Free Republic
News/Activism

To: Nick Danger
More seriously, this is BULLSH*T.

When I took a SANS course, they brought up the *best practices* way of developing security software: PUBLISH THE ALGORITHM and take on all comers, often with a monetary prize to whoever breaks the algorithm. Letting peers ALL OVER THE WORLD see the code has TWO effects:

(1) Those who write the code are MORE CAREFUL because they know their PROFESSIONAL REPUTATION is on the line for everyone to see

(2) Their peers will ACTUALLY FIND THEIR MISTAKES.

As a direct example of why the technique of security through obscurity (Microsoft's way of doing things) DOES NOT WORK, the SANS Institute instructor (Eric Cole) pointed out the debacle with the DVD encryption done by Hollywood (by a closed group which let no one else see their work). The DVD encryption was broken almost immediately...

148 posted on 06/03/2002 7:33:41 AM PDT by chilepepper


To: chilepepper
"SANS Institute instructor"

Yep, I knew it. A SANS Institute instructor is the world's expert on security. That's why the DoD uses him to help them publish our national security infrastructure. Not!

Peer review is one thing; publishing your system's specifications is another. Remember, when you publish your system's source code, if your peers do not find all the holes, your enemy will.

149 posted on 06/03/2002 8:12:30 AM PDT by PatrioticAmerican

To: chilepepper
the SANS Institute instructor (Eric Cole) pointed out the debacle with the DVD encryption done by Hollywood (by a closed group which let no one else see their work). The DVD encryption was broken almost immediately...

The encryption wasn't broken, and your instructor did you a disservice by describing it as such. Every DVD player (software and hardware) is equipped with a key which allows it to decrypt the video and audio streams on a standard DVD. The key is burned into every player. It has to use this method because there is no key-distribution scheme. The problem was that somebody discovered the key. It's like you left the key to your front door in the lock. That's not breaking the encryption.

That said, it is correct that security through obscurity generally doesn't work. It is possible to sift through collections of data (located in memory or on disc) looking for very random streams. When you find one, it is often a key or some kind of secret that someone doesn't want you to know. Depending on someone not finding your secrets is a fundamentally flawed design. That is the case with DVD encryption.

155 posted on 06/03/2002 9:53:03 AM PDT by Bush2000
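The check Bush2000 describes, sifting through a blob of data for "very random streams" that turn out to be embedded keys, is the same sliding-window entropy scan a defender can run over their own firmware or installer images before release to catch a hard-coded secret. The following is an added example, not code from this thread; the filler text, the placeholder key pattern and the window/threshold values are constructed for the demonstration.

```python
import math
from typing import List, Tuple

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string, in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)

def find_high_entropy_windows(blob: bytes, window: int = 32, step: int = 8,
                              threshold: float = 4.5) -> List[Tuple[int, float]]:
    """Slide a window over blob and report (offset, entropy) wherever the
    window's byte distribution is near-uniform. A 32-byte window tops out at
    log2(32) = 5 bits/byte, so the threshold is set against that ceiling,
    not against 8.0. Structured text or padding scores well below it."""
    hits = []
    for off in range(0, len(blob) - window + 1, step):
        e = shannon_entropy(blob[off:off + window])
        if e >= threshold:
            hits.append((off, e))
    return hits

# Constructed sample image: low-entropy configuration text with a 32-byte
# hard-coded key dropped in at offset 64. The key is a placeholder pattern
# (32 distinct byte values), not any real player key.
FILLER = (b"region=1;model=dvd;" * 4)[:64]
PLACEHOLDER_KEY = bytes(range(0, 256, 8))
SAMPLE_IMAGE = FILLER + PLACEHOLDER_KEY + FILLER

def scan_sample() -> List[Tuple[int, float]]:
    """Run the scan over the constructed image; the key region is flagged."""
    return find_high_entropy_windows(SAMPLE_IMAGE)

if __name__ == "__main__":
    for off, e in scan_sample():
        print(f"offset {off:5d}: {e:.2f} bits/byte")
```

On a real image the hits are reviewed by hand, since compressed data and legitimate random nonces score the same way; the point is that a secret that stands out like this will be found by anyone who looks, which is why a design that depends on it staying hidden is flawed.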
