Re: perlfunc sez crypt() encrypts... but it doesn't.

2005-07-25 Thread Nicholas Clark
On Sun, Jul 24, 2005 at 11:17:10PM -0400, Garry Williams wrote:
> On Sun, 2005-07-24 at 21:59 -0500, David Nicol wrote:
> > How about using the word "obfuscate?"  It's a nice word
> 
> Eschew obfuscation.

perl -MCPAN -e"install B::Deobfuscate"

Nicholas Clark



Re: perlfunc sez crypt() encrypts... but it doesn't.

2005-07-24 Thread Garry Williams
On Sun, 2005-07-24 at 21:59 -0500, David Nicol wrote:
> How about using the word "obfuscate?"  It's a nice word

Eschew obfuscation.

-- 
Garry Williams



Re: perlfunc sez crypt() encrypts... but it doesn't.

2005-07-24 Thread Michael G Schwern
On Sun, Jul 24, 2005 at 09:59:32PM -0500, David Nicol wrote:
> How about using the word "obfuscate?"  It's a nice word

Or were you talking about a word to use instead of "encrypt"?  In that case
definitely not.  While obfuscation might be seen as a really weak form of
encryption, it's certainly not hashing.  For one thing you can recover the 
original data from obfuscation.


-- 
Michael G Schwern [EMAIL PROTECTED] http://www.pobox.com/~schwern
ROCKS FALL! EVERYONE DIES!
http://www.somethingpositive.net/sp05032002.shtml


Re: perlfunc sez crypt() encrypts... but it doesn't.

2005-07-24 Thread Michael G Schwern
On Sun, Jul 24, 2005 at 09:59:32PM -0500, David Nicol wrote:
> How about using the word "obfuscate?"  It's a nice word

They don't mean the same thing.

From The Collaborative International Dictionary of English v.0.44 [gcide]:

  Extirpate \Ex"tir*pate\ (?; 277), v. t. [imp. & p. p.
 {Extirpated}; p. pr. & vb. n. {Extirpating}.] [L. extirpatus,
 exstirpatus, p. p. of extirpare, exstirpare; ex out + strips
 stock, stem, root.]
 To pluck up by the stem or root; to root out; to eradicate,
 literally or figuratively; to destroy wholly; as, to
 extirpate weeds; to extirpate a tumor; to extirpate a sect;
 to extirpate error or heresy.
  
 Syn: To eradicate; root out; destroy; exterminate;
  annihilate; extinguish.
  [1913 Webster]

I think "crippled" or "removed" would be fine.  

Or we could delete the mention entirely as nobody considers crypt to be a 
munition anymore... I hope.  IANAL.


-- 
Michael G Schwern [EMAIL PROTECTED] http://www.pobox.com/~schwern
Insulting our readers is part of our business model.
http://somethingpositive.net/sp07122005.shtml


Re: perlfunc sez crypt() encrypts... but it doesn't.

2005-07-24 Thread David Nicol
How about using the word "obfuscate?"  It's a nice word



-- 
David L Nicol
I've got your Oz right here
http://cronos.advenge.com/pc/oz/TOC.html


Re: perlfunc sez crypt() encrypts... but it doesn't.

2005-07-24 Thread Michael G Schwern
On Sun, Jul 24, 2005 at 12:59:06PM +0200, Rafael Garcia-Suarez wrote:
> On 7/24/05, Michael G Schwern <[EMAIL PROTECTED]> wrote:
> > > More importantly for the purposes of documentation, at least on my system,
> > > I see this:
> > 
> > Just because someone else does something poorly doesn't mean we have to, 
> > too.
> 
> perlfunc says :
> 
> =item crypt PLAINTEXT,SALT
> 
> Encrypts a string exactly like the crypt(3) function in the C library
> 
> And the C function is a wrapper around the libc function. That's one
> of the many C/UNIX legacies that are present in the perl core...

I'm not sure I understand.  Nobody's saying that crypt() isn't or shouldn't
be a wrapper around crypt(3) or that its behavior should change, just that 
we don't have to parrot their documentation inadequacies.


-- 
Michael G Schwern [EMAIL PROTECTED] http://www.pobox.com/~schwern
Ahh email, my old friend.  Do you know that revenge is a dish that is best 
served cold?  And it is very cold on the Internet!


Re: perlfunc sez crypt() encrypts... but it doesn't.

2005-07-24 Thread Rafael Garcia-Suarez
On 7/24/05, Michael G Schwern <[EMAIL PROTECTED]> wrote:
> > More importantly for the purposes of documentation, at least on my system,
> > I see this:
> 
> Just because someone else does something poorly doesn't mean we have to, too.

perlfunc says :

=item crypt PLAINTEXT,SALT

Encrypts a string exactly like the crypt(3) function in the C library

And the C function is a wrapper around the libc function. That's one
of the many C/UNIX legacies that are present in the perl core...


Re: perlfunc sez crypt() encrypts... but it doesn't.

2005-07-23 Thread Michael G Schwern
On Sat, Jul 23, 2005 at 07:34:02PM -0400, John Peacock wrote:
> Michael G Schwern wrote:
> >crypt() doesn't really encrypt, it hashes or digests.
> 
> "encrypt" is a generic term.  "hash" or "digest" are specific methods.  
...
> So I think that trying to discuss the actual method used in the Perl 
> documentation is really going beyond what we need to do.  We could mention 
> that DES isn't all that secure, but trying to differentiate between 
> different encryption methods is outside of our scope (IMNSHO)... 

crypt() doesn't do generic encryption, it's specifically a digest/hash function.
While it's not so important that the user knows what hashing algorithm is used
it is important to make it clear that it is a non-reversible digest and not 
two-way encryption.

Most folks, when they hear "encryption" think lossless, reversible encryption.
Not a digest.


> More importantly for the purposes of documentation, at least on my system, 
> I see this:

Just because someone else does something poorly doesn't mean we have to, too.


-- 
Michael G Schwern [EMAIL PROTECTED] http://www.pobox.com/~schwern
Insulting our readers is part of our business model.
http://somethingpositive.net/sp07122005.shtml
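
The distinction drawn in the message above, that crypt() output is checked by hashing again and never decrypted, shown as an added Perl example that is not part of the original thread. The helper names and sample passwords are constructed, and the two-character salt assumes a libc that still accepts traditional DES-style salts.

```perl
#!/usr/bin/perl
# Added example (not from the thread): crypt() used as a one-way check.
use strict;
use warnings;

# Traditional crypt(3) salts are two characters from [./0-9A-Za-z].
# rand() keeps the example short; it is not a cryptographically secure source.
sub make_salt {
    my @set = ('.', '/', 0 .. 9, 'A' .. 'Z', 'a' .. 'z');
    return join '', map { $set[ rand @set ] } 1 .. 2;
}

# Some libcs report an unsupported salt by returning undef,
# others by returning a string that starts with '*'.
sub usable {
    my ($digest) = @_;
    return defined $digest && $digest !~ /^\*/;
}

# Hash a new password with a fresh salt.
sub hash_password {
    my ($plain) = @_;
    return crypt($plain, make_salt());
}

# Verify by hashing the candidate with the stored digest as the salt
# (crypt reads the salt from the leading characters) and comparing.
# There is no inverse to call: the stored value is never turned back
# into the password.
sub check_password {
    my ($candidate, $stored) = @_;
    my $again = crypt($candidate, $stored);
    return usable($again) && $again eq $stored;
}

my $stored = hash_password('correct horse');    # constructed sample password
die "this libc does not accept two-character salts\n" unless usable($stored);

print "stored digest:  $stored\n";
printf "right password: %s\n", check_password('correct horse', $stored) ? 'match' : 'no match';
printf "wrong password: %s\n", check_password('wrong horse',   $stored) ? 'match' : 'no match';

# Same password, different salt, different digest: the output depends on
# both inputs, which is why the salt has to be stored with the digest.
my $other = crypt('correct horse', 'zz');
print "with salt 'zz': $other\n" if usable($other);
```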


Re: perlfunc sez crypt() encrypts... but it doesn't.

2005-07-23 Thread John Peacock

Michael G Schwern wrote:
> crypt() doesn't really encrypt, it hashes or digests.

"encrypt" is a generic term.  "hash" or "digest" are specific methods.  More 
importantly for the purposes of documentation, at least on my system, I see this:


$ man crypt

NAME
   crypt - password and data encryption

SYNOPSIS
   #define _XOPEN_SOURCE
   #include <unistd.h>

   char *crypt(const char *key, const char *salt);

DESCRIPTION
   crypt  is  the  password  encryption function.  It is based on the Data
   Encryption Standard algorithm with  variations  intended  (among  other
   things)  to discourage use of hardware implementations of a key search.
...

So I think that trying to discuss the actual method used in the Perl 
documentation is really going beyond what we need to do.  We could mention that 
DES isn't all that secure, but trying to differentiate between different 
encryption methods is outside of our scope (IMNSHO)...


John

--
John Peacock
Director of Information Research and Technology
Rowman & Littlefield Publishing Group
4720 Boston Way
Lanham, MD 20706
301-459-3366 x.5010
fax 301-429-5747


Re: perlfunc sez crypt() encrypts... but it doesn't.

2005-07-23 Thread Russ Allbery
Dave Mitchell <[EMAIL PROTECTED]> writes:

> Well pedantically speaking, crypt() encrypts a block of zeros using a
> DES variation and the supplied password as a key, so yes it does
> encrypt; but yes, its use is as a secure hash, so maybe the
> description could do with some polishing.

Not to mention that it's not a very *good* secure hash, given the
increasing ease with which one can brute-force DES.  It might be worth
pointing people at SHA1 or at least MD5 if they really care about
security.

-- 
Russ Allbery ([EMAIL PROTECTED]) 


Re: perlfunc sez crypt() encrypts... but it doesn't.

2005-07-23 Thread Dave Mitchell
On Sat, Jul 23, 2005 at 01:08:49PM -0700, Michael G Schwern wrote:
> crypt() doesn't really encrypt, it hashes or digests.  Yet perlfunc/crypt
> talks about encryption.  This seems misleading.  I discovered this while
> explaining that passwords aren't stored encrypted, they are hashed.  This
> not-encryption is done with the crypt() function--erk.
> 
> So I think it makes sense for the crypt docs to stop saying it encrypts.
> 
> I'm no expert in cryptographic terminology, can anyone confirm or verify this?

Well pedantically speaking, crypt() encrypts a block of zeros using a DES
variation and the supplied password as a key, so yes it does encrypt; but
yes, its use is as a secure hash, so maybe the description could do
with some polishing.

-- 
You never really learn to swear until you learn to drive.


perlfunc sez crypt() encrypts... but it doesn't.

2005-07-23 Thread Michael G Schwern
crypt() doesn't really encrypt, it hashes or digests.  Yet perlfunc/crypt
talks about encryption.  This seems misleading.  I discovered this while
explaining that passwords aren't stored encrypted, they are hashed.  This
not-encryption is done with the crypt() function--erk.

So I think it makes sense for the crypt docs to stop saying it encrypts.

I'm no expert in cryptographic terminology, can anyone confirm or verify this?


-- 
Michael G Schwern [EMAIL PROTECTED] http://www.pobox.com/~schwern
You are wicked and wrong to have broken inside and peeked at the
implementation and then relied upon it.
-- tchrist in <[EMAIL PROTECTED]>