Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 21 Aug 2012 20:53:45 -0500
From: Jeffrey Goldberg <>
To: "" <>
Subject: Re: Arstechnica Password article (feat. Matt Weir)

Sorry. I was *not* saying that those I mentioned were snake oil. They emphatically aren't. 

Sent from my iPhone

On Aug 21, 2012, at 8:37 PM, "Brad Tilley" <> wrote:

> <snip>
>> I can't say that 1Password is the only password manager out there that
>> uses a separate key file (there are lots of things out there, even if we
>> exclude the snake oil from consideration), but it is the only one that I
>> know of.
> Solar, I apologize in advance if this is inappropriate, but I felt I had
> to respond.
> Snake oil? What do you mean by that? Many people consider closed-source
> password managers that claim to encrypt and store passwords to be snake
> oil. Their encryption is closed-source and unverified. That is the epitome
> of snake oil. There is no higher kind of snake oil than that.
> You may know that well-regarded software experts who write reliable
> open-source software get encryption wrong at times:
> As many on this list know, Colin is the FreeBSD Security Office and (as
> demonstrated in his post) even he makes mistakes in open-source encryption
> code and admits to them and fixes them and moves on. I have nothing
> against that. Thank god for developers such as Colin and his code. Tarsnap
> is a lesson is clean, well-designed C code that every developer should
> read.
> But knowing that people such as olin make mistakes, why on earth would
> rational people trust a corporation that sells closed source encryption
> software to protect their most important digital assets, their passwords?
> Why would I want to pay for this snake oil?
> I have nothing to sell and nothing to hide. All my source code is public
> and you may compile it from scratch and critique it as well. And I think
> it's very important to note that JtR is open-source software and many
> people who use it value that very much and distrust anything (especial
> encryption software) that is closed source and unverified. I know that I
> do.
> I don't mean to offend anyone, but I feel very strongly about this and I
> suspect other here do as well. The term snake-oil should not be throw
> around as a general, blanket accusation. If you think something is
> snake-oil (such as closed-source, proprietary password managers) then you
> ought to name them specifically rather than just imply that some may be
> snake-oil while others are not.
> I'll state the truth as I see it: all closed-source, unverified passwords
> managers that use god knows what type of encryption are snake oil. There,
> I said it, and it's true.
> Regards,
> Brad

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.