythical "coderippers".
How many copies of PGP or GnuPG labeled "Ralph's Encryption" have you
seen floating around lately?

That's right..... none.

If someone steals your code and calls it their own, you have legal
recourse. And it will generate good press. If someone thinks your code is
good enough to steal it might actually be worth looking at.

Any old miscreant could just as easily hexedit your already compiled
executables and call them their own. Keeping source code private doesn't
even actually PREVENT having your stuff stolen to begin with.

There's every reason to believe that closed source encryption applications
have been compromised, and nothing at all to show that they haven't.
Without releasing your source code you won't have a significant user base
to worry about one way or the other.

Look at the WinPT/GPGShell example. One open source, one not. One became
very popular, and the other not, even though the closed source application
was the more feature rich and "better" application in many eyes.
