The Daily WTF: Curious Perversions in Information Technology

Security through obscurity

Last post 10-31-2005 2:29 PM by emptyset. 12 replies.
Page 1 of 1 (13 items)
  • 08-18-2005 3:02 AM

    Security through obscurity

    After asking a vendor (who shall remain nameless) about details of their encryption scheme, this gem was offered (company and product names have been anonymized):

    Sorry but it's not Initech policy to inform any one [sic] of our encryption methods. If we did it wouldn't be a secure encryption method.

    All I can say is that I've been at Initech for several years and in all the time that we've been selling the Widget I haven't had a single customer saying they've cracked the encryption.
  • 08-18-2005 4:09 AM In reply to

    Re: Security through obscurity

    I think that they are using a customized ROT scheme, ROT-14, which no known code can hack.
    Either that or they are XORing with the company name.

    What sort of data are we talking about?
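    The two "schemes" joked about above, worked through as an added example (not code from the thread or from any vendor): a ROT-N shift and a repeating-key XOR with a company name. The point is the one the thread makes: once the algorithm is the only secret, it is not a secret for long. ROT-N has only 25 possible shifts, and a repeating-key XOR gives up its key to anyone holding one known message. The "Initech" key and the sample messages are constructed.

```python
# Added example: why "ROT-14" and "XOR with the company name" provide no security.
# Sample plaintexts and the "secret" key are constructed for this illustration.
from typing import Optional

COMPANY_KEY = b"Initech"  # the thread's anonymized vendor name, used as a (bad) XOR key


def rot(text: str, shift: int) -> str:
    """Caesar/ROT-N shift over ASCII letters; other characters pass through unchanged."""
    out = []
    for ch in text:
        if ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + shift) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def rot_keyspace_size() -> int:
    """Every non-trivial shift: 25 candidates, so 'customized ROT-14' is one of 25 guesses."""
    return 25


def break_rot(ciphertext: str, crib: str) -> Optional[int]:
    """Try all 25 shifts and return the one whose decryption contains a known word (crib)."""
    for shift in range(1, 26):
        if crib in rot(ciphertext, -shift):
            return shift
    return None


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same function both encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_xor_key(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """With the algorithm known (Kerckhoffs's principle), one known message reveals the key:
    ciphertext XOR plaintext == key, byte for byte, over the first len(key) positions."""
    n = len(known_plaintext)
    return xor_with_key(ciphertext[:n], known_plaintext)


if __name__ == "__main__":
    ct = rot("Hello World", 14)
    print(ct, "-> shift recovered:", break_rot(ct, "Hello"))
    xct = xor_with_key(b"The Widget config", COMPANY_KEY)
    print("XOR key recovered from one known message:", recover_xor_key(xct, b"The Wid"))
```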
  • 08-18-2005 5:30 AM In reply to

    Re: Security through obscurity

     bullestock wrote:
    ...
    All I can say is that I've been at Initech for several years and in all the time that we've been selling the Widget I haven't had a single customer saying they've cracked the encryption.
    If they think it is secure because their customers can't break it, they are in for a big surprise. Wait .. why/how did anybody buy the "Widget" without finding out what algorithm it used?

    My guess is that the programmer thought he was "So smart" and could write an encryption scheme that was better than AES (or if it was a hash then SHA). Or maybe it is just [stupid] policy.
    Hi! I'm a signature virus. Copy me into your sig file and help me spread!
  • 08-18-2005 9:21 AM In reply to

    Re: Security through obscurity

     bullestock wrote:

    All I can say is that I've been at Initech for several years and in all the time that we've been selling the Widget I haven't had a single customer saying they've cracked the encryption.

    why bother to do testing?  the customers pay us to do our testing for us!  i'm trying to move my (current) company away from this philosophy.

    destroy all robots
  • 08-18-2005 10:33 AM In reply to

    Re: Security through obscurity

    I once worked for a company that wouldn't tell you our encryption algorithm.  However this was because of US export regulations (these are no longer in effect).

    They would give the details to a customer who could comply with the regulations.   However customers who could comply with regulations wouldn't care because they were allowed to buy the version with standard algorithms that could not be exported.

    I never looked at the algorithm myself, but the guys who designed it knew something about encryption.  It might have been flawed, but the flaws were not beginners' mistakes.
  • 08-18-2005 11:09 AM In reply to

    Re: Security through obscurity

     bullestock wrote:
    After asking a vendor (who shall remain nameless) about details of their encryption scheme, this gem was offered (company and product names have been anonymized):

    Sorry but it's not Initech policy to inform any one [sic] of our encryption methods. If we did it wouldn't be a secure encryption method.

    All I can say is that I've been at Initech for several years and in all the time that we've been selling the Widget I haven't had a single customer saying they've cracked the encryption.


    That type of answer just *begs* for someone to post the encrypted string, along with the above response, and the name/address/contact info of the company in question, on an IRC channel...

        dZ.
    Bastard Operators don't just win. Anyone can win. Bastard Operators win and totally demoralise. That's real winning.

    - BOfH
  • 08-18-2005 5:48 PM In reply to

    Re: Security through obscurity

     bullestock wrote:
    All I can say is that I've been at Initech for several years and in all the time that we've been selling the Widget I haven't had a single customer saying they've cracked the encryption.

    To me, this begs two questions.
    Do the customers have a reason to try cracking the encryption? I'd expect that if anyone has a motive, it won't be the people who paid for it.
    If someone cracked the encryption on your expensive widget, are you sure they'd tell you?
  • 08-18-2005 9:09 PM In reply to

    Re: Security through obscurity

     slainangel wrote:
     bullestock wrote:
    All I can say is that I've been at Initech for several years and in all the time that we've been selling the Widget I haven't had a single customer saying they've cracked the encryption.

    To me, this begs two questions.
    Do the customers have a reason to try cracking the encryption? I'd expect that if anyone has a motive, it won't be the people who paid for it.
    If someone cracked the encryption on your expensive widget, are you sure they'd tell you?

    And on a further note, would you trust someone who makes a living off a program and its encryption to just say "It's been cracked X times"?
  • 08-22-2005 2:49 PM In reply to

    Re: Security through obscurity

    I guess these guys have never heard of SoftICE or IDA...
  • 08-22-2005 4:36 PM In reply to

    Re: Security through obscurity

     Ulvhamne wrote:

    And on a further note, would you trust someone who makes a living off a program and its encryption to just say "It's been cracked X times"?

    it's like in the first episode of futurama, when fry walks into the cryogenic freezing room, and it says "no power outages since 1998" with the '8' taped on there.  :D

    destroy all robots
  • 09-03-2005 7:52 PM In reply to

    Re: Security through obscurity

    "Five years without a remote clue in the default maintainer?"

    Oh sorry, that was "Only one remote hole in the default install, in more than 8 years!"
  • 10-31-2005 1:54 PM In reply to

    Re: Security through obscurity

     emptyset wrote:

     Ulvhamne wrote:

    And on a further note, would you trust someone who makes a living off a program and its encryption to just say "It's been cracked X times"?

    it's like in the first episode of futurama, when fry walks into the cryogenic freezing room, and it says "no power outages since 1998" with the '8' taped on there.  :D

    Actually, the sign says "no power outages since 1997"

    It's funny because it's out of context.
  • 10-31-2005 2:29 PM In reply to

    Re: Security through obscurity

     Albatross wrote:
    Actually, the sign says "no power outages since 1997"

    i turned 93 and bought an 87 cadillac / taking my homies down to the dog track / when it's time, i reach for the dime bag / count them out, and bet on 'old rag-tag'

    lost our money and we roll down to 'raton / kickin' the buffets for the noodles and the wontons / stuffed, puffed, we head to nightly dominoes / we got rust on the rims and boston pops on the stereo

    the man keeps telling me i gots dementia / driving down the sidewalk - bitch, i'm gonna hit ya / i couldn't see a thing since 1989 / but it don't matter - you can't punk this ride

    destroy all robots